HardenedBSD Introduction and November 2021 Status Report

    Hey all,

    I thought I'd use this first post as an introduction to HardenedBSD followed immediately by the November 2021 Status Report.

    Introduction

    Founded in 2014 by Oliver Pinter and Shawn Webb, HardenedBSD is a security-enhanced fork of FreeBSD. The HardenedBSD Project implements many exploit mitigation and security technologies on top of FreeBSD. The project started with Address Space Layout Randomization (ASLR) as an initial focal point and is now implementing further exploit mitigation techniques.

    HardenedBSD aims to implement innovative exploit mitigation and security solutions for the FreeBSD community. Security is like an onion--it's made up of layers. In order to be successful, attackers must peel back each layer. HardenedBSD takes a holistic approach to security by hardening the system and implementing exploit mitigation technologies. We will work with FreeBSD and any other FreeBSD-based project to include our innovations. Our primary goal is to provide a clean-room reimplementation of the publicly-documented parts of the grsecurity patchset for Linux.

    November 2021 Status Report

    November saw a number of improvements to HardenedBSD. Loic fixed a bunch of old cruft in base. Among the changes from Loic:
    1. Remove Oliver Pinter's old kernel config
    2. Clean up line breaks
    3. Fix the motd generation code to use HardenedBSD's motd template
    4. Bug fixes in hbsd-update
    5. Use HTTPS with hbsd-update (possible now that FreeBSD distributes trusted CA root certificates).

    I need to MFC a bunch of his work to 13-STABLE and 12-STABLE where applicable.

    The HardenedBSD Foundation's Ben La Monica has been stellar at keeping our self-hosted GitLab up-to-date and making sure it runs smoothly.

    FreeBSD updated llvm in 14-CURRENT base to llvm 13. I've been working on addressing the fallout from that. Note that though there is fallout, it's the good kind: the llvm compiler toolchain is progressing and finding buggy code. The problem comes when you build 30,000+ packages. ;-)

    Speaking of building packages, the 14-CURRENT/amd64 package build server experienced a catastrophic failure. Just today (30 Nov 2021), I went into the datacenter to rebuild the server. 14-CURRENT/amd64 packages will lag behind for a little bit while I transfer backed up config files and the like and kick off a new build.

    The 14-CURRENT/arm64 package builder is also in a paused state. I'm working on bisecting one or more commits from FreeBSD that trigger a kernel panic on the ThunderX1.

    We also purchased and received another ThunderX1. This new TX1 will be used for development purposes (for example: porting SafeStack to HardenedBSD/arm64). The TX1 referenced in the paragraph above is solely for package builds. The git bisect is being performed on this second TX1. I've yet to find the offending commit(s), but hope to by the end of this coming weekend.

    To better facilitate expansion and development efforts, I have installed a new 25U rack at home, which is where the second TX1 currently lives. My employer (BlackhawkNest, Inc, who graciously hosts the HardenedBSD build infrastructure) recently installed a third rack. We have a few servers to deploy into it, which will likely happen mid-December.

    I'd like to take a moment to thank the wider HardenedBSD community. Your help and support is not only crucial to the project, but immensely appreciated. Contributions come in all forms, some of which are advocacy, patch submissions, monetary donations, and community support. Every contribution, no matter the form, helps the project grow. Especially as we enter the last month of the year, we are incredibly grateful for your continued support.

    If you have an itch to scratch, please do! We review all patches for the project that come our way, regardless of whether they're security-related or not.

    As a reminder, for those who create new accounts on our self-hosted GitLab, please email netops{AT}hardenedbsd{DOT}org for account activation.