Stable release: HardenedBSD-stable 11-STABLE v1100056.6

HardenedBSD-11-STABLE-v1100056.6 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning:
since this version, the SMT (Hyper Threads, virtual CPUs) is disabled by default, if you want to enable the SMT back, please consult with the specific commit or ask around on IRC (#hardenedbsd on FreeNode)

Highlights:

  • Check to ensure the buffer returned is not NULL. (9359dbab020da232fa5104036f1014d0fa879561) [FreeBSD-EN-18:10.syscall CVE-2018-17154]
  • Restore the inp_vflag and inp_inc.inc_flags fields when the underlying operation fails and the inp could be in an inconsistent state. (854244afa3ccf0baa19ea60569bedd26267cf534) [FreeBSD-EN-18:11.listen CVE-2018-6925]
  • MFC r338982. Clear stack allocated data structure to prevent kernel memory leak. (7d66fd1e932a68e0bd893f0a19724069d5c80ace) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r338724: Fix an nvpair leak in vdev_geom_read_config(). (81ef86df2cf70de6e205ddfed8ae1d736239cd22)
  • HBSD: Disable SMT by default (70e728df724ed9cfe0e79f79d6446d00234f2ff7)
  • MFC r338600: Update libarchive to 3.3.3 (85012f82112d6062b2c4179c5ae9734275f4c480)
  • MFC 332454,334009,334122: Various fixes for x86 debug exceptions. (4484bf717c82ee46f15a522b7fc088a3e85f3d5b)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-bootonly.iso) = 582ac18f93337df8219bbc2aa707ec85a71c1ef1910b491230fa338d258fc5efd9326775e60a5961a6118196ae04ba7b0c18fb023b30341273c07e37766f4a16
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-disc1.iso) = ba064494fc320654922e17e1ba1e86e231ebe42196b0c2d35e9e3eff63f5b8ae4303a3255b3f8b560a6bbb6f5efad304baffabcd629b8c5e4f92ed1e56f87640
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-memstick.img) = ef229d8d5dff57375859b671e81ef67a0ee4676c9664f0acea4129c1ba0aec3806361479d3363b2f889e1dfcd83343fc2f8aec0b38f27146badf38179d3cfc51
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-mini-memstick.img) = d95c8ed96dbcf3b394a68d9771f12bec1a8ca94cf2a8250d70eccdb23f95c27bdf4239ec81f499b2fd84c38822aa82360f96ad408f743ff369488fec7ef1f14c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlutXwcACgkQgZsRom/9
GI2tpw//SSzwtC2vbWtbbOTv88TocVuempe9XkX14hKbJSOeUWE9qvXXbpulWvHU
OFqm5B6Y70egSubStfbM3ZKnhUDZYnrNU7SbPZYS7/kUQ9apB6g1njSS4u4Bd4av
a2T+1osOVP46ZNaRHCaFNr3Q+yZhdUg1LgbrC5NhMX7SzX7egts4owD6dsK5vIVH
ig6R5oDWe9fnY8UgMDUuNeEh51hdstW5tPDY70oMDdA0HIj3MWgbGYPTJtS4csH+
t0l5daxdqSuoVapES5mriOl4fYdeGEK37E1Er+Gntzl6a4/6WmTXETnQnsyuQ8cv
9kdg/ewjsvyHDJGdPXkfz+9Lpdoi9qIy19dc8o4oEA4PhDQ261j4uPsoY1nrYKrd
/O6+GqRuvjI9EPx3+RbTT8wSlKRn3UFif63Tidf2bEy/cFhoDVwlv46jnFpyDiwf
PoWR97tcc0lgSCzk2bNPpmWh+1KtL2NvbnkaKoZFn0QHgWnEmUl3c38YqQANHzcc
Gc+Rw1vuJ/3csLxdLhfAq+qkBuqB6QYhKUT0hkpkulBbSh9Z7DcR7IxIQc23Dd0Z
JKlMSnMvd4oZWo+yMqw7G+lXB+8uD6/ct+XgpN0BhYEgK/8v4nJa3K8KPv2RDEbe
uFxc3rFc8b/qfrOjJtK2Ajy1/cOfbKNOWTAYpmzuwn8R1i1csDI=
=0oYP
-----END PGP SIGNATURE-----

Announcing The HardenedBSD Foundation

In June of 2018, we announced our intent to become a not-for-profit, tax-exempt 501(c)(3) organization in the United States. It took a dedicated team months of work behind-the-scenes to make that happen. On 06 September 2018, HardenedBSD Foundation Corp was granted 501(c)(3) status, from which point all US-based persons making donations can deduct the donation from their taxes.

We are grateful for those who contribute to HardenedBSD in whatever way they can. Thank you for making HardenedBSD possible. We look forward to a bright future, driven by a helpful and positive community.

