Blog Archives - FreeBSDNews.com

Design of a Trust System for FreeBSD

May 26, 2017 By Cao Leave a Comment

User Eric McCorkle discusses some security aspects of FreeBSD, notably signatures (executables, library, kernel) in his latest blog. This article is broken down in sections such as signed elf binaries, portable verification library, key management, etc. Read the whole thing at the link below.

About a month ago, I started a discussion on freebsd-hackers and freebsd-security about a system for signed executables, with a focus on signed kernels and kernel modules. This is part of a larger agenda of mine to equip FreeBSD with OS-level tamper resistance features.

While the initial use of this is for signing the kernel and its modules, and checking signatures during the loader process as well as at runtime when kernel modules are loaded. However, it is desirable to build a system that is capable of growing in likely directions, such as executable and library signing.

This article details the current state of the design of this system.

Desiderata

I originally outlined a number of goals for this system:

Be able to check for a correct cryptographic signature for any kernel or modules loaded at boot time for some platforms (EFI at a minimum)
Be able to check for a correct cryptographic signature for any kernel module loaded during normal operations (whether or not to do this could be controlled by a sysctl, securelevel, or some similar mechanism) ….

Original post: https://ericmccorkleblog.wordpress.com/2017/05/19/design-of-a-trust-system-for-freebsd/

Bringing up 802.11ac on FreeBSD

May 11, 2017 By Cao Leave a Comment

Adrian Chadd, known for his WiFi and FreeBSD work, writes about his latest updates on bringing 802.11ac to the FreeBSD operating system. Read his full story a the link provided.

I’ve been chipping away at bringing up 802.11ac on FreeBSD. I’ve been meaning to write this post for a while, but you know, life got in the way.

net80211 has reasonably good 802.11n support, but no 802.11ac support. I decided a while ago to start adding basic 802.11ac support. It was a good exercise in figuring out what the minimum set of required features are and another excuse to go find some of the broken corner cases in net80211 that needed addressing. I’ll talk about a few here.

802.11ac introduces a few new concepts that the stack needs to understand. I decided to use the QCA 802.11ac parts because (a) I know the firmware and general chip stuff from the first generation 11ac parts well, and (b) I know that it does a bunch of stuff (like rate control, packet scheduling, etc) so I don’t have to do it. If I chose, say, the Intel 11ac parts then I’d have to implement a lot more of the fiddly stuff to get good behaviour.

So, the first step …

Original post: http://adrianchadd.blogspot.com/2017/04/bringing-up-80211ac-on-freebsd.html

It’s Time for FreeBSD! & FreeBSD-Debian ZFS Migration

March 31, 2017 By Cao Leave a Comment

User Andy Mender is back with another insightful blog about FreeBSD. Read what he writes about FreeBSD’s storage capabilities — ZFS, bhyve, as well as an article about FreeBSD to Debian at the links below.

For the last couple of weeks I have been delving deeper into the arcane arts of FreeBSD, paying extra attention to containers (jails), local/remote package distribution (poudriere) and storage utilities (ZFS RAID, mirrors). Truth be told, with every ounce of practical knowledge I was increasingly impressed by this Unix-like operating system. It’s nothing short of amazing, really! The irony lies in the fact that FreeBSD is an underdog in the Unix world (less than OpenBSD or Illumos, but still), despite the fact that it excels as a server environment and established many technologies currently in focus (process isolation, efficient networking and firewalls, data storage, etc.) years ago already. GNU/Linux is picking up pace, but it still has a long way to go.

……

What I mean to say is that FreeBSD has its place in the world and the time is ripe to truly begin to appreciate it!

It’s Time for FreeBSD!

Since the Zettabyte File System (ZFS) is steadily getting more and more stable on non-Solaris and non-FreeBSD systems, I decided to put my data pool created for the previous entry to the test. In principle, it should be possible to migrate a pool from one operating system to another. Imagine the following scenario – a company is getting new hardware and/or new IT experts and needs to migrate to a different OS. In my case it was from FreeBSD to Debian and vice versa. All data volumes were located in a single pool, but depending on the size of the company, it might be several pools instead. Before even thinking of migrating it is first important to make sure that all I/O related to the pool(s) to be migrated was stopped. When the coast is clear we can “zpool export <pool>” and begin our exodus to another operating system.

FreeBSD-Debian ZFS Migration

[How-To] Applied FreeBSD: Basic iSCSI

March 8, 2017 By Cao Leave a Comment

This tutorial by user SpaceGhostEngineer shows us how to set up an iSCSI connection between two FreeBSD servers. The article then shows you how to use Windows Server to verify that the iSCSI target and initiator works. Follow the link below for the full set of instructions.

