HardenedBSD issueshttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues2022-08-28T12:57:09Zhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/82Cant compile HardenedBSD kernel with COMPAT_FREEBSD322022-08-28T12:57:09ZMr. UNIXCant compile HardenedBSD kernel with COMPAT_FREEBSD32When I try to compile HardenedBSD 13-STABLE with `COMPAT_FREEBSD32` option enabled I get this error message:
![2022-08-23_22-51](/uploads/5b2a3ea1e6e309021869ac5277832155/2022-08-23_22-51.png)
I got this issue with this commit: https://g...When I try to compile HardenedBSD 13-STABLE with `COMPAT_FREEBSD32` option enabled I get this error message:
![2022-08-23_22-51](/uploads/5b2a3ea1e6e309021869ac5277832155/2022-08-23_22-51.png)
I got this issue with this commit: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/tree/3e3432a706f89785e9f81232835948716822f4a8LoicLoichttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/79Add notion of "insecure kernel module"2024-03-18T18:01:52ZShawn WebbAdd notion of "insecure kernel module"We need to mark certain kernel modules with a notion of "this module may cause security issues." We should add a flag to the KLD API to specify whether to load modules marked as insecure, with a default of disabled.
Some good modules to...We need to mark certain kernel modules with a notion of "this module may cause security issues." We should add a flag to the KLD API to specify whether to load modules marked as insecure, with a default of disabled.
Some good modules to start with:
1. linux.ko
1. linux32.ko
1. smbfs.ko
1. accf_http.koShawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/78Force enable -ftrivial-auto-var-init=zero in base2022-10-28T12:20:48ZShawn WebbForce enable -ftrivial-auto-var-init=zero in baseInstead of relying on a set of CFLAGs that may change arbitrarily, go ahead and force trivial-auto-var-init to zero. This way, anything that uses clang from base will gain the feature.Instead of relying on a set of CFLAGs that may change arbitrarily, go ahead and force trivial-auto-var-init to zero. This way, anything that uses clang from base will gain the feature.Shawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/77IPFW not loading2022-12-03T18:05:27ZUlas SAYGINIPFW not loadingwhen i want to load ipfw by service ipfw onestart command it gives error below and logs.
is hardenedbsd deleted ipfw from base system? i didnt compile custom kernel. everything is normal.
```
# service ipfw onestart
kldload: an error o...when i want to load ipfw by service ipfw onestart command it gives error below and logs.
is hardenedbsd deleted ipfw from base system? i didnt compile custom kernel. everything is normal.
```
# service ipfw onestart
kldload: an error occurred while loading module ipfw. Please check dmesg(8) for more details.
/etc/rc.d/ipfw: WARNING: Unable to load kernel module ipfw
```
logs.
```
Mar 13 06:48:02 root[81563]: /etc/rc.d/ipfw: WARNING: Unable to load kernel module ipfw
Mar 13 06:48:02 kernel: [53100] KLD ipfw.ko: depends on kernel - not available or version mismatch
Mar 13 06:48:02 kernel: [53100] linker_load_file: /boot/kernel/ipfw.ko - unsupported file type
```https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/76[SOLVED] ghci cannot start2022-03-12T12:03:06ZMr. UNIX[SOLVED] ghci cannot startI have this problem with Haskell Interpreter (GHCI), When I start it it crashes immediately and I get this:
```
~ | ghci
GHCi, version 8.10.7: https://www.haskell.org/ghc/ :? for help
ghc: internal error: setExecutable: failed to prote...I have this problem with Haskell Interpreter (GHCI), When I start it it crashes immediately and I get this:
```
~ | ghci
GHCi, version 8.10.7: https://www.haskell.org/ghc/ :? for help
ghc: internal error: setExecutable: failed to protect 0x0x2928c5f0000
(GHC version 8.10.7 for x86_64_portbld_freebsd)
Please report this as a GHC bug: https://www.haskell.org/ghc/reportabug
zsh: abort (core dumped) ghci
~ |
```https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/75dbopen(3): Develop mechanism for cfi-icall-safe function pointer calls2023-11-30T22:43:41ZShawn Webbdbopen(3): Develop mechanism for cfi-icall-safe function pointer callsThe `dbopen(3)` API (and ABI) present issues with the cfi-icall scheme. Function pointers are stuffed into a structure whereby the function pointers usually point to functions in libc. This presents a problem since we don't support Cross...The `dbopen(3)` API (and ABI) present issues with the cfi-icall scheme. Function pointers are stuffed into a structure whereby the function pointers usually point to functions in libc. This presents a problem since we don't support Cross-DSO CFI, causing the CFI checks to fail on an uninstrumented function pointer address.