Stable release: HardenedBSD-stable 11-STABLE v1100056.5

HardenedBSD-11-STABLE-v1100056.5 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC 338603: Correct ELF header parsing code to prevent invalid ELF sections from (4bfdb79b43e74833a67eb9d7f2afcf632b136917) [FreeBSD-SA-18:12.elf CVE-2018-6924]
  • MFC r338126: MFV r338092: ntp 4.2.8p12. (900dde8260d39322fa4c1816fcc5978c204071d2) [CVE-2018-12327]
  • MFC r338068, r338113: Update L1TF workaround to sustain L1D pollution from NMI. (d9d4e900945e90a783c711019255120ffc7a4163)
  • MFC r333063: Update ELF Tool Chain to r3614 (e90f3bfc9bb4deb6c5da699ebe5ad305ee6391e1)
  • MFC r337505, r337865, r337869: dd status=progress (8c00a8c01e99dcdb8ef723f02b90e98fb6f2444c)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.5-amd64-bootonly.iso) = 5b0deba102a2c9da3fe3fcc015c3217b95ad63a01d83a0c33a6934f805486f8f0482ef6e60d3f209c4a996bd309cccb404b84cc5ded2724589f95f12106a660c
SHA512 (HardenedBSD-11-STABLE-v1100056.5-amd64-disc1.iso) = 5b37ba3d75559d8cf9745f9b9c1898f402636949159ef9dc0a40dec31a0d839bd68cd3ca73aa69eef7c2adbf7fe18a6ac6363000cf7930c34cc0b2964be0e29c
SHA512 (HardenedBSD-11-STABLE-v1100056.5-amd64-memstick.img) = c8b90115ae6585da0288d6017b896d23bfbd68ea821d04585422cfce36edef61507f076264c03f7298fbc8104f79ebb42d68c3ac4d9542e8795d26ce0ddc8946
SHA512 (HardenedBSD-11-STABLE-v1100056.5-amd64-mini-memstick.img) = d76c735ff59bd2ebccdd13e353c2ccd2694aa056d1d656df16ae65dadd589ce26062184a18e2bfaba4acde7290c2aecd7ecbe6031dcd4f7c4b443ce0e1afbeec

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAluZ1ZUACgkQgZsRom/9
GI37txAAkyqAsGx0mCUsKu8JWnnhw3DG1n0KMRJ+aSvWYIGL+b0fN4kTivhBKSVs
Ln/FKfvymQ5jVLDSOXRbwI9hd/Kadm967Vp0/lI2wBZfsrJ6oPUMs0cfCzJ8ZE9/
i76lCY8icS1Wl/eTKA5dPwSZSuJcYVbxXhg4zK2pMssOfFTGhycHGd86Znvfe/LM
qlybRqG4uC70rWQc3IgqrgMa1/cvCMSmKb792l2Bfs2FmLoXatxYtkjsWtnMWDQL
TGTcv0fOL5NRSXRlJj4QP+4NNpKq3ThN3kW2svJZzqMZRG+QZsIm7kfIbmleXHWQ
54r26dj1C74oR1r8CAC2OyiDJaGx19a7FXM/gdg/9AuTyMO4kEX7DyJhRAxZBchi
hr/uF+uiKS1BTXQOd2/Xjb8bkPl1TRnCa7N+BZoEToHWIUHCeiHRMD5K85Kyvue8
OA3ruhtW9dDYcq8WVoWSaAJdZpWQZGM3iPfwNI2P5YgdRGBDg51dYgMq2ofDueCc
0XJkeU+ysp+tlYPmYhLIqhZR1vA4iLzlXPa+0srITQJWbkS0WC+0cZqPgtyyIGBp
lQc8VWu+ncCKluZzndgff6SBE8404YRjgt8VQvJZqE2P1gZMwN4oGLmLnnyQVdYu
Qj98k0AkvLD2t7//cAFP62HTazpMfodhOt9ny2F0Zw9UEnSbTKk=
=sBkB
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.4

HardenedBSD-11-STABLE-v1100056.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r337773, r337838, r338112, r338202: Fixes for early EFIRT usage on amd64. (ebd8a26815cca310cec2634d2c159f5c03367f36)
  • MFC r337615: Fix a really subtle miscompile due to a somewhat glaring bug in EFLAGS copy lowering. (24eeeec9837c397f3dcdd8d7f6e68d2eb8114852)
  • MFC: r336839 Modify the NFSv4.1 server so that it allows ReclaimComplete as done by ESXi 6.7. (121df03ce024a9e8f52afc369903523b8607fc4d)
  • MFC r337969: pf: Limit the maximum number of fragments per packet (340f9f0f5ef86c2de708a6a82f7dc94b37ceca5b) [CVE-2018-5391]
  • HBSD: hook in hbsdcontrol into build (09a80cfc44e479cae28e5bd4a7f3970222507271)
  • HBSD: import upstream version e41faa644bf9c4b8ca79d85fe4119bd712317616 of hbsdcontrol (1326740583ee131c05b459c5085d686c558311bd)
  • MFH r337745: Sync libarchive with vendor.. (02f8199a18902245444f96f92bed334497db0b0d) [CVE-2017-14501]
  • MFC: r337791 Merge OpenSSL 1.0.2p. (04b30e35ca24b7e1150eba96db7fba2bf700cfaf) [CVE-2018-0732 CVE-2018-0737]
  • MFC r337819 (cy@): MFV r337818: WPA: Ignore unauthenticated encrypted EAPOL-Key data (89cd8f5e63ae09cb29e9f67a407235435f791104) [CVE-2018-14526 FreeBSD-SA-18:11.hostapd]
  • MFC r336203, r336499, r336501-r336502, r336506, r336510, r336512-r336513, r336515, r336528-r336531 Update wpa 2.5 --> 2.6. (2c0c29a3880db47098b28cff7a47fe20486cbab2)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.4-amd64-bootonly.iso) = c39f7dc83fa405852bdf0d67ddd9767248d51089d267a7c63033d7bb10a525341f1406ac1856d32d9004fa271ae70c94bf2726fd40de57f55a2bc14d757668cc
SHA512 (HardenedBSD-11-STABLE-v1100056.4-amd64-disc1.iso) = 0ad47e752f7e309d6651b249429022f5e9970c169162af4f20fe1aff99f07be533f5a18e453ea2dbfb513e256fb37cf009ba0d09fb7e7f58ed6a36a245400c90
SHA512 (HardenedBSD-11-STABLE-v1100056.4-amd64-memstick.img) = 3f1723169babd884f960328165e32aff9e8fe5eabafcbb8c67e6cf317fae19ce3740e54dd80ccbef9ba0ba14087aabc85745b5e707a9dce30a6278357723916d
SHA512 (HardenedBSD-11-STABLE-v1100056.4-amd64-mini-memstick.img) = 763803d0d996b381a15eb54491684269ee09407366b75fa68d82cb8e1e3f10dd5b9b2ea6908be237c7cbd364f980eab8b40c5694fe46ebb87c7190b5a6972d7d

