The HardenedBSD Foundation is happy to announce a donation from the folks over at Protectli. Protectli is an open source firewall appliance company. This is their second donation to the HardenedBSD Foundation to date.

This donation is for a specific project: the development of a censorship- and surveillance-resistant mesh network. Protectli donated four FW4B devices. These devices will help us research and develop a prototype network, with the end goal being wider deployment once the initial proof-of-concept is developed and documented.

We--the HardenedBSD Foundation and the HardenedBSD Project--believe that Protectli offers a solid product line with which to base our reference implementation. We plan to start a concerted effort on the proof-of-concept implementation starting January through February 2025.

We are in talks with a Google Summer of Code contributor for FreeBSD in bringing their hard work to completion; or, at the very least, to a state that is usable for this project. The contributor, Aymeric Wibo, spoke at BSDCan 2024 about his efforts at porting BATMAN-adv to FreeBSD. We hope to bring his work into a special feature branch in HardenedBSD.

Special care must be taken so as not to introduce GPL code. Some bits of the BATMAN project are GPL. The bits that are BSD license compatible can land in the src tree, but GPL bits will land as ports entries.

Once we are satisfied with that work, we will begin work on a special version of HardenedBSD. This version will have all methods for capturing packets (eg, libpcap, tcpdump, BPF, etc.) removed. This would enable network operators to respond to law enforcement requests with a simple answer: "we have no customer data and lack the ability to capture customer data."

We envision networks akin to the NYC MESH project, with two key differences:

1. inter-mesh node connections will be encrypted (IPSEC, Wireguard, or OpenVPN);
2. Supernodes will route all outbound public Internet connections via Tor.

Node and Supernode operators will undergo a vetting process. Supernode operators must also run a public Tor relay to offset the bandwidth cost of users. Routing all traffic through Tor will place a large burden on the Tor network, so we must be kind citizens and try to offset that burden as much as possible.

Protectli plays a crucial role beyond this one donation. We are in talks with Protectli to establish a baseline set of equipment as gold standard. Network operators can supply their own equipment, but we will recommend Protectli as the "known working gold standard reference."

Node operators will be required to run hardened operating systems, with a strong recommendation of HardenedBSD.

We are grateful for Protectli's support of the HardenedBSD project and its goals. We dream of a decentralized digital world wherein safety of its participants is of utmost importance.

If you would like to play a part in this initial research and development, please reach out to the HardenedBSD Foundation at foundation@hardenedbsd.org.

It has been a busy month for me personally, so not too much was accomplished in HardenedBSD.

It got really hot here at home, and the server room's temperatures kept creeping higher than desired. So I spent some time trying to get temperature control more efficient and I made a lot of progress. At the beginning of the month, the server room got up to 76F. After installing foam panels in the window, and doing some more weatherproofing, the room now averages 69F at the hotest, and 60F at the coolest.

I taught our infrastructure monitoring daemon (hbsdmon) how to monitor CPU temperatures. I also taught it how to take action when a monitor transitions from nominal success to failure, and vice-versa. hbsdmon alerts me if the CPU temp hits 80C, and shuts down the server if the CPU temp hits 90C. So now I don't have to worry if I go on vacation, or if the A/C unit dies while I'm asleep. :-)

We received a new server donation. This server will allow us to centralize storage. We'll likely budget for ten 8TB drives (six hot, four spare).

In src:

1. I fixed a kernel panic when a PaX MPROTECT error handling code path was chosen.
2. I coordinated _FORTIFY_SOURCE changes and testing with FreeBSD's Kyle Evans.

In ports:

1. Fabien Amelinck fixed a custom patch we have in ports-mgmt/poudriere-hbsd
2. Shawn Webb fixed x11/station-tweak
3. Shawn Webb enabled PIE and RELRO for textproc/unix2ascii
4. Shawn Webb updated various net-p2p/heartwood* related ports
5. Fabien Amelinck fixed emulators/virtualbox-ose
6. Fabien Amelinck fixed an issue with secadm's manual page path
7. 0x1eef updated the hardenedbsd/sourcezap port
8. Shawn Webb marked math/pspp broken for all supported src branches
9. Shawn Webb updated the hardenedbsd/hbsdmon port

I also published (and deployed locally) a new build of hbsdfw. hbsdfw is a HardenedBSD 14-STABLE based fork of OPNsense that we maintain as a hobby side-project.

As usual, your update process is:

1. Backup your config
2. Reinstall with the new image
3. Restore your config

Default username: root
Default password: hbsdfw

You can find the install media here:
https://hardenedbsd.org/~shawn/hbsdfw/hbsdfw_installer_vga_14.1-20240801...

