Page MenuHomeFreeBSD

securityUmbrella
ActivePublic

Recent Activity

Today

greg_unrelenting.technology updated the diff for D20780: Add support for getting early entropy from the UEFI RNG protocol.

Yep, I've had basically the exact same opinion as @delphij about the copyright. Let's go with Intel.

Fri, Jan 28, 11:59 AM · csprng, security, arm64

Yesterday

delphij accepted D20780: Add support for getting early entropy from the UEFI RNG protocol.
Thu, Jan 27, 5:52 PM · csprng, security, arm64
markm added inline comments to D20780: Add support for getting early entropy from the UEFI RNG protocol.
Thu, Jan 27, 5:42 PM · csprng, security, arm64

Wed, Jan 26

greg_unrelenting.technology updated the diff for D20780: Add support for getting early entropy from the UEFI RNG protocol.

So seems like it's easier to just do it all in core.lua, which is where lots of config accesses are anyway.

Wed, Jan 26, 9:31 PM · csprng, security, arm64

Mon, Jan 17

markm added a comment to D20780: Add support for getting early entropy from the UEFI RNG protocol.

err, I have not addressed the "isUEFIBoot" thing and the "This file needs a copyright / license at the top" thing…

Mon, Jan 17, 8:42 AM · csprng, security, arm64

Sun, Jan 16

greg_unrelenting.technology added a comment to D20780: Add support for getting early entropy from the UEFI RNG protocol.

err, I have not addressed the "isUEFIBoot" thing and the "This file needs a copyright / license at the top" thing…

Sun, Jan 16, 1:24 PM · csprng, security, arm64

Sat, Jan 15

cperciva added a comment to D20780: Add support for getting early entropy from the UEFI RNG protocol.

Thanks! Can you also MFC it to stable/13 after a week?

Sat, Jan 15, 5:48 PM · csprng, security, arm64
markm added a comment to D20780: Add support for getting early entropy from the UEFI RNG protocol.

Is this waiting for anything else before it gets committed?

Sat, Jan 15, 9:30 AM · csprng, security, arm64

Fri, Jan 14

Herald added a reviewer for D20780: Add support for getting early entropy from the UEFI RNG protocol: manu.

Is this waiting for anything else before it gets committed?

Fri, Jan 14, 10:14 PM · csprng, security, arm64

Nov 16 2021

mw closed D27666: Enable ASLR by default for 64-bit executables..
Nov 16 2021, 10:27 PM · PowerPC, security, arm64

Nov 15 2021

mw updated the summary of D27666: Enable ASLR by default for 64-bit executables..
Nov 15 2021, 8:26 PM · PowerPC, security, arm64
mw updated the summary of D27666: Enable ASLR by default for 64-bit executables..
Nov 15 2021, 8:26 PM · PowerPC, security, arm64
emaste accepted D27666: Enable ASLR by default for 64-bit executables..
Nov 15 2021, 7:12 PM · PowerPC, security, arm64
emaste added a comment to D27666: Enable ASLR by default for 64-bit executables..

I did a minor edit on the proposed commit message to clarify some things (sorry I do not have it as a diff)

Nov 15 2021, 7:12 PM · PowerPC, security, arm64
kib accepted D27666: Enable ASLR by default for 64-bit executables..
In D27666#745003, @mw wrote:

Altough I agree it should be safe to enable ASLR 32-bit, for now I'd stay with 64-bit only - please remember that after a discussion it was decided to compile only 64-bit executables "WITH_PIE".

Nov 15 2021, 5:33 PM · PowerPC, security, arm64
mw added a comment to D27666: Enable ASLR by default for 64-bit executables..
In D27666#744977, @kib wrote:

I might write are not changed at this time to suggest this is not necessarily a final decision (in fact, it's not really a decision at all, 32-bit is probably not relevant enough to spend much effort on).

For 32bit, it might make sense to enable ASLR for 32bit binaries on 64bit host, still. That said, i386 kernel provides almost full 4G for UVA, so it might make sense to enable there as well, but lets limit the change to 64bit kernels, indeed.

Nov 15 2021, 4:21 PM · PowerPC, security, arm64
kib added a comment to D27666: Enable ASLR by default for 64-bit executables..

I might write are not changed at this time to suggest this is not necessarily a final decision (in fact, it's not really a decision at all, 32-bit is probably not relevant enough to spend much effort on).