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAluDUNgACgkQgZsRom/9
GI3xJxAAndi77pvbsXre+A0/LQ6B9rFd6ZUHj/Jk2yWZGF/A7Yr5VVEgBNzuff9y
3iU/Ma9SGBG5jTSo/LxIvZhw/cibp1U87+8Kisf9iGqbgXNKWlZNHeK9uzH+g2Zp
lNVxuLGFSeBULm3PijOBsMRTlxmT7Y9i54wNGB3pmLB1b8tXCasMaw8ivbjlW0B8
mjNml9XNrSxPl+nO8u3dfRGAa55PGdwe9mN7fKFB9DAyjG4S68UDhax8/p3Q8WNE
I4FlPNsRujc+M+qSupl5j4xxbBuwsLz93chC6e8DBBD604Pllk5o0C41XJ07yEQE
QxQSpXwvKwztf5IkooP8OTPKkdmuM2W0KWuwWp+/Y4zhQDG5SseBy12xvSFMKB/z
d5vw9FwTg0N0PD5ZYW0mHagWWeyyT+HVSQdxt8GK5iAnyIRe7bP0UjDjyBVMgqHp
d6BFYPi6Qg4hjD6bZCyqLo4oDjsEQrdr6d1ijk+8LyMdQtnHPjRn5c7avqqkQFrc
99jtK2Y/zZuXj4D1OmGvpz0+btaQ6suJHc2rWqRcID02U/gwnD3zoTF5I852KpAv
H1rnK60C0BdFEAwEjcwZKq28mtTIsfsKBRTeuTUZIk8ij2xx7y8+9e8n25kYJbOS
dSg1WSgfLYttR6Cqv66a9NXWC1IaF5RXlVN4BCB/9L9yKpj9CK4=
=j6H/
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.3

HardenedBSD-11-STABLE-v1100056.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD: do not allow to override init_exec by default from loader when the kernel compiled with PAX_HARDENING (19f62c611d729b0e11aeea09cca92b8a2357e086)
  • HBSD MFC r337774: Reserve page at the physical address zero on amd64. (2be594934556ef121ee095b76cbed845cf51fbb3) [CVE-2018-3620]
  • Limit IP reassembly queues (b237529341a40e980dbbb8998bd029dd805f976f 473b73fec73ba098937b1deb304cbb285fed289a 3b9d004b0f08c95203a2a61bdb293a075470d55e 9154624e12ec34b0048dd9ca7159a4b7fdda80e7 dfb2edc8f5fa836a42011e06d48ee99560312081 d85d7540a7fc2cf733c4a655a4c9b28fb6acf42c 54c1ac1408df4b7b0186933e804da8a5a622c24f b3822a674366465673f831e3ff2b544e7292f9242762fee5dd30eb9f1896295c63521e86a9b98d06 95d18bdb4de4bc81529cae34a3e1976145d6fcb1f0d4e7bdc43c2e330df8bf6cb1fca39295403ffd) [FreeBSD-SA-18:10.ip CVE-2018-6923]
  • HBSD MFC r337745: MFV r337744: Sync libarchive with vendor. [CVE-2017-14501]
  • MFC r337785: Provide part of the mitigation for L1TF-VMM. (249be5558ae7f7a429466ea46764dfb581133a03) [CVE-2018-3646]
  • MFC r336855 Fix the long term ULE load balancer so that it actually works. (e2d93727643b74f67085eb874430e0e9eeb57641)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-bootonly.iso) = ebb9bcfff4ae383a5786f1c604d1a8798168b452f3c60c93138987e42248c85c54986d86707e03f18cf5166dae95b18b87ed075bce1829c314007a6988c7248d
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-disc1.iso) = d59e6c829713f8a93bcafd712205598f690d4c4933bc5798f7c727382e84b18450cf2e166b3ff5fabdb410a73873fa238d7a90913de80f25af1ec1cfaa62bffd
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-memstick.img) = 63da6f43b0d280e4af5acd57541bd0b8876910e2ec433e076ece608737c9770672629a009dc6522b366432d69c095860fceab0fac2ed2d1c9f9e9da6f8d6bd4b
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-mini-memstick.img) = 1b720e5735c549b24154d7d12ed945fa3a0fbca55304c344845ae731fcdb0a990f07c299d5e9fb7cf858af4d88392fcfb7b930a070ffd4b2bffadf56a7b260eb

