BSD Now - Episodes Tagged with “Verisign”

105: Virginia BSD Assembly

JT Pennington — Wed, 02 Sep 2015 08:00:00 -0400

It's already our two-year anniversary! This time on the show, we'll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year's vBSDCon. What's it have to offer in an already-crowded BSD conference space? We'll find out.

This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon

Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
From what little he revealed at the time, it appeared to be a new hypervisor (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
One thing to note: this isn't just a port of something like Xen or Bhyve; it's all-new code, and Mike explains why he chose to go that route
He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on ***

Why FreeBSD should not adopt launchd

Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
In this article, the author talks about why he thinks this is a bad idea
He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
Reddit had quite a bit to say about this one, some in agreement and some not ***

DragonFly graphics improvements

The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
You should also see some power management improvements, longer battery life and various other bug fixes
If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around ***

OpenBSD tames the userland

Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
Some classic utilities are even being reworked to make taming them easier - the "w" command, for example
The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
More discussion can be found on HN, as one might expect
If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release ***

Interview - Scott Courtney - vbsdcon@verisign.com / @verisign

vBSDCon 2015

News Roundup

OPNsense, beyond the fork

We first heard about OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
This is their first big status update, covering some of the things that've happened since the project was born
There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything ***

LibreSSL nukes SSLv3

With their latest release, LibreSSL began to turn off SSLv3 support, starting with the "openssl" command
At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
They've now flipped the switch, and the process of complete removal has started
From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!"
With this change and a few more to follow shortly, Libre*SSL* won't actually support SSL anymore - time to rename it "LibreTLS" ***

FreeBSD MPTCP updated

For anyone unaware, Multipath TCP is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy."
There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
Including in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start ***

UEFI and GPT in OpenBSD

There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in)
The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made ***

Feedback/Questions

89: Exclusive Disjunction

JT Pennington — Wed, 13 May 2015 08:00:00 -0400

This week on the show, we'll be talking to Mike Larkin about various memory protections in OpenBSD. We'll cover recent W^X improvements, SSP, ASLR, PIE and all kinds of acronyms! We've also got a bunch of news and answers to your questions, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenSMTPD for the whole family

Setting up a BSD mail server is something a lot of us are probably familiar with doing, at least for our own accounts
This article talks about configuring a home mail server too, but even for the other people you live with
After convincing his wife to use their BSD-based Owncloud server for backups, the author talks about moving her over to his brand new OpenSMTPD server too
If you've ever run a mail server and had to deal with greylisting, you'll appreciate the struggle he went through
In the end, BGP-based list distribution saved the day, and his family is being served well by a BSD box ***

NetBSD on the Edgerouter Lite

We've talked a lot about building your own BSD-based router on the show, but not many of the devices we mention are in the same price range as consumer devices
The EdgeRouter Lite, a small MIPS-powered machine, is starting to become popular (and is a bit cheaper)
A NetBSD developer has been hacking on it, and documents the steps to get a working install in this blog post
The process is fairly simple, and you can cross-compile your own installation image on any CPU architecture (even from another BSD!)
OpenBSD and FreeBSD also have some support for these devices ***

Bitrig at NYC*BUG

The New York City BSD users group has semi-regular meetings with presentations, and this time the speaker was John Vernaleo
John discussed Bitrig, an OpenBSD fork that we've talked about a couple times on the show
He talks about what they've been up to lately, why they're doing what they're doing, difference in supported platforms
Ports and packages between the two projects are almost exactly the same, but he covers the differences in the base systems, how (some) patches get shared between the two and finally some development model differences ***

OPNsense, meet HardenedBSD

Speaking of forks, two FreeBSD-based forked projects we've mentioned on the show, HardenedBSD and OPNsense, have decided to join forces
Backporting their changes to the 10-STABLE branch, HardenedBSD hopes to introduce some of their security additions to the OPNsense codebase
Paired up with LibreSSL, this combination should offer a good solution for anyone wanting a BSD-based firewall with an easy web interface
We'll cover more news on the collaboration as it comes out ***

Interview - Mike Larkin - mlarkin@openbsd.org / @mlarkin2012

Memory protections in OpenBSD: W^X, ASLR, PIE, SSP

News Roundup

A closer look at FreeBSD

The week wouldn't be complete without at least one BSD article making it to a mainstream tech site
This time, it's a high-level overview of FreeBSD, some of its features and where it's used
Being that it's an overview article on a more mainstream site, you won't find anything too technical - it covers some BSD history, stability, ZFS, LLVM and Clang, ports and packages, jails and the licensing
If you have any BSD-curious Linux friends, this might be a good one to send to them ***

Linksys NSLU2 and NetBSD

The Linksys NSLU2 is a proprietary network-attached storage device introduced back in 2004
"About 2 months ago I set a goal to run some kind of BSD on the spare Linksys NSLU2 I had. This was driven mostly by curiosity, after listening to a few BSDNow episodes and becoming a regular listener [...]"
After doing some research, the author of this post discovered that he could cross-compile NetBSD for the device straight from his Linux box
If you've got one of these old devices kicking around, check out this write-up and get some BSD action on there ***

OpenBSD disklabel templates

We've covered OpenBSD's "autoinstall" feature for unattended installations in the past, but one area where it didn't offer a lot of customization was with the disk layout
With a few recent changes, there are now a series of templates you can use for a completely customized partition scheme
This article takes you through the process of configuring an autoinstall answer file and adding the new section for disklabel
Combine this new feature with our -stable iso tutorial, and you could deploy completely patched and customized images en masse pretty easily ***

FreeBSD native ARM builds

FreeBSD -CURRENT builds for the ARM CPU architecture can now be built natively, without utilities that aren't part of base
Some of the older board-specific kernel configuration files have been replaced, and now the "IMC6" target is used
This goes along with what we read in the most recent quarterly status report - ARM is starting to get treated as a first class citizen ***