```
typedef struct {
DBTYPE type;
int (*close)(DB *db);
int (*del)(const DB *db, const DBT *key, u_int flags);
int (*fd)(const DB *db);
int (*get)(const DB *db, const DBT *key, DBT *data, u_int flags);
int (*put)(const DB *db, DBT *key, const DBT *data,
u_int flags);
int (*sync)(const DB *db, u_int flags);
int (*seq)(const DB *db, DBT *key, DBT *data, u_int flags);
} DB;
```
The `dbopen(3)` function sets these function pointers to functions within libc. Applications are expected to call these function pointers directly.
We can solve this in one of two ways:
1. Provide wrapper functions in libc that calls the function pointers.
1. Provide wrapper functions in `sa(8)` that calls the function pointers. These wrapper functions would need to have cfi-icall disabled.
Option 1 is likely the best route to go. Ideally, applications wouldn't want to access this ABI at all since changes to it (which are unlikely) could cause ripples downstream.Shawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/73Reject execve when new argc is zero2022-10-28T12:21:14ZShawn WebbReject execve when new argc is zeroOpenBSD has this nifty hardening feature whereby they disallow execve when the new executable image has zero arguments. I like that idea. We should make execve return EPERM when the argument count is zero.OpenBSD has this nifty hardening feature whereby they disallow execve when the new executable image has zero arguments. I like that idea. We should make execve return EPERM when the argument count is zero.Shawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/71Deorbit Intel SGX support2022-03-15T16:27:28ZShawn WebbDeorbit Intel SGX supportIntel is deprecating SGX support in 11th and 12th gen CPUs. And for good reason.Intel is deprecating SGX support in 11th and 12th gen CPUs. And for good reason.LoicLoichttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/68/etc/motd is not updated at boot2021-12-03T13:52:27ZCarlos Lopez/etc/motd is not updated at bootGood morning,
/etc/motd is not updated at boot under HardenedBSD 13-STABLE.
Running “sh -x /etc/rc.d/motd start” returns:
+ [ start '!=' start ]
+ [ -n update_motd -a start '!=' rcvar -a start '!=' stop -a start '!=' delete -a start '...Good morning,
/etc/motd is not updated at boot under HardenedBSD 13-STABLE.
Running “sh -x /etc/rc.d/motd start” returns:
+ [ start '!=' start ]
+ [ -n update_motd -a start '!=' rcvar -a start '!=' stop -a start '!=' delete -a start '!=' enable -a start '!=' describe ]
+ checkyesno update_motd
+ eval '_value=$update_motd'
+ _value=YES
+ debug 'checkyesno: update_motd is set to YES.'
+ return 0
+ [ start '=' start -a -z '' -a -n '' ]
+ eval '_cmd=$start_cmd' '_precmd=$start_precmd' '_postcmd=$start_postcmd'
+ _cmd=motd_start _precmd='' _postcmd=''
+ [ -n motd_start ]
+ [ -n '' ]
+ _run_rc_precmd
+ check_required_before start
+ local _f
+ return 0
+ [ -n '' ]
+ check_required_after start
+ local _f _args
+ return 0
+ return 0
+ _run_rc_doit 'motd_start '
+ debug 'run_rc_command: doit: motd_start '
+ eval 'motd_start '
+ motd_start
+ check_startmsgs
+ [ -n '' ]
+ return 0
+ echo -n 'Updating motd:'
Updating motd:+ [ ! -f /etc/motd.template ]
+ mktemp -t motd
+ T=/tmp/motd.CgZi7Rlv
+ uname -v
+ sed -e 's,^\([^#]*\) #\(.* [1-2][0-9][0-9][0-9]\).*/\([^\]*\) $,\1 (\3) #\2,'
+ awk '{if (NR == 1) {if ($1 == "FreeBSD" || $1 == "HardenedBSD") {next} else {print "\n"$0}} else {print}}'
eval: cannot open /etc/motd: No such file or directory
+ install -C -o root -g wheel -m 644 /tmp/motd.CgZi7Rlv /var/run/motd
+ rm -f /tmp/motd.CgZi7Rlv
+ check_startmsgs
+ [ -n '' ]
+ return 0
+ echo .
.
+ _return=0
+ [ 0 -ne 0 ]
+ return 0
+ _run_rc_postcmd
+ [ -n '' ]
+ return 0
+ return 0LoicLoichttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/67Hbsd update kernel update.2021-10-03T20:07:33ZMaxime GuilleminHbsd update kernel update.I think Jenkins (or me) built the wrong kernel, I applied it doing hbsd-update install.