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAltzXYAACgkQgZsRom/9
GI2iexAAk2JlTkOgAjrncC3ooGC3qaCWbPLvt9z+6ZybRTMTvUXmEjVekXVv4wYf
nHKpeN9AMM1ak1fJUJcRvlFMKYoU976ceLgzdxY4OHtFyfaA4EdixpLNRcipbJWZ
8MPpCs8XFjt2jd1hvNKuny2zeBpTvwuS7UC7gQMmZnQXxW05xXl2dJIvv2Z+3/V6
xdziT6czswUmtQGxLnyzfZBbKprFJ4x+ykKxTp4tfHkklKY2hbvgJunjXblRpFnT
UZHQXlt2TF2lL6TBQ+eBRVoARqCybAk6zKn5w9/q8i2/2/g+IXVZfANSP/zq4Uur
VB+xgRPVzfZzFUUjwxTUz5CdEJUl6UnhNkwuTu1jzy5ziWtWGpu16KN0dR86lW9i
MOGXBKk6zZoSnDLR+SZ50FJRpNsjNwJuJC7goEB3WDsGrzM5IBEBdQeimL3hXT5J
H+WCzAE4riyATL1ZmdX5w8ck2rv0KuLGxqzMPySWuwIpK/tDjXiE/8eOGK2Mc+7S
q2tR/2gRDM0+YITQWkW4SvPHBMS+vdQmj31u6Zq1aCVJB/LhuCc06JYSKXDvWcfZ
0TZeGIklkekLlmsN0Y7F7dSzvxY0evh6KQejL0iUgH8HV2CpxExHQcXAd0RrlvYp
60vgNqjGDiKQN5OyFtVWAQgvX0dfgphwx61hnB3SecxSuR06biM=
=4kIf
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.2

HardenedBSD-11-STABLE-v1100056.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r333405: Remove PG_U from the rest of the kernel pmap ptes. (6840ef5d2739bb01a0dc7d192316bd18eb24967b)
  • crypto/libressl: Security update to 2.6.5 (ace3164bc710f03d7978019792dedb0a236c52e0)
  • MFC r336761 & r336781: Allow a EVFILT_TIMER kevent to be updated. (a1143bbcefc092238acc75578211f8938cddd8c8)
  • MFC r337384: Address concerns about CPU usage while doing TCP reassembly. (db2e2eea0366604ed65e6f50824471e22035f343) [FreeBSD-SA-18:08.tcp CVE-2018-6922]
  • MFC r336919, r336924: efirt: Add tunable to allow disabling EFI Runtime Services
  • Libarchive update (3ff094362c83c79ca9d501ec9e52a11690e8beff) [CVE-2017-14503]
  • HBSD MFC r313168: Fix VIMAGE-related bugs in TFO. (7a58c5a57aba467d77542a81e797330c3b4ec0bf)
  • HBSD MFC r333885: ctf dwarf: don't report "no dwarf entry" as if it were an error (c4bda35c98a3d1f587b7d6235b8d23161922070e)
  • MFC r336763: Add workarounds for several Ryzen erratas, on amd64. (b26157613a63f16d4822e421cd65ebf5524af67a)
  • MFC: r336357 Modify the reasons for not issuing a delegation in the NFSv4.1 server. (88b6d0a280d23369b39c11398cacc17ff7f39da3)
  • MFC r336683: Extend ranges of the critical sections to ensure that context switch code never sees FPU pcb flags not consistent with the hardware state. (e0245aeafd4d0ab7073f8d616840077f69e15a2a)
  • MFC r336188: Improve bhyve exit(3) error code. (ff4bc3fee787254597b6a515f16495b20ed620c9)
  • HBSD: Really bring hbsd-update current (630cab9f8eeee3907157f181c4c7a4d8183babff)
  • mlx5 updates
  • ofed updates
  • arm64 updates
  • msun updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.2-amd64-bootonly.iso) = 2f75e591853aa932b8a6576ff5499b530fbddd0974a19463cd88b269e9faed6021282204485240486608033b3e05d9ed65463849263785efe9a97b7cc0065a50
SHA512 (HardenedBSD-11-STABLE-v1100056.2-amd64-disc1.iso) = 25545b3ab97265b53984609886b5bd2941a4140a742d5285816bbb37720584a20e8d9f16fa001eb854aa27c498a6341af0e48848109aceafea0086ab451527bc
SHA512 (HardenedBSD-11-STABLE-v1100056.2-amd64-memstick.img) = 3d6080deccb880b1e228636869598e0763cb40d4ec1a228d82b39f9a169cec1f5c846db3ccc2045e654ec8880c27c2e9be4b873c6201c5bae3060a6b923106fc
SHA512 (HardenedBSD-11-STABLE-v1100056.2-amd64-mini-memstick.img) = cb49fa02e29d9aacf18d84e94bcdfe0d90f874903047dcb4bf06aae40ec54b0b4f68114a38d54599d04a0f972ffd1f60d9ddfbb2a06e5c3a2a4682cf59d934c1