This article will cover a very basic setup where a FreeBSD server is configured as an iSCSI Target, and another FreeBSD server is configured as the iSCSI Initiator. The iSCSI Target will export a single disk drive, and the initiator will create a filesystem on this disk and mount it locally. Advanced topics, such as multipath, ZFS storage pools, failover controllers, etc. are not covered. Please refer to the following documentation on iSCSI for more information:

RFC 3720 – Internet Small Computer Systems Inferface (iSCSI)

FreeBSD Handbook – iSCSI Targets and Initiators

Mikhail E. Zakharov’s excellent article in BSD Magazine titled “FreeBSD Based Dual-Controller Storage System Concept”

Now to get started…

iSCSI Target Test Setup

The disk drive which should be shared on the network is /dev/ada0, a 5G SATA disk created in VMWare that I attached to the system before starting it up. With FeeBSD, iSCSI is controled by the ctld daemon, so this needs to be enabled on the system. While at it, why not go ahead and enable it at boot time too?

Full tutorial: https://globalengineer.wordpress.com/2017/03/05/applied-freebsd-basic-iscsi/

Packaging with CPack – on FreeBSD

March 2, 2017 By Cao Leave a Comment

This blog by user Bobulate writes about his work in progress with FreeBSD and CPack, a cross-platform software packaging tool that comes with CMake packing software. Read about his thoughts at the link below. cmake

Some days of the week, I work on Free Software projects that aren’t ready to see the light yet; they live in my own git repo’s, or wherever. While I have the intention of publishing eventually, I usually want to get things somewhat working before throwing code out there.

Part of checking if things work is packaging, and installing the stuff on more than one system. Sure, I can build everywhere, or copy around executables, but it struck me that it’d be cool to have packages — you know, installable with the system package manager — for the stuff I make. O yeah, I know flatpak is the new orange, but I’m not that hip. I’ll stick with Debian and FreeBSD packages, thanks.

Original post: http://euroquis.nl/bobulate/?p=1531

MirageOS Unikernels Now Support KVM and FreeBSD bhyve

March 2, 2017 By Cao Leave a Comment

MirageOS is a library operating system that builds unikernels for the purpose of high-performance network applications for cloud and mobile platforms. Recently, the developers have announced support for KVM hypervisor and FreeBSD’s bhyve. Read the full article for more information on what this capability brings.

Expanding Unikernels Support

Previously, unikernels created using MirageOS were far from being able to boot anywhere. They supported only environments hosted using the Xen hypervisor.

With the release of MirageOS 3.0, however, the platform now supports the KVM and FreeBSD bhyve hypervisors, too. That’s significant because it brings the unikernels a step closer to realizing their full potential—which is to be entirely environment-agnostic and capable of booting anywhere.

Original article: http://containerjournal.com/2017/02/27/mirageos-unikernels-now-support-kvm-freebsd-bhyve/

Hosting Journalist: http://www.hostingjournalist.com/iaas-hosting/xen-projects-mirageos-expands-its-ecosystem-in-latest-release/

FreeBSD – There and Back Again

March 2, 2017 By Cao Leave a Comment

User Andy Mender tells us of his experience switching over to FreeBSD, having been a long time Linux user. You can also see his older blogs documenting his journey of using both open source operating systems.

I guess it should be no surprise that I returned to FreeBSD once more. One of the reasons I originally started learning C was to be able to help writing/fixing wireless drivers for FreeBSD. Although I haven’t reached that point of proficiency just yet, I feel FreeBSD is truly the place I belong after all. From the intrinsic order of a cathedral, through good programming practices and complete documentation to great system-level tools (jails, zfs, bhyve, etc.). Reading the most recent issue of Admin: Network & Security made it even clearer to me. GNU/Linux is growing strong in the server sector, with new GUI-driven tools and frameworks for container management. Personally, I think that’s awesome! It’s a win for the whole open-source world. However, Unix is more than just GNU/Linux – people often forget about Solaris/OpenIndiana and the various BSD-based operating systems (FreeBSD, OpenBSD, NetBSD, DragonflyBSD, etc.). They too are great server platforms, one can learn a lot from. There are scenarios in which a non-Linux Unix is more suitable for the same or similar tasks.

Original post: https://linuxmender.wordpress.com/2017/02/26/freebsd-there-and-back-again/

Updating FreeBSD 4.11 – Blast from the past by eerielinux

February 13, 2017 By Cao 1 Comment

User eerielinux posts about updating their FreeBSD 4.11 machine. The version was released in 2005 and was end-of-life’d in 2007. Nonetheless, this article documents an interesting journey of updating a near decade old system. Check out the links below to read this blog series spanned across four posts.

Ah, weekend. And it’s a nice day, too: The sun shines on the snowy landscape! A perfect day to go out with the children – or to embark on a vastly different kind of adventure… Yes, you read that title right. This is not about four FreeBSD 11 machines. It’s about one FreeBSD 4.11 machine in 2017!