Old :
![IMG_20210928_005142](/uploads/16fa7e2d160840b959916c1549785407/IMG_20210928_005142.jpg)
New:
![IMG_20210928_010920](/uploads/3238f30eefd182...I think Jenkins (or me) built the wrong kernel, I applied it doing hbsd-update install.
Old :
![IMG_20210928_005142](/uploads/16fa7e2d160840b959916c1549785407/IMG_20210928_005142.jpg)
New:
![IMG_20210928_010920](/uploads/3238f30eefd1829037d948893b423566/IMG_20210928_010920.jpg)https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/66Address WITH_LLVM_BINUTILS fallout2023-03-29T18:59:41ZShawn WebbAddress WITH_LLVM_BINUTILS falloutWith commit 8da1f6e996c50106ee646dd4180616bb658c8eb9, we switched to using a full compiler toolchain for not only base, but ports. We see some issues with llvm-objcopy in [this](http://ci-08.md.hardenedbsd.org/build.html?mastername=harde...With commit 8da1f6e996c50106ee646dd4180616bb658c8eb9, we switched to using a full compiler toolchain for not only base, but ports. We see some issues with llvm-objcopy in [this](http://ci-08.md.hardenedbsd.org/build.html?mastername=hardenedbsd-current_amd64-local&build=2021-09-13_14h34m33s) package build.
This issue is to track fixing those issues. My initial plan is to study llvm-objcopy, looking for the specific errors outputted in the build log of a few failing ports. [This](http://ci-08.md.hardenedbsd.org/data/hardenedbsd-current_amd64-local/2021-09-13_14h34m33s/logs/errors/perl5-5.32.1_1.log) is a good example of a port broken by llvm-objcopy.Shawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/65Malloc_domainset_aligned2021-12-08T05:02:11ZMaxime GuilleminMalloc_domainset_alignedI encountered a problem with the installation of hardenedbsd on my machine.
After selecting "boot multiuser" I have a panic :
panic : malloc_domainset_aligned : align 0x8000 (size0xc00) too large.
Cpuid =0
Time =1
My conf :
Intel cor...I encountered a problem with the installation of hardenedbsd on my machine.
After selecting "boot multiuser" I have a panic :
panic : malloc_domainset_aligned : align 0x8000 (size0xc00) too large.
Cpuid =0
Time =1
My conf :
Intel core 2 quad Cpu q9300
8g ram ddr2
Asus p5k premium motherboard
1to hd
250 go ssd
Installation is good on freebsd amd64 image.
Really frustrating 😉LoicLoichttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/63Connexion to git.hardenedbsd.org2021-09-12T00:04:31ZMaxime GuilleminConnexion to git.hardenedbsd.orgI am not able to connect form firefox installed on HardenedBSD.
I succeded on my mobile phone, same network or not.
EDIT : My bad, the timezone, wasn't set on my PcI am not able to connect form firefox installed on HardenedBSD.
I succeded on my mobile phone, same network or not.
EDIT : My bad, the timezone, wasn't set on my Pchttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/62Thunderbird segfault2021-09-10T16:09:28ZMaxime GuilleminThunderbird segfaultHi,
Thunderbird segfaults until you disable mprotect with hbsdcontrol.Hi,
Thunderbird segfaults until you disable mprotect with hbsdcontrol.Shawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/60Bring in liblattzfs2021-10-01T18:04:09ZShawn WebbBring in liblattzfsshawn.webb/liblattzfs> is a little shim around libzfs to make it easy for out-of-tree applications to make use of ZFS (hbsdmon is my use case). For now, liblattzfs only supports getting the status of a ZFS pool, but that's all we need.shawn.webb/liblattzfs> is a little shim around libzfs to make it easy for out-of-tree applications to make use of ZFS (hbsdmon is my use case). For now, liblattzfs only supports getting the status of a ZFS pool, but that's all we need.Shawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/59[13-stable amd64] pkg fails to update the HardenedBSD repository2021-08-16T15:39:42Zh3artbl33d[13-stable amd64] pkg fails to update the HardenedBSD repositoryInstalled a fresh VM with 13-stable (amd64), upon bootstrapping `pkg` it errors with the following lines:
```
# pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: ...Installed a fresh VM with 13-stable (amd64), upon bootstrapping `pkg` it errors with the following lines:
```
# pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:13:amd64, please wait...
Verifying signature with trusted certificate pkg.hardenedbsd.org.2014-09-04... done
Installing pkg-1.17.1...
Extracting pkg-1.17.1: 100%
Updating HardenedBSD repository catalogue...
Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
Fetching packagesite.pkg: 100% 6 MiB 2.2MB/s 00:03
pkg: No signature found
Unable to update repository HardenedBSD
Error updating repositories!
```
I am not familiar with the `pkg` internals; how are the signatures distributed?Shawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/57hbsd-update: Provide a "download only" option2021-07-10T18:55:45ZShawn Webbhbsd-update: Provide a "download only" optionMake it easy to simply download the update archive and not do anything with it, not even extracting it. This will enable a user to be able to inspect the archive and manually apply parts of it if needed.Make it easy to simply download the update archive and not do anything with it, not even extracting it. This will enable a user to be able to inspect the archive and manually apply parts of it if needed.LoicLoichttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/56Hook llvm-ar into the tools bootstrap2021-10-01T18:04:28ZShawn WebbHook llvm-ar into the tools bootstrapWhen building base, we use the system llvm-ar. This can cause issues when the LLVM IR bitcode has been modified (and the bitcode version number bumped) and we build static/shared libraries in base with LTO.
FreeBSD recently merged llvm ...When building base, we use the system llvm-ar. This can cause issues when the LLVM IR bitcode has been modified (and the bitcode version number bumped) and we build static/shared libraries in base with LTO.
FreeBSD recently merged llvm 12.0.0 into base in 14-CURRENT. The LLVM IR bitcode spec and implementation was modified. clang had outputted object files that contained the newer bitcode. The system llvm-ar (which is at 11.0), naturally, didn't understand the new bitcode, causing a failure.
The way to solve this chicken-and-egg scenario is to include llvm-ar in the bootstrap-tools stage in `buildworld`. As of the time of writing this bug report, I made a naive attempt at hooking llvm-ar into the bootstrap-tools. The attempt failed due to llvm-ar needing to pull in the full libllvm, rather than the libllvmminimal that the bootstrap-tools installs.
Right now, in 14-CURRENT, the system must be build with MK_LTOLIB disabled for the first build. The second build can re-enable MK_LTOLIB (since the updated system has the new version of llvm-ar).Shawn WebbShawn Webbhttps://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/55hbsd-update -r /path/to/empty/directory fails2022-01-16T08:19:35ZSylvie Rinnerhbsd-update -r /path/to/empty/directory failsI'm trying to use hbsd-update to bootstrap some jails, but it looks like it's broken for this usecase at the moment.
When I simply run `hbsd-update -r /jails/something`, where `/jails/something` is an empty directory, I get the followin...I'm trying to use hbsd-update to bootstrap some jails, but it looks like it's broken for this usecase at the moment.
When I simply run `hbsd-update -r /jails/something`, where `/jails/something` is an empty directory, I get the following error and the whole process is aborted:
```
cp: /jails/something/boot/kernel: No such file or directory
```
Based on the man page stating that `-r` does not need to point to an existing installation, I'd expect this to work.
It does get a little but further when I specify `-n` to skip installing the kernel (which I actually wanted in this case). Then it fails with:
```
./usr/libexec/dwatch/proc-exec: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-signal-clear: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-status: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-signal-discard: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-exec-failure: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-exec-success: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-signal: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-signal-send: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-exit: Hard-link target './usr/libexec/dwatch/proc' does not exist.
./usr/libexec/dwatch/proc-create: Hard-link target './usr/libexec/dwatch/proc' does not exist.
```
I have no idea how to debug that or if there maybe is a flag I'm missing that would make it work.
My jail host system is fully updated as far as I can tell:
```
[+] Local version: hbsd-v1300061-5dbd0eeaab8b687ee5ec183cb7e782ae24cd550b
[+] Remote version: hbsd-v1300061-5dbd0eeaab8b687ee5ec183cb7e782ae24cd550b sha256 c956d5804d66408dd99cdb23efeada556bf907a678d71dbeaa7ceed6bdb4ae78
```https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/50Improve EFI framebuffer startup2022-02-03T19:45:19ZLoicImprove EFI framebuffer startupThe EFI framebuffer boot in FreeBSD (so HardenedBSD) often crashes on modern computers:
![20210517_162746](/uploads/2ed672f6d1d13403b2076d9a6bb109bf/20210517_162746.jpg)
See: [Bug 255208](https://bugs.freebsd.org/bugzilla/show_bug.cgi?i...The EFI framebuffer boot in FreeBSD (so HardenedBSD) often crashes on modern computers:
![20210517_162746](/uploads/2ed672f6d1d13403b2076d9a6bb109bf/20210517_162746.jpg)
See: [Bug 255208](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209821#c35)
OpenBSD does not have this problem, we should see if we can borrow a solution.LoicLoic