Ken Westerback (krw@ when wearing his developer hat) writes:

Monthly paypal donations from the OpenBSD community have made the community the OpenBSD Foundation's first Gold level contributor for 2018!

2018 is the third consecutive year that the community has reached Gold status or better.

These monthly paypal commitments by the community are our most reliable source of funds and thus the most useful for financial planning purposes. We are extremely thankful for the continuing support and hope the community matches their 2017 achievement of Platinum status. Or even their 2016 achievement of Iridium status.

Sign up now for a monthly donation!

Note that Bitcoin contributions have been re-enabled now that our Bitcoin intermediary has re-certified our Canadian paperwork.

https://www.openbsdfoundation.org/donations.html

In this commit, visa@ submitted code (disabled for now) to use built-in acceleration on octeon CPUs, much like AESNI for x86s.

I decided to test tcpbench(1) and IPsec, before and after updating and enabling the octcrypto(4) driver.

The MAP_STACK anti-ROP mechanism described in a recent article has been committed to -current. The commit message includes:

Implement MAP_STACK option for mmap().  Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).

Landry Breuil (landry@ when wearing his developer hat) wrote in…

I've been a huge fan of MPD over the years to centralize my audio collection, and i've been using it with the http output to stream the music as a radio on the computer i'm currently using…

April 2, 2018: The OpenBSD project has announced the availability of the newest release, OpenBSD 6.3:

We are pleased to announce the official release of OpenBSD 6.3.
This is our 44th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

Notable changes include:

• SMP is supported on arm64 platforms.
• amd64 Intel CPU microcode is loaded on boot.
• Many improvements have been made in vmm/vmd.
• Several parts of the network stack now run without KERNEL_LOCK().
• slaacd now generates stable IPv6 stateless autoconfiguration addresses (RFC 7217), and supports any prefix size as required by RFC 4862.
• Multiple security improvements have been made, including Meltdown/Spectre (variant 2) mitigations.
• pledge() has been modified to support "execpromises" (as the second argument).
• Filesystem handling in suspend/hibernate has been improved.

As usual, there are updated versions of OpenSMTPD, OpenSSH, and LibreSSL.

The release page contains a more complete list of changes, and the upgrade page gives recommendations on how to upgrade to the new release.

Recently, Theo de Raadt (deraadt@) described a new type of mitigation he has been working on together with Stefan Kempf (stefan@):

How about we add another new permission!  This is not a hardware
permission, but a software permission.  It is opportunistically
enforced by the kernel.
                                                                                                          
the permission is MAP_STACK.  If you want to use memory as a stack,
you must mmap it with that flag bit.  The kernel does so automatically
for the stack region of a process's stack.  Two other types of stack
occur: thread stacks, and alternate signal stacks.  Those are handled
in clever ways.

When a system call happens, we check if the stack-pointer register
points to such a page.  If it doesn't, the program is killed.  We
have tightened the ABI.  You may no longer point your stack register
at non-stack memory.  You'll be killed.  This checking code is MI, so
it works for all platforms.

For more detail, see Theo's original message.

Mike Larkin (mlarkin@) has just given a presentation at bhyvecon Tokyo 2018.

The slides are now available (as PDF).

In addition to the excellent summary of the state-of-play for vmm and friends, the presentation offers a tantalizing glimpse at possible future directions.

Update: video is available

Good news for people doing upgrades only once per year: syspatches will be provided for both supported releases. The commit from T.J. Townsend (tj@) speaks for itself:

Subject:    CVS: cvs.openbsd.org: www
From:       T.J. Townsend <tj () openbsd ! org>
Date:       2018-03-06 22:09:12

CVSROOT:	/cvs
Module name:	www
Changes by:	tj@cvs.openbsd.org	2018/03/06 15:09:12

Modified files:
	.              : errata61.html stable.html 
	faq            : faq10.html 

Log message:
syspatches will now be provided for both supported releases.

Thanks to all the developers involved in providing these!

Update: An official announcement has been released:

Ken Westerback (krw@) has sent in the first report from the (recently concluded) a2k18 hackathon:

YYZ -> YVR -> MEL -> ZQN -> CHC -> DUD -> WLG -> AKL -> SYD -> BNE -> YVR -> YYZ.

Whew.

Once in Dunedin the hacking commenced. The background was a regular tick of new meltdown diffs to test in addition to whatever work one was actually engaged in. I was lucky (?) in that none of the problems with the various versions cropped up on my laptop.