$ wc -c hbsdfw_installer_vga_14.1-20240801-154128.iso.xz
 1547783764 hbsdfw_installer_vga_14.1-20240801-154128.iso.xz
$ sha256 hbsdfw_installer_vga_14.1-20240801-154128.iso.xz
SHA256 (hbsdfw_installer_vga_14.1-20240801-154128.iso.xz) = 639e87b17fc999acd143c6c731e665f7299a3efe8d551674d0833a475b46cb8e

May 2024 was pretty quiet overall.

In FreeBSD land, The FreeBSD Foundation and Stormshield both sponsored a port of NetBSD's _FORTIFY_SOURCE implementation. Within twenty-four hours, we set _FORTIFY_SOURCE to 2 for the entirety of the base userland and the ports tree. June will see the first 15-CURRENT/amd64 package build with _FORTIFY_SOURCE=2 set by default. I'm sure there will be a lot of fallout to address in ports.

I'm making final preparations to give the HardenedBSD talk at BSDCan. That is the reason I'm writing this status report early. I will post my slides after the conclusion of my presentation.

In ports:

1. 0x1eef updated hardenedbsd/portzap to v0.12.0
2. Shawn disabled fortify source on a few select ports:
   • lang/gcc10
   • lang/gcc11
   • lang/gcc12
   • lang/gcc13
   • multimedia/libv4l
   • devel/libepoll-shim
3. ports-mgmt/poudriere-hbsd was updated to 3.4.1.
4. sysutils/cpu-microcode-intel build was fixed.
5. ports-mgmt/pkg was updated to 1.21.3

What a busy month it has been! And not just for HardenedBSD, but for the rest of the security and IT industries as we work through the xz backdoor (CVE-2024-3094).

In src, the hbsdcontrol utility, and the library implementing the core logic (libhbsdcontrol) were rewritten from the ground up. While the implementation is now feature complete, there is still a bit of work to be done. Chiefly, rewriting the manual pages. After the documentation is updated, I plan to also integrate libucl support, to support JSON output and perhaps also support applying rules specified by a configuration file.

In ports, www/firefox was fixed and the minimum llvm version number was bumped for devel/boost.

Updates were applied across the entire infrastructure. A new build of hbsdfw (a HardenedBSD-basd fork of OPNsense) was deployed. This build has some issues, so I would recommend others not to deploy it, though it works fine enough for us to keep this current build deployed.

Here's what to look for in April:

1. Continued work on {,lib}hbsdcontrol.
2. I'm hoping to study more the dance between the CSU, libc, libthr, and the RTLD.
3. More work on libhijack, perhaps a new shim library that gets injected to help aid further process injection work.

And, lastly:


$ fetch -q -o - https://api.github.com/repos/HardenedBSD/HardenedBSD | jq -r .created_at
2014-04-08T10:10:24Z


Happy birthday, HardenedBSD! May the next decade be as impactful as the previous.

I spent most of February getting 15-CURRENT working again. FreeBSD introduced a new library, libsys, which is where the userland side of performing syscalls is implemented. There's an intricate dance between libsys, libc, libthr, and the CSU. I spent some time learning about that dance, and I still feel like there's more to learn.

HardenedBSD 15-CURRENT is mostly fixed. Prior to the libsys change, we built libc with Link-Time Optimizations (LTO). Building libc with LTO was part of the problem, though not the only issue. Once all the issues are resolved, I will re-enable LTO for libc.

FreeBSD also introduced a new pam_xdg(8) PAM module. This module had a few vulnerabilities, which are fixed in HardenedBSD. The two NULL deref bugs are fixed in FreeBSD now, too. The filesystem race condition and recursion limit issues are somewhat mitigated in HardenedBSD, but not completely.

HardenedBSD now has two VisionFive StarFive2 64-bit RISCV SBCs. I spent a little bit of time toying around with them. The kernel boots to the mountroot prompt. I've been wanting to learn hardware hacking, including writing drivers, so these little SBCs might be great for that.

In ports:

1. the u-boot ports are fixed
2. dns/unbound was updated to 1.19.1
3. the net/vnstat port was fixed
4. graphics/mupdf is now built as a PIE with SafeStack enabled
5. The secadm ports were updated

Looking forward into March: I'm hoping to close two gaps of knowledge: the dance mentioned above and I'd like to return to jemalloc hardening. I plan to also do some infrastructure maintenance--routine updates.