Nov 15 2021, 3:53 PM · PowerPC, security, arm64
mw added a comment to D27666: Enable ASLR by default for 64-bit executables..

As a result, although the tests on 32-bit architectures with ASLR enabled were
mostly on par with what was observed on 64-bit ones, the defaults for the
former are not changed. Also, for the sake of safety keep the feature disabled for 32-bit
executables on 64-bit machines, too.

I might write are not changed at this time to suggest this is not necessarily a final decision (in fact, it's not really a decision at all, 32-bit is probably not relevant enough to spend much effort on).

Nov 15 2021, 3:17 PM · PowerPC, security, arm64
mw updated the summary of D27666: Enable ASLR by default for 64-bit executables..
Nov 15 2021, 3:17 PM · PowerPC, security, arm64
emaste added a comment to D27666: Enable ASLR by default for 64-bit executables..

As a result, although the tests on 32-bit architectures with ASLR enabled were
mostly on par with what was observed on 64-bit ones, the defaults for the
former are not changed. Also, for the sake of safety keep the feature disabled for 32-bit
executables on 64-bit machines, too.

Nov 15 2021, 3:10 PM · PowerPC, security, arm64
mw added a comment to D27666: Enable ASLR by default for 64-bit executables..
In D27666#744905, @kib wrote:

Yes, leave it. I think it is verbose but explicit so that more people can notice that if pointed to.

Nov 15 2021, 2:53 PM · PowerPC, security, arm64
mw updated the summary of D27666: Enable ASLR by default for 64-bit executables..
Nov 15 2021, 2:52 PM · PowerPC, security, arm64
kib added a comment to D27666: Enable ASLR by default for 64-bit executables..

Yes, leave it. I think it is verbose but explicit so that more people can notice that if pointed to.

Nov 15 2021, 2:15 PM · PowerPC, security, arm64
mw added a comment to D27666: Enable ASLR by default for 64-bit executables..
In D27666#744903, @kib wrote:

I suggest also dropping the

In case any change in the OS behavior is observed, that can be possibly
caused by this patch, it is recommended to use freebsd-bugs@freebsd.org
mailing list for reporting and discussing the encountered issue. Also,

wording.

Nov 15 2021, 2:12 PM · PowerPC, security, arm64
kib added a comment to D27666: Enable ASLR by default for 64-bit executables..

I suggest also dropping the

In case any change in the OS behavior is observed, that can be possibly
caused by this patch, it is recommended to use freebsd-bugs@freebsd.org
mailing list for reporting and discussing the encountered issue. Also,

wording.

Nov 15 2021, 1:44 PM · PowerPC, security, arm64
mw updated the summary of D27666: Enable ASLR by default for 64-bit executables..
Nov 15 2021, 10:47 AM · PowerPC, security, arm64

Nov 12 2021

kib added a comment to D27666: Enable ASLR by default for 64-bit executables..

I think it is better to provide short and concise list of potential issues with ASLR, like this:

  • changed ABI due to modified layout of address space
  • address space fragmentation
  • non-reproducable address space layout between runs
  • harder debugging
  • some debuggers automatically disable ASLR for spawned targets, making target' environment different between debug and non-debug runs
Nov 12 2021, 7:50 PM · PowerPC, security, arm64
mw updated the summary of D27666: Enable ASLR by default for 64-bit executables..
Nov 12 2021, 7:28 PM · PowerPC, security, arm64

Nov 4 2021

mw updated the diff for D27666: Enable ASLR by default for 64-bit executables..

Limit setting of __elfN(pie_aslr_enabled) for only 64-bit PIE binaries.

Nov 4 2021, 3:42 PM · PowerPC, security, arm64

Nov 2 2021

mw added inline comments to D27666: Enable ASLR by default for 64-bit executables..
Nov 2 2021, 5:18 PM · PowerPC, security, arm64
dgr_semihalf.com added inline comments to D27666: Enable ASLR by default for 64-bit executables..
Nov 2 2021, 4:06 PM · PowerPC, security, arm64

Oct 29 2021

mw added a comment to D27666: Enable ASLR by default for 64-bit executables..

Hi! Any comments/remarks to the updated version?