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAltrW9gACgkQgZsRom/9
GI1MVRAA0xwNbOIVimbAyxqmkYuF1DhqgJmLT2Gr3pN9pg03LLpGH0f6rVCi/cKM
Sr1rY3O7eOSUvc6vhQroQT3B1APU2YCEv3VO3vY0oc9wcw1qpcogkHrsjlxUlMlD
B4PaiUtHCyHiYI5xfMKt+/kmwLUUOSapUhfv1A3HfpQOJrd7jCtBekhOjZJHbVAH
ZDJnsjio4P7aXxIm7LGxuk8EU+C8Sj+oqGZpSqsfjoaBvTvqDTSSII1z1HoLCHDx
Zmx2zSX5dhwLHvbs89sTfd2WU3898r0FRibMnKZFPsoLGzEzrMjQRxnY8IS328Gj
FPbcWGgjT0P/NdhKe+HXyhmrq/ZQLZJEqbSz5x528ZXboQvQA5JXeXqstnqNWQiv
OO9C9qtXD/uLgW76FYBiEElhS/G1bD5FrCzLfIzuBcrmx2Un+FNt/vrB3EjSlk8L
Zyhfa6tb+n3t44J1HYMSgzQ+7ulOrZrYkT2we3qN2p+JnzKBAWIpIXKz/g/r0dRw
K9tAyBCqEGXpNE521i24G26gurm7HqzamrvwphNW71ju3TEd9PZDqi++3Bm6aF3J
mADB7Tts8JBmD0fkp/8lyCiIlonmCVdQZ7cJMkVX6i+yLBvEG91fKq3c37zKuT2R
FMYnU4PIf/AdzNASWYBwVVJZ7dNkgSHUJyU1zXvkjuchvNA/tiw=
=eU3I
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.1

HardenedBSD-11-STABLE-v1100056.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r336273: pf: Fix panic on vnet jail shutdown with synproxy (0873e9ee23e89e484beda97e2df50de20eb5eb49)
  • MFC r336275: pf: Fix synproxy (b21dc776778cd732b26ce6cbc6cc5d11b902815c)
  • HBSD: Bring usr.sbin/hbsd-update current (7131affd05b24405930598458f21d5aed58372b2)
  • MFC r335939, r336088: Add setproctitle_fast(3) for frequent callers. (b0161972b61f32e3939b1d00ed596a51f2d9df53)
  • MFC r336195: unbreak dhclient(8) option 26 processing (6cf691c4162ca1b63686cf0168c7c7308abcf749)
  • MFC r336060: Allow the use of slashes in process names of RFC 3164 formatted messages (1443b72deb5a8d24de24dca3c17f7584a1bcdc85)
  • MFC r334296: Fix "Bad tailq" panic when auditing auditon(A_SETCLASS, ...) (2629e7874930097ab4606daa386c9c151be0855b)
  • MFC: r333508 Add support for the TestStateID operation to the NFSv4.1 server. (63f6f19b0756b18f2e68d82cbe037f21f9a8c500)
  • MFC r335921: Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), sockstat(1), ugidfw(8) (fbeac7fa845df8507cfd3ff4205e4edce5cd64a3)
  • MFC r335595-r335596 r335595: Modernize usage of "restrict" keyword in ntp.conf (026ad5cf663bf4ef529f4e74337e0713b9f9c22b)
  • llvm/clang/lldb update to 6.0.1 (b11d8bd84ca80f747465696403ade22f752ca6d7)
  • libnv updates
  • msun updates
  • fsck_msdosfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.1-amd64-bootonly.iso) = 7c7350a80f50ba19d7e1c64557ac0cb22c90f22a3124dd27a789c4c293d9ae5d3f895d8ab885ae6ca7236fb3d63236df9d6aa8c96cc3cf9475db070c8e5d71ed
SHA512 (HardenedBSD-11-STABLE-v1100056.1-amd64-disc1.iso) = 21ad6239b58e1e61217a81785f66180e1559a1e17cf239f3a2097e70a7b8e5e713bd47a0cb6ba9a00609874bb35806d4b4214cf73c01281e44f46c647caab4b2
SHA512 (HardenedBSD-11-STABLE-v1100056.1-amd64-memstick.img) = 07ef9e0229a81bf97fdd871cf45b3bda787a4a6e0ed60740d404e4915c1fa4b99108a27e299bed27c861830c64a48eafc145528ad9c2047aec857264572a68c9
SHA512 (HardenedBSD-11-STABLE-v1100056.1-amd64-mini-memstick.img) = ae6ea867c87c2dde581139a652ec648b2f0ba7b87337183c42d556d4a6383f41f4ef3bcaa7dfd7d9841d7bd78dfe50bfe5885dbe4dbc075b1d4af47d12246c7f

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAltT6hAACgkQgZsRom/9
GI3m1Q/+IMCKPwNLKLn8oT+xfacVg1fz9IqivnWhIKn0HLTq+xfbBFV6VQgtl7YH
pACIlTVUz7+cXoBlvgscDu7NrPdeseyKCSSBiD1t7Anu1Ro4jMNVGiS16MfpDr9w
W35RQ3hUM3BCUwPQ3dxvzBOU0c9hin6AqUrPWKnFdNbR2y60td7WnwYkxCdLuqYC
1jreV0H65gkXTSJnIxlLJ+Yzv4bJ/g9z4OLr8O6ATEtXuo1j7H2zAAl5OHt7Fuzk
faYnS+UhIqhhlCysM3zwdJIyc9MdeWHrfeWwJcwNfyPJQdN1CwoctJuR31opD+d0
L1tiWJ9FULioUXP6lxEGTanWinwvltzZ6bcxq4Z13smnjRUW8xflU3C9/lPhRdDy
xZ8SFQFTUrmcFmq0eEt8isj9S3Kv3BY0wfk5bE9U92iRnZ7SxusGG9URbts12UKz
M5DH0KttLOSW42G0XlZK10Ma2r2BsLwqE+HWps5vixByXTlANv745kP+fRnVmiQN
kWrVFZ1P4oK197rHYnZzIVKTcifG6IGqZBQxd+ck4rWYu1YsGC//e8hKYI6nCU/W
myuQwnphTPV3yybfC5uG9RzKukO2GvF+7VGag8Nh9xkVc8MOU3r0mHt7hOCUUfny
Wxl6PJy+zDIuSOOfUguCvWhsuKnc2q5QeDn7zZgUH263HPjxqts=
=y6aK
-----END PGP SIGNATURE-----

