1. 7
  1.  

  2. 5

    Those are some pretty flaky arguments regarding OpenBSD. What is “theoretical” SMP? I’m running this from a 4-core OpenBSD laptop. You know, non-theoretically. Same language snark goes with vmm: they tried to implement a hypervisor? I’ll be sure to inform mlarkin of his failure to execute. It may not be what the author wants, but that’s a different story. Anyway, if there are good comparisons between the two systems security-wise, they look like they’re in that chart from https://hardenedbsd.org/content/easy-feature-comparison. Is it up to date with the recent anti-ROP efforts?

    1. 2

      It is. OpenBSD has an SROP mitigation, whereas HardenedBSD doesn’t. HardenedBSD has non-Cross-DSO CFI (Cross-DSO CFI is actively being worked on), whereas OpenBSD doesn’t. HardenedBSD also applies SafeStack to applications in base. CFI provides forward-edge safety while SafeStack provides backward-edge safety (at least, according to llvm’s own documentation.)

      HardenedBSD inherits MAP_STACK from FreeBSD. The one thing about OpenBSD’s MAP_STACK implementation that HardenedBSD may lack (I need to verify) is that the stack registers (rsp/rbp) is checked during syscall enter to ensure it points to a valid MAP_STACK region. If FreeBSD’s syscall implementation doesn’t do this already, doing so would be a good addition in HardenedBSD.

      So, there’s room for improvement by both BSDs, as should be expected. It looks like OpenBSD is starting the migration towards an llvm toolchain, which would allow OpenBSD to catch up to HardenedBSD with regards to CFI and SafeStack.

      Sorry for the excessive use of commas. I enjoy them perhaps a bit too much. ;)

      1. 1

        I haven’t read the whole article, because I’m not interested in HardenedBSD.

        What is “theoretical” SMP? I’m running this from a 4-core OpenBSD laptop. You know, non-theoretically.

        The article is indeed vague about it, but I think the author meant scalability issues. Too much time spent in the kernel space.

        Same language snark goes with vmm: they tried to implement a hypervisor? I’ll be sure to inform mlarkin of his failure to execute.

        I don’t have any experience with virtualization, but the point seems to be that you can only have OpenBSD and Linux guests under an OpenBSD host which compares less than something like bhyve.

        1. 1

          SMP

          From what I have read about SMP on OpenBSD its not that it would not detect 4 or 64 cores, its that its subsystems (like FreeBSD 5.0 for example) were not entirely rewritten to fully itilize all cores, that in many places still so called GIANT LOCK is used, may have changed recently, sorry if information is not up to latest date.

          vmm

          Now ints very limited, can You run Windows VM on it? … or Solaris VM? Last I read about it only OpenBSD and Linux VMs worked.

          Is it up to date with the recent anti-ROP efforts?

          I am not sure, You may ask here - https://www.twitter.com/HardenedBSD - or on the HardenedBSD forums - https://groups.google.com/a/hardenedbsd.org/forum/#!forum/users

          1. 3

            or Solaris VM? Last I read about it only OpenBSD and Linux VMs worked.

            It runs Illumos derivatives (eg. OpenIndiana). There’s a speicific feature missing that FreeBSD/NetBSD need which is being worked on. It doesn’t run Windows because Windows needs graphics.

            1. 2

              Thanks for clarification, I hope that graphics support/emulation will also came to vmm soon.

              I added that information to the post.

          2. 1

            I’m not sure, the article seems like it makes an honest enough comparison between hardenedBSD and OpenBSD that I make OpenBSD a priority to consider the next time I need truly secure OS.

            1. 3

              The “One may ask…” paragraph is so slanted toward HardenedBSD over OpenBSD that I’d have immediately assumed a HardenedBSD developer or fan was writing it.

              1. 1

                Tried my best, I thought that it was clean enough from the article that OpenBSD is secure for sure while HardenedBSD aspires to that target with FreeBSD codebase as start …

              2. 1

                Tried my best, I thought that it was clean enough from the article that OpenBSD is secure for sure while HardenedBSD aspires to that target with FreeBSD codebase as start …

            2. 3
              • Meta point: there is no way that many tags are needed on this. (Exactly how is this visualization or linux?)
              • Is it necessary to have that many screenshots? If the installer is so complicated as to require that many screenshots (it doesn’t appear to be) then perhaps the installer should be changed.
              • How important is it to see the output of all the commands? There’s even a part to show that the freebsd-update command doesn’t exist.
              1. 2

                Hi,

                Meta point: there is no way that many tags are needed on this. (Exactly how is this visualization or linux?)

                I selected LINUX tag because many Linux users, mostly because of systemd search for alternatives and FreeBSD/HardenedBSD may be well suited for them as an alternative. I misused VIRTUALIZATION tag as my other post about Nextcloud used FreeBSD Jails (which is operating system level virtualization) with this post, sorry for that and thanks for correction.

                Is it necessary to have that many screenshots?

                To show show WHOLE installation process, yes.

                If the installer is so complicated as to require that many screenshots (it doesn’t appear to be) then perhaps the installer should be changed.

                Feel free to send your thought on the installer to the upstream FreeBSD project:

                https://bugs.freebsd.org/bugzilla/enter_bug.cgi

                It depends how You look at it, the installer configures a lot of things, one may want to install fast configure later or configure at installer and run after reboot. At least I see it that way.

                How important is it to see the output of all the commands? There’s even a part to show that the freebsd-update command doesn’t exist.

                Its for the FreeBSD users, they are VERY used to these commands, besides these are only 4 lines (for two commands) while screenshots take much much more.

                1. 7

                  I’ll try to help you out real quick. The tags serve two purposes: filtering content people dont want to see; highlighting what the submission is gonna talk about. We try to pick least number of tags that cover these goals.

                  In this case, maybe UNIX and security tags would do since it covers many UNIXen without much depth except for HardenedBSD we dont have a tag for. FreeBSD might work, too, given they’re related.You dont need virtualization since this isnt a writeup about virtualization in any depth. It just mentions it briefly.

                  1. 1

                    Thanks.