Oct 29 2021, 9:33 AM · PowerPC, security, arm64

Oct 25 2021

mw added inline comments to D27666: Enable ASLR by default for 64-bit executables..
Oct 25 2021, 2:09 AM · PowerPC, security, arm64
mw updated the diff for D27666: Enable ASLR by default for 64-bit executables..
Oct 25 2021, 2:05 AM · PowerPC, security, arm64

Oct 23 2021

imp added inline comments to D27666: Enable ASLR by default for 64-bit executables..
Oct 23 2021, 1:11 AM · PowerPC, security, arm64

Oct 22 2021

emaste added inline comments to D27666: Enable ASLR by default for 64-bit executables..
Oct 22 2021, 11:22 PM · PowerPC, security, arm64

Oct 18 2021

mw added a comment to D27666: Enable ASLR by default for 64-bit executables..
In D27666#734443, @mw wrote:

Hi,

I'm refreshing the discussion. The current status is following:

  1. Fixes for the outstanding bugs ntpd (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253208) and Firefox/Thunderbird (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239873) landed on Friday. Hopefully this will cover all cases that might have remained unknown until now.

It seems like a problem with the underlying AS{L}R implementation. HardenedBSD has not needed to make any changes to any application since it completed its PaX-inspired ASLR implementation in 2015. If applications experience issues with FreeBSD's AS{L}R implementation, it'd be safe to assume a problem with the AS{L}R implementation, not the application.

Oct 18 2021, 1:55 PM · PowerPC, security, arm64
lattera-gmail.com added a comment to D27666: Enable ASLR by default for 64-bit executables..
In D27666#734443, @mw wrote:

Hi,

I'm refreshing the discussion. The current status is following:

  1. Fixes for the outstanding bugs ntpd (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253208) and Firefox/Thunderbird (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239873) landed on Friday. Hopefully this will cover all cases that might have remained unknown until now.
Oct 18 2021, 12:09 PM · PowerPC, security, arm64
mw added a comment to D27666: Enable ASLR by default for 64-bit executables..

I'm refreshing the discussion. The current status is following:

  1. PIE enabled by default in 64-builds.
  2. Ports' exp-run issues are fixed (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214864)
  3. Fixes for the outstanding bugs ntpd (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253208) and Firefox/Thunderbird (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239873) landed on Friday. Hopefully this will cover all cases that might have remained unknown until now.
Oct 18 2021, 11:36 AM · PowerPC, security, arm64

Sep 19 2021

kevans added inline comments to D20780: Add support for getting early entropy from the UEFI RNG protocol.
Sep 19 2021, 3:13 AM · csprng, security, arm64

Sep 17 2021

merv_soundabstractions.io added a watcher for security: merv_soundabstractions.io.
Sep 17 2021, 3:48 PM

Sep 6 2021

delphij accepted D20780: Add support for getting early entropy from the UEFI RNG protocol.

Oops, didn't meant to block after the amendment.

Sep 6 2021, 12:58 AM · csprng, security, arm64

Jul 27 2021

imp added inline comments to D20780: Add support for getting early entropy from the UEFI RNG protocol.
Jul 27 2021, 9:02 PM · csprng, security, arm64
greg_unrelenting.technology added inline comments to D20780: Add support for getting early entropy from the UEFI RNG protocol.
Jul 27 2021, 8:30 PM · csprng, security, arm64
imp added inline comments to D20780: Add support for getting early entropy from the UEFI RNG protocol.
Jul 27 2021, 7:42 PM · csprng, security, arm64
markm accepted D20780: Add support for getting early entropy from the UEFI RNG protocol.

Testing this on an RPi4 would be nice, but it's not a dealbreaker.

Jul 27 2021, 7:29 PM · csprng, security, arm64
markm added a project to D20780: Add support for getting early entropy from the UEFI RNG protocol: csprng.
Jul 27 2021, 7:28 PM · csprng, security, arm64
markm added a reviewer for D20780: Add support for getting early entropy from the UEFI RNG protocol: csprng.
Jul 27 2021, 7:26 PM · csprng, security, arm64
greg_unrelenting.technology updated the diff for D20780: Add support for getting early entropy from the UEFI RNG protocol.

Now loading with a separate preload type

Jul 27 2021, 12:15 PM · csprng, security, arm64
greg_unrelenting.technology added inline comments to D20780: Add support for getting early entropy from the UEFI RNG protocol.
Jul 27 2021, 11:36 AM · csprng, security, arm64