Preliminary Call-For-Testing: Cross-DSO CFI

Over the past year, HardenedBSD has been hard at work in integrating the Cross-DSO CFI implementation in llvm. We have reached a point where we can release an early (pre-alpha) public Call For Testing (CFT) of this work.

For reasons which will be described below, we recommend this CFT be used by those using root-on-ZFS with boot environments. We recommend testing in a dedicated boot environment.

This initial round of testing is best suited for development server installations. Production servers and desktops/laptops are not advised for testing at this time. We're looking for feedback on what works and doesn't work.

Introduction

Control Flow Integrity, or CFI, is an exploit mitigation that aims to make it harder for an attacker to hijack the control flow of an executable image. llvm's CFI implementation provides forward-edge protection, meaning it protects call sites and non-return code branches. llvm includes basic and incomplete backward-edge protection via SafeStack.

CFI in llvm consists of two flavors:

1. Non-Cross-DSO CFI
2. Cross-DSO CFI

For over a year now, HardenedBSD has adopted non-Cross-DSO CFI in 12-CURRENT/amd64. Support for non-Cross-DSO CFI was added for 12-CURRENT/arm64 on 01 July 2018. Non-Cross-DSO CFI applies CFI to the applications themselves, but not on the shared objects they depend on. Cross-DSO CFI applies CFI to both applications and shared objects, enforcing CFI across shared object boundaries.

When an application or shared object is compiled, its source files typically get compiled first to intermediate object files. Enabling Cross-DSO CFI requires compiling and linking both static and shared libraries with Link Time Optimization (LTO). When LTO is enabled, these object files are no longer ELF object files, but rather LLVM IR bitcode object files.

Linking applications that have been compiled with LTO generally only requires ld.lld as the linker. Linking libraries that have been compiled with LTO requires switching certain compiler toolchain components to ones that understand LLVM IR bitcode. To prepare for Cross-DSO CFI, we switched ar, ranlib, nm, and objdump to their respective llvm compiler toolchain components. This gives us the ability to use LTO across-the-board for the HardenedBSD userland, with a few exceptions.

Note that because Cross-DSO CFI requires storing metadata regarding the shared library boundaries at runtime, Cross-DSO CFI requires ASLR and PaX NOEXEC at a minimum to be effective. If an attacker knows the address of the metadata pages, the attacker can first perform data-only attacks for later code execution/code reuse attacks. Similarily, if an attacker is able to mark non-executable, yet writable, pages as executable while still obeying CFI, (example: JIT compiled code) the attacker can still gain perform execution/code reuse attacks.

Known Issues And Limitations

There are a few known issues. Before we dive into the testing procedure, I would like to talk a bit about known regressions. Note that this list of known issues essentially also constitutes a "work-in-progress" and every known issue will be fixed prior to the
official launch of Cross-DSO CFI.

It seems llvm does not like statically compiling applications with LTO that have a mixture of C and C++ code. /sbin/devd is one of these applications. As such, when Cross-DSO CFI is enabled, devd is compiled as a Position-Independent Executable (PIE). Doing this breaks UFS systems where /usr is on a separate partition. We are currently looking into solving this issue to allow devd to be statically compiled again.

NO_SHARED is now unset in the tools build stage (aka, bootstrap-tools, cross-tools). This is related to the static compilation issue above. Unsetting NO_SHARED for to tools build stage is only a band-aid until we can resolve static compliation with LTO.

One goal of our Cross-DSO CFI integration work is to be able to support the cfi-icall scheme when dlopen(3) and dlsym(3)/dlfunc(3) is used. This means the runtime linker (RTLD), must be enhanced to know and care about the CFI runtime. This enhancement is not currently implemented, but is planned.

When Cross-DSO CFI is enabled, SafeStack is disabled. This is because compiling with Cross-DSO CFI brings in a second copy of the sanitizer runtime, violating the One Definition Rule (ODR). Resolving this issue should be straightforward: Unify the sanitizer runtime into a single common library that both Cross-DSO CFI and SafeStack can link against.

As of 07 Jun 2018, libpmc and friends are receiving a lot of code churn in upstream FreeBSD. The jevents application in lib/libpmc/pmu-events is used as a build tool to generate code. Enabling Cross-DSO CFI disables building PMC-related tools (libpmc and friends) due to the jevents application segfaulting during the build process.

When the installed world has Cross-DSO CFI enabled, performing a buildworld with Cross-DSO CFI disabled fails. This is somewhat related to the static compilation issue described above.

