Re: amd64 OpenBSD 6.2 doesn't see hard disks when controller in RAID mode

2017-10-10 Thread nanaya
Hi,

On Wed, Oct 11, 2017, at 12:28, Eric Furman wrote:
> 
> I disagree, but that's just my opinion.
> And just because something is "a default BIOS configuration in all
> modern desktop computers" doesn't mean it's a good thing.
> 

To add another case in point: at least on his system (HP Z230) it's an
option at all. I haven't tried OpenBSD yet, but illumos has a similar
problem on my HP Z210 (an older version of the same series) in RAID mode. The
only options available in the BIOS are IDE or RAID mode.



Re: amd64 OpenBSD 6.2 doesn't see hard disks when controller in RAID mode

2017-10-10 Thread Eric Furman
On Tue, Oct 10, 2017, at 04:29 PM, Rostislav Krasny wrote:
> I think it's worth supporting. The RAID mode of the storage
> controller seems to be a default BIOS configuration in all modern
> desktop computers. I think most desktop users don't configure any real
> RAID and continue to use their disks as separate devices. If at least
> this RAID configuration is supported it would be great progress.

I disagree, but that's just my opinion.
And just because something is "a default BIOS configuration in all
modern desktop computers" doesn't mean it's a good thing.



Re: How to allow __set_tcb in pledge

2017-10-10 Thread Stephane Martin
Thank you for your answer!

On 6 Oct 2017 at 20:13 +0200, Theo de Raadt wrote:
> > I'm trying to use pledge to protect a go program.
> >
> > The exec aborts with abort trap: core dump
> >
> > Ktrace and /var/log/messages say that the __set_tcb
> > syscall is denied.
> >
> > Can I configure pledge to allow such syscall ?
>
> In post-6.2, this is now allowed. It wasn't allowed earlier
> due to an oversight.

After recompiling the kernel from 6.2-stable, there is no such problem anymore.

> > (Same question for mlock and mlockall)
>
> Uhm, those are not going to be allowed. They are precisely the
> type of operations you should do before pledge.

OK, it makes sense to set up the memory protection beforehand indeed.

Now I've got another problem:

- golang tries to set default socket options (see sockopt_bsd.go in the go source)
such as:
syscall.SetsockoptInt(s, syscall.IPPROTO_IPV6, syscall.IPV6_V6ONLY, boolint(ipv6only))

- Boom, core dump with pledge.

- And the pledge source code has that cute « notyet » thingie:

#ifdef notyet
                case IPV6_V6ONLY:
#endif

What does that mean?...

Regards,
Stephane
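As an added illustration of the ordering Theo's reply calls for (this is not code from the thread, from the Go runtime, or from OpenBSD's pledge sources): a C setup routine that applies the IPV6_V6ONLY socket option Go's net package sets by default and mlock(2)s a key buffer before the process pledges, so that neither call happens after the promise set is in place. pledge(2) only exists on OpenBSD; on other hosts the block substitutes a no-op stand-in (drop_to_pledge, a hypothetical name) so the sequence still builds and runs. The promise string "stdio inet" and the 32-byte key buffer are assumptions made for the example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

#ifdef __OpenBSD__
/* Real pledge(2): once it returns, mlock(2)/mlockall(2) are refused and, in
 * 6.2, so is setsockopt(IPV6_V6ONLY) (the "notyet" case quoted above). */
static int drop_to_pledge(void)
{
	return pledge("stdio inet", NULL);   /* assumed promise set */
}
#else
/* Hypothetical stand-in for non-OpenBSD hosts: no syscall filter is applied,
 * so the example still builds and runs (e.g. on Linux) to show the ordering. */
static int drop_to_pledge(void)
{
	return 0;
}
#endif

/* Outcome of each step, so a caller or test can inspect what happened. */
struct setup_result {
	int fd;         /* socket descriptor, or -1 on failure */
	int v6only;     /* IPV6_V6ONLY read back via getsockopt(2); -1 if not AF_INET6 */
	int locked;     /* 1 if mlock(2) succeeded */
	int lock_errno; /* errno from mlock(2) when it failed, else 0 */
	int pledged;    /* 1 once drop_to_pledge() succeeded */
};

/* Correct ordering: every call pledge would refuse runs first; pledge is the
 * last step before the program's main loop. Doing step 1 or 2 after step 3 is
 * what produces the "abort trap (core dumped)" described above. */
struct setup_result setup_before_pledge(unsigned char *secret, size_t len)
{
	struct setup_result r = { -1, -1, 0, 0, 0 };
	int on = 1;
	socklen_t olen = sizeof(on);

	r.fd = socket(AF_INET6, SOCK_STREAM, 0);
	if (r.fd == -1 && errno == EAFNOSUPPORT)   /* host without IPv6 support */
		r.fd = socket(AF_INET, SOCK_STREAM, 0);
	if (r.fd == -1)
		return r;

	/* 1. Socket options: the same default Go's sockopt_bsd.go applies. */
	if (setsockopt(r.fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) == 0 &&
	    getsockopt(r.fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, &olen) == 0)
		r.v6only = on;

	/* 2. Pin key material now; mlock is not available after pledge. */
	if (mlock(secret, len) == 0)
		r.locked = 1;
	else
		r.lock_errno = errno;

	/* 3. Only now restrict the process. */
	if (drop_to_pledge() == 0)
		r.pledged = 1;
	return r;
}

/* Convenience check: did the privileged setup complete before the pledge? */
int setup_ok(void)
{
	unsigned char key[32] = { 0 };      /* constructed placeholder key buffer */
	struct setup_result r = setup_before_pledge(key, sizeof(key));
	int ok = r.fd >= 0 && r.pledged &&
	    (r.v6only == 1 || r.v6only == -1);  /* -1 only on the AF_INET fallback */
	if (r.fd >= 0)
		close(r.fd);
	return ok;
}

int main(void)
{
	printf("setup before pledge: %s\n", setup_ok() ? "ok" : "failed");
	return 0;
}
```

The mlock(2) result is recorded rather than treated as fatal because its success depends on the memlock resource limit of the environment; the point of the block is that the call is placed before, never after, the pledge.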


Re: 6.2 starts nsd before slaacd binds ipv6 address

2017-10-10 Thread Florian Obser
On Mon, Oct 09, 2017 at 06:31:06PM +, lists+m...@ggp2.com wrote:
> Hello all -
> 
> I don't feel this warrants a bug report, but nevertheless feel that this
> behavior is inconsistent with the way dhclient works.  I have a vultr

there is a school of thought that says dhclient should not delay the
boot process until it has a lease (or times out after what? 30
seconds?)

> server running nsd/OpenBSD 6.2, and I suspect that the move to slaacd
> from kernel code in 6.1 is what has broken my nsd config (it fails to
> start on boot now).

sure, you got lucky before: the kernel did the stateless address
auto configuration dance faster and won the race against nsd.
slaacd is losing. But if your router solicitations had been
delayed nsd might have won the race against the kernel...

> 
> Vultr uses dhcp/autoconf for ipv4/ipv6, and nsd worked perfectly on

Uhm, no. vultr *supports* dhcp/autoconf. But they assign a static v4
address and a v6 /64 subnet from which you are free to choose any
address(es) you want.
They tell you that you get your gateway from router advertisements in
v6.

> OpenBSD 6.1.  In my nsd.conf, I specify the outbound ipv4/ipv6
> addresses, and the idea is that the interface addresses are assigned
> before nsd is started.  This was the case in oBSD 6.1.  However, in 6.2,
> it seems that slaacd is assigning the ipv6 address after nsd starts.
> This leads to error messages such as:
> 
> nsd[15166]: xfrd: could not bind source address:port to socket: Can't assign 
> requested address
> 
> I've gotten around this by using the ipv4 address for xfr's, and having
> nsd listen on ::1@8053 (unbound has :53) for ipv6 & redirecting with pf.

I would suggest using static IPs for servers as a better
workaround.

Also note that vultr gives you a full /64 v6 subnet, no
need to dick around with different port numbers.
Of course depends on what you are doing...

> 
> I *think* the proper behavior should be that daemons wait on slaacd to
> attempt to solicit/bind first, similar to dhclient.
> 

ah, but it's not the daemons that wait, dhclient is delaying.

> I do admit that I've been tinkering with ipv6 a lot lately and twisting
> all the knobs, but hopefully this is helpful info as we transition more
> ipv6 dominant internet.
> 

-- 
I'm not entirely sure you are real.
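The failure mode in the quoted nsd log, as an added example (not code from nsd, slaacd or this thread): a small C routine that binds a socket to a configured source address and, while the kernel answers EADDRNOTAVAIL ("Can't assign requested address", i.e. the address is not on any interface yet), waits and retries for a bounded number of attempts instead of failing at startup. The retry budget, the delay and the addresses used by the demo driver (127.0.0.1, and 192.0.2.1 from the TEST-NET-1 documentation range, constructed here to stand in for an address that never gets assigned) are assumptions. The static addressing suggested in the reply avoids the race altogether; this shows what a daemon can do when it must bind an address that may arrive late.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Bind fd to addr:port. While bind(2) fails with EADDRNOTAVAIL, the address
 * simply is not configured on any interface yet (slaacd or dhclient may still
 * be working on it), so sleep delay_ms and try again, up to max_attempts.
 * Returns the attempt number that succeeded (>= 1), or -1 with errno set. */
int bind_wait_for_address(int fd, const char *addr, unsigned short port,
    int max_attempts, unsigned delay_ms)
{
	struct sockaddr_in sin;
	struct timespec ts;
	int attempt;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
		errno = EINVAL;
		return -1;
	}
	ts.tv_sec = delay_ms / 1000;
	ts.tv_nsec = (long)(delay_ms % 1000) * 1000000L;

	for (attempt = 1; attempt <= max_attempts; attempt++) {
		if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == 0)
			return attempt;
		if (errno != EADDRNOTAVAIL)   /* any other error is permanent */
			return -1;
		nanosleep(&ts, NULL);
	}
	errno = EADDRNOTAVAIL;            /* budget exhausted, address never came */
	return -1;
}

/* Demo driver: returns the attempt count for a present address (127.0.0.1)
 * and -1 for an address that is never assigned (192.0.2.1, constructed). */
int demo_bind(const char *addr)
{
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	int rc;

	if (fd == -1)
		return -1;
	rc = bind_wait_for_address(fd, addr, 0, 3, 20);   /* port 0: any free port */
	close(fd);
	return rc;
}

int main(void)
{
	printf("127.0.0.1: bound after %d attempt(s)\n", demo_bind("127.0.0.1"));
	printf("192.0.2.1: %d (expected -1, %s)\n", demo_bind("192.0.2.1"),
	    strerror(EADDRNOTAVAIL));
	return 0;
}
```

A real daemon would take the address, budget and delay from its configuration and would log each retry, so that an address that never arrives shows up in the logs as a sequence of waits rather than a single bind error at boot.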



Re: amd64 OpenBSD 6.2 doesn't see hard disks when controller in RAID mode

2017-10-10 Thread Rostislav Krasny
I think it's worth supporting. The RAID mode of the storage
controller seems to be a default BIOS configuration in all modern
desktop computers. I think most desktop users don't configure any real
RAID and continue to use their disks as separate devices. If at least
this RAID configuration is supported it would be great progress.

BTW, I'm attaching the dmesg output from booting the 6.2 installation
media in RAID mode.

On Tue, Oct 10, 2017 at 10:08 PM, Theo de Raadt  wrote:
> This is kind of intentional, since no one has put effort into making
> softraid understand the disk-binding logic found in the BIOS-RAID
> sectors.  Maybe we should reconsider, dunno.
>
>> I've just tried to install amd64 OpenBSD 6.2 and it doesn't see the
>> hard disks when the controller is in RAID mode (BIOS configuration). If I
>> change it to AHCI mode (in the BIOS) it can see them.
>>
>> Although I don't use the RAID capabilities I can't switch to AHCI mode,
>> because Windows 7 was installed when the storage controller was in
>> RAID mode (the default in my BIOS).
>>
>> Is it a known bug/limitation? Various Linuxes and FreeBSD 11.1 work
>> properly with my disk controller and see all the disks, even in RAID
>> mode.
>>
>> My hardware:
>> HP Z230 desktop with Intel C226 chipset, Intel Core i7 4790 CPU and 16
>> GB of RAM.
>> Hard disks:
>> [1] 238GB SanDisk SD8SBAT256G1122 (SSD)
>> [2] 931GB Western Digital WDC WD10EZEX-60M2NA0 (SATA)
>>
>> Installation media:
>> install62.fs flashed on a USB drive.
OpenBSD 6.2 (RAMDISK_CD) #132: Tue Oct  3 21:26:51 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 16835059712 (16055MB)
avail mem = 16321089536 (15565MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xc08d2018 (85 entries)
bios0: vendor Hewlett-Packard version "L51 v01.55" date 10/18/2016
bios0: Hewlett-Packard HP Z230 Tower Workstation
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC FPDT SSDT SSDT SSDT MCFG HPET SSDT SSDT SSDT SLIC 
MSDM ASF! TCPA DMAR
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz, 3592.14 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 3592143080 Hz
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP04)
acpiprt3 at acpi0: bus -1 (P0P2)
acpiprt4 at acpi0: bus -1 (PEG0)
acpiec0 at acpi0: not present
acpicpu at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpitz at acpi0 not configured
acpitz at acpi0 not configured
"INT3F0D" at acpi0 not configured
"PNP0F03" at acpi0 not configured
"IFX0102" at acpi0 not configured
"PNP0C0C" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x06
"Intel HD Graphics 4600" rev 0x06 at pci0 dev 2 function 0 not configured
"Intel Core 4G HD Audio" rev 0x06 at pci0 dev 3 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel 8 Series xHCI" rev 0x05: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
em0 at pci0 dev 25 function 0 "Intel I217-LM" rev 0x05: msi, address 
c4:34:6b:5c:cc:16
ehci0 at pci0 dev 26 function 0 "Intel 8 Series USB" rev 0x05: apic 2 int 16
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
"Intel 8 Series HD Audio" rev 0x05 at pci0 dev 27 function 0 not configured
ppb0 at pci0 dev 28 function 0 "Intel 8 Series PCIE" rev 0xd5: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 3 "Intel 8 Series PCIE" rev 0xd5: msi
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 "ITExpress IT8893E PCIE-PCI" rev 0x52
pci3 at ppb2 bus 3
ehci1 at pci0 dev 29 function 0 "Intel 8 Series USB" rev 0x05: apic 2 int 23
usb2 at ehci1: USB revision 2.0
uhub2 at usb2 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
"Intel C226 LPC" rev 0x05 at pci0 dev 31 function 0 not configured
pciide0 at pci0 dev 31 function 2 "Intel 82801H RAID" rev 0x05: DMA, channel 0 
wired to native-PCI, 

Re: ftp.eu.openbsd.org

2017-10-10 Thread Juan Francisco Cantero Hurtado
On Tue, Oct 10, 2017 at 08:08:56PM +0200, Tony Sarendal wrote:
> Not looking so good.
> 
> tonsar@jump0.swe1$ ftp ftp.eu.openbsd.org
> Trying 193.156.26.18...
> Connected to ftp.eu.openbsd.org (193.156.26.18).
> 220 jj-prod-obsdmirror.inet6.se FTP server ready.
> Name (ftp.eu.openbsd.org:tonsar): ftp
> 331 Guest login ok, send your email address as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 227 Entering Passive Mode (192,168,0,13,204,157)
> ^C

$ ftp ftp.eu.openbsd.org
Trying 193.156.26.18...
Connected to ftp.eu.openbsd.org.
220 jj-prod-obsdmirror.inet6.se FTP server ready.
Name (ftp.eu.openbsd.org:juanfra): anonymous
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 16
drwxr-xr-x  56 1001  5000  1024 Oct 10 20:31 OpenBSD
lrwxr-xr-x   1 0 11 Aug 21 08:35 pub -> .
226 Transfer complete.

Run the ftp client with the passive mode enabled. It's the default on
OpenBSD.


-- 
Juan Francisco Cantero Hurtado http://juanfra.info



Re: Trouble with VMM/VMD

2017-10-10 Thread Carlos Cardenas
On 10/10/17 11:57, Roar Waagsbø wrote:
> Hi.
> 
> Sorry.
> 
> It's my first report.
> 
> I'm not even sure it's a bug or if it's me doing something wrong.
> 
> The logs aren't saying much either, besides the one line I posted.
> 
> Roar
> 
> On Oct 10, 2017 5:21 PM, "Mike Larkin"  wrote:
> 
>> On Tue, Oct 10, 2017 at 02:39:05PM +0200, Roar Waagsbø wrote:
>>> Hi.
>>>
>>> I started using OpenBSD a while back and I was told on #openbsd@freenode
>>> that vmm was the way to go, and not to use qemu.
>>>
>>> I want to use OpenBSD on my host machine.
>>>
>>> I set up two VMs and it worked fine.
>>>
>>> After about a week I noticed that one of my VMs was shut down.
>>>
>>> I started it back up again and didn't give it much thought.
>>>
>>> After a few days my other VM was shut down.
>>>
>>> Then after a few days again both my VMs were shut down.
>>>
>>> Today I upgraded the host to a new -current snapshot (10/10/2017)
>>>
>>> And when I start my VM now, it says that it starts successfully, then
>>> after a few seconds it is shut down again.
>>>
>>> I started vmd with -d (tried -dv but it said that -v wasn't an option,
>>> even though man vmd says so)
>>>
>>> And the only thing /var/log/daemon says was:
>>>
>>> vmd2: vm2 even trhead exited unexpectedly.
>>>
>>> Am I missing something?
>>>
>>> Or am I doing anything wrong?
>>>
>>> Regards Roar
>>
>> Your bug report is horrible.
>>
>> man sendbug
>>
>> -ml
>>

Roar,

Let's start with this:
* You said you are running -current (2017-10-10), which architecture (amd64 or i386)? A dmesg would be good.
* What are your VM params (i.e. how did you start them)? Do you have a vm.conf file you can share?
* What guest VMs are you running?
* How many vmd's are you running? (asking because of the "vmd2: " line) There should be only one.

If you are going to run vmd in the foreground, make sure no other vmd instances 
are running.

I don't understand your comment about '-v' since not only is it present in the 
usage of vmd but also
in the man page (man vmd).

los@rollo:% doas vmd -h
vmd: unknown option -- h
usage: vmd [-dnv] [-D macro=value] [-f file]

Either way, run vmd in the foreground with '-dvvv' as in:
doas vmd -dvvv

Once you're able to share all of that info then we can start the process of 
troubleshooting.

+--+
Carlos



Re: amd64 OpenBSD 6.2 doesn't see hard disks when controller in RAID mode

2017-10-10 Thread Theo de Raadt
This is kind of intentional, since no one has put effort into making
softraid understand the disk-binding logic found in the BIOS-RAID
sectors.  Maybe we should reconsider, dunno.

> I've just tried to install amd64 OpenBSD 6.2 and it doesn't see the
> hard disks when the controller is in RAID mode (BIOS configuration). If I
> change it to AHCI mode (in the BIOS) it can see them.
> 
> Although I don't use the RAID capabilities I can't switch to AHCI mode,
> because Windows 7 was installed when the storage controller was in
> RAID mode (the default in my BIOS).
> 
> Is it a known bug/limitation? Various Linuxes and FreeBSD 11.1 work
> properly with my disk controller and see all the disks, even in RAID
> mode.
> 
> My hardware:
> HP Z230 desktop with Intel C226 chipset, Intel Core i7 4790 CPU and 16
> GB of RAM.
> Hard disks:
> [1] 