Legacy systems in general

Why even bother with FreeBSD 4.11 today? Well, most people would probably respect historical interest and in fact I was keen on tinkering with a legendary old 4.x release and see if you can have some fun with it (spoiler: Oh yes, you can!). But this would be a task for times when I have absolutely nothing else to do. So it’s fairly obvious that there’s another reason.

Updating FreeBSD 4.11 (1/4) – Blast from the past

This post is about the first part of updating this fresh 4.11 system to a state that’s a bit less catastrophic. Remember: FreeBSD 4.11 was released in 2005 – however the ABI of each release is carved in stone with a .0 release. Which means that the software in the base system is from 4.0 and thus we venture back into the last millenium: 1999!

Updating FreeBSD 4.11 (2/4) – Digging up old graves

This post will cover installing newer software.

Any bets?

So far we have a pkgsrc tree from mid 2007 and things seem to be working. However that’s pretty close to 4.11’s release in 2005 and thus not too amazing. Working with such an old system there are plenty of cases which mean “game over”.

Updating FreeBSD 4.11 (3/4) – Neophyte’s notorious necromancy

This post details some more updates until we reach the final state that’s possible with such an old system (without resorting to extreme means).

Planting a new tree

So far we’ve built some packages from 2013 and before. Using a current pkgsrc tree won’t work – the various pkgsrc tools that our system has are too old. It might not be too big a step but we can use a tree from the second half of 2014.

Updating FreeBSD 4.11 (4/4) – Reflecting radical resurrection

[How-To] IPv6 on FreeBSD/EC2

February 3, 2017 By Cao Leave a Comment

In this tutorial, FreeBSD Security Officer Colin Percival shows us how to set up IPv6 on FreeBSD/EC2 and provides some tips to help simplify the process. Visit the link below to read his full blog.

A few hours ago Amazon announced that they had rolled out IPv6 support in EC2 to 15 regions — everywhere except the Beijing region, apparently. This seems as good a time as any to write about using IPv6 in EC2 on FreeBSD instances.

First, the good news: Future FreeBSD releases will support IPv6 “out of the box” on EC2. I committed changes to HEAD last week, and merged them to the stable/11 branch moments ago, to have FreeBSD automatically use whatever IPv6 addresses EC2 makes available to it.

Next, the annoying news: To get IPv6 support in EC2 from existing FreeBSD releases (10.3, 11.0) you’ll need to run a few simple commands. I consider this unfortunate but inevitable: While Amazon has been unusually helpful recently, there’s nothing they could have done to get support for their IPv6 networking configuration into FreeBSD a year before they launched it.

To enable IPv6 support in an existing FreeBSD EC2 instance, you’ll need to do three things: …

Full tutorial: http://www.daemonology.net/blog/2017-01-26-IPv6-on-FreeBSD-EC2.html

The True Value of Randomness & Deeper Exploration in (Free|Hardened)BSD Entropy

February 3, 2017 By Cao Leave a Comment

This blog series by user W. Dean Freeman discusses some security aspects of HardenedBSD, along with an Entropy Assessment of FreeBSD. The author runs various tests using DTrace and documents his findings across 2 different blogs, and more to come in the future. Check out the blog links for the full and detailed report.

The True Value of Randomness: Initial Results in Hardened/FreeBSD Entropy Assessment (Part 1 of Series)

First, touching back on some background: Currently, I am employed by Acumen Security, LLC as a Lead Security Engineer where I work on Common Criteria and FIPS consulting and evaluation testing. Most of this (especially the FIPS 140 stuff) is basically being the crypto police — verifying the correct implementation and operation of cryptographic algorithms and modules, correct implementation of encrypted communications channels, etc.

In order for a product to be accepted into evaluation these days, the product vendor and lab must first submit an Entropy Assessment Report. Essentially, this is proving that there is enough raw randomness being fed into the crypto system from the start, because if you have week or predictable initial entropy, the strength of the entire rest of the crypto system is compromised

Original article: https://www.weaponizedawesome.com/blog/?p=154

Deeper Exploration in (Free|Hardened)BSD Entropy (Part 2 of series)

So, the other day I posted some background and initial findings from a side project in attempting to measure entropy in FreeBSD and HardenedBSD systems. Rather than instrumenting the kernel with printf(9) or log(9) calls, I decided that I wanted to take the opportunity to start digging with with DTrace.

The first blog post attracted a little bit of attention, and I got into a fairly long conversation on Twitter with John-Mark Gurney that let me know that I was on the right track, but needed to get a little bit further in to really, effectively count what was being fed in.

Original article: https://www.weaponizedawesome.com/blog/?p=173