Linking with Cross-DSO CFI can cause lld to use an extremely large amount of memory. For each parallel build job, budget around 15GB of memory for the linker.

Due to the issues discussed above, this CFT is applicable to users who either use ZFS or where /usr is contained within the root filesystem.

Procedure For Testing

Use git to clone locally the HardenedBSD Playground repo. The instructions below assume using /usr/src as the location for the source tree. It also blows away your existing source tree, if it exists. If you want to keep your existing source tree, feel free to
modify the steps below to your liking.

Due to the complexity of building Cross-DSO CFI, the buildworld step must be completed twice: once without Cross-DSO CFI and a second time with. The non-Cross-DSO CFI world must be installed prior to performing the second build. As noted above, we will work to ensure this doesn't need to happen later.

These instructions make the following assumptions:

1. The root filesystem is on ZFS, with the proper layout for ZFS Boot Environments.
2. The beadm package is installed.
3. The existing installation is running 12-CURRENT on amd64.


# cd /usr
# rm -rf src
# git clone https://github.com/HardenedBSD/hardenedBSD-playground.git \
src
# cd src
# git checkout -b hardened/current/cross-dso-cfi \
origin/hardened/current/cross-dso-cfi
# make -sj$(sysctl -n hw.ncpu) buildworld buildkernel
# beadm create cfi-01
# beadm mount cfi-01 /tmp/newbe
# make -s installworld installkernel DESTDIR=/tmp/newbe
# mergemaster -iFUD /tmp/newbe
# beadm umount cfi-01
# beadm activate cfi-01
# shutdown -r now

Binary Updates

We will provide binary updates in base for the hardened/current/cross-dso-cfi feature branch on amd64 until this work gets merged into hardened/current/master. Take a look at Appendix A for a sample hbsd-update.conf configuration file for the Cross-DSO CFI work.

Future Work

We're not done, yet! There's still plenty of work to do. Of upmost importance is fixing static compilation with LTO enabled. Without it, statically-linked applications will crash. devd can go back to being a statically-linked application and users with /usr on a separate non-ZFS filesystem will be able to take advantage of Cross-DSO CFI.

Secondly, we need to re-integrate SafeStack, giving us backward-edge protections once again.

Third up is integration with the RTLD. Without it, we still need to disable the cfi-icall scheme for applications that make use of dlopen(3)+dlsym(3)/dlfunc(3).

Given that we're in uncharted territory, we will likely find other issues. We will keep the community updated and informed. Once all issues have been resolved, we will work on integration with ports.

We need to ensure buildworld works with the various CFI (MK_CFI and MK_CROSS_DSO_CFI) options toggled, regardless of installed world state.

Given the tremendous memory requirements, HardenedBSD may not be able to apply Cross-DSO CFI across the entire package repository. The current amd64 package building system is a dual Xeon system with eight cores per CPU (sixteen cores total), 192GB RAM, and 64GB swap. Without Cross-DSO CFI, building the package repo for amd64 takes around 82 hours to complete using all sixteen cores. With Cross-DSO CFI enabled, the package build server eventually runs out of swap using only eight of the sixteen cores.

Though we plan to support Cross-DSO CFI in arm64, amd64 will be the primary development platform until the major issues are worked out. The sanitizer framework needs to be updated to take FreeBSD/HardenedBSD into account on arm64. As of 14 July 2018, the llvm sanitizer framework does not support FreeBSD/arm64. With time, we plan to change that.

HardenedBSD may very well be the first UNIX-like operating system with full Cross-DSO CFI integration across its entire base operating system userland.

Appendix A - hbsd-update.conf

# hbsd-update.conf
# Configuration settings for hbsd-update.
# This file is read in through a /bin/sh shell and uses that syntax.

# dnsrec:
# DNS TXT record to use when looking up the version info for the
# latest update.
#
# This record name seems redundant, but it provides the following
# information:
#     1) architecture
#     2) branch (hardened/current/master) in reverse form
#     3) repo (hardenedbsd)
dnsrec="$(uname -m).cross-dso-cfi.current.hardened.hardenedbsd-playground.updates.hardenedbsd.org"

# kernel:
# Which kernel to install.
# By default, this is intelligently detected by parsing `uname -v`
# output.
#kernel="HARDENEDBSD"

# capath:
# Location of the trusted root certificate store.
capath="/usr/share/keys/hbsd-update/trusted"

# branch:
# Which branch/tag we are pointing to. This option is only used in
# this file for the baseurl option below.
branch="hardened/current/cross-dso-cfi"

# baseurl:
# Where to get the update from.
baseurl="http://updates.hardenedbsd.org/pub/HardenedBSD-playground/updates/${branch}/$(uname -m)"

# dnssec:
# Use DNSSEC for validating the DNS TXT record. Default: yes
#dnssec="no"

Mid-July HardenedBSD Foundation Status

On 09 July 2018, the HardenedBSD Foundation Board of Directors held the kick-off meeting to start organizing the Foundation. The following people attended the kick-off meeting:

1. Shawn Webb (in person)
2. George Saylor (in person)
3. Ben Welch (in person)
4. Virginia Suydan (in person)
5. Ben La Monica (phone)
6. Dean Freeman (phone)
7. Christian Severt (phone)

We discussed the very first steps that need to be taken to organize the HardenedBSD Foundation as a 501(c)(3) not-for-profit organization in the US. We determined we could file a 1023EZ instead of the full-blown 1023. This will help speed the process up drastically.

The steps are laid out as follows:

  1. Register a Post Office Box (PO Box) (completed on 10 Jul 2018).
  2. Register The HardenedBSD Foundation as a tax-exempt nonstock corporation in the state of Maryland (started on 10 Jul 2018, submitted on 18 Jul 2018, granted 20 Jul 2018).
  3. Obtain a federal tax ID (obtained 20 Jul 2018).
  4. Close the current bank account and create a new one using the federal tax ID (completed on 20 Jul 2018).
  5. File the 1023EZ paperwork with the federal government (started on 20 Jul 2018, submitted 28 Aug 2018).
  6. Hire an attorney to help draft the organization bylaws.

Each of the steps must be done serially and in order.

We added Christian Severt, who is on Emerald Onion's Board of Directors, to the HardenedBSD Foundation Board of Directors as an advisor. He was foundational in getting Emerald Onion their 501(c)(3) tax-exempt, not-for-profit status and has really good insight. Additionally, he's going to help HardenedBSD coordinate hosting services, figuring out the best deals for us.

We promoted George Saylor to Vice President and changed Shawn Webb's title to President and Director. This is to help resolve potential concerns both the state and federal agencies might have with an organization having only a single President role.

We hope to be granted our 501(c)(3) status before the end of the year, though that may be subject to change. We are excited for the formation of the HardenedBSD Foundation, which will open up new opportunities not otherwise available to HardenedBSD.

Stable release: HardenedBSD-stable 11-STABLE v1100056

HardenedBSD-11-STABLE-v1100056 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r335558: Add support for selectively enabling LLVM targets (62b732f45dfe86a663fb78aec3e30ba28d0485c8)
  • HBSD: Switch back to OpenSSL as the default crypto lib (1087d59e45072059e2d20ac2dea1801d995c9a2d)
  • MFC r335569: pf: Support "return" statements in passing rules when they fail. (9e4899f2d2193db78e985cc427fcfb870a20e40a)
  • MFC r335641: Fix a stack overflow in mount_smbfs when hostname is too long. (0b39c762ec1d16fa2bca8a386d2e1af10e106a5e) [FreeBSD-SA-Candidate]
  • MFC r333059 (by tychon): Expand the checks for UCR3 == PMAP_NO_CR3 to enable processes to be excluded from PTI. (bad2d0f8e14dbc917f3ccbeb0adee1e045a63ae5)
  • loader updates
  • bhyve updates
  • libpcap updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056-amd64-bootonly.iso) = 1df1060cea47345ddaa4be6a93de16f5443a5e4b299e58aa89aaa5c9af16251d80cdd76f4b7a083686b78e3cafbf361c69b844fb6b75ca7919f969cbffe769ad
SHA512 (HardenedBSD-11-STABLE-v1100056-amd64-disc1.iso) = 78281285ea05b4adeb1933c50e780054419edd6aabccd350df6304a06b9fca02ea39863a2a1edaa9d615ff8c2cf78e63e2fc0f254adab4da8f3f7ed618ee52c2
SHA512 (HardenedBSD-11-STABLE-v1100056-amd64-memstick.img) = 0000bcab6e06421c7fdf0054cd13ecc339f8dc894082fe3a6f0d7b5039b7313fa14f14ee1db1d84ad5b7ad6679c1bd53438d52ebb819a67786d8e29c09d956e1
SHA512 (HardenedBSD-11-STABLE-v1100056-amd64-mini-memstick.img) = 08066dc2de7e19a7535188fe30d79bf7bd78c6fc877001a75d562b5e1ace2fb31a7e429cf6022d13e15e4d0a4cefa6b9ba8787725ad545e8aa32020193503338

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAls8Mr0ACgkQgZsRom/9
GI0WzxAA0uatTUXE+5ukll9Ehvnkd077UoS0hUhVoYw/OuPt/zm4RQH3q/ADWlaM
Fbm2yPPU/JHBISg6cE9HSDCu//dMe+9MS8Jx1GuoTihRBwQ3/9skIYeUeNIiOixf
55y13PHBHlLoXKnEuGJEbBUAFr4a5cltl3Uqbtla2ltFXsBE0tEAuZw/f4DbsvIB
TekXruGiuOzypLT/B2SMVTA0a9JwQ8S3A7avvUU+jpuvJcibb7ZMEvMmzpnuuBdd
QGsvanXRXMrB7o17PQSjGwtShpPuFER3ZKQ06FwT5h4mvk+oN8TkmEZrZfzNngD4
qLhuXf+4xe+VJyDBV+daHumwrvnFph50MB+jqkTHUmXOOZQmDXIyW6GIx7MjW8en
jfPzrD21W/LGr5ntKAggETOPN/h3sUl5Ukd3ZZhwNrouaT8Locl4wF4UXVtKFjgK
Z73ty+S1q9xIJm53tfH0qQSdf9ZmcTJZPy4yv28btjnznkF52UbAL4poP1OTH64p
xIjR7erdN2y7KxIcU/8zaYpBIHNYlFppSX6CGK6gvLK1XiUky03lnquX26oM+9Jv
bsWswNJRUsZ4hQtYqXT0LihGh7M+niY9xxbDlaXjZ+L/ie40RF4SdPhcnp56WBc8
eChcSRM0dzNYQYWOkUUqX41hL5IiLySurD+GgTBIOB16kIGabfQ=
=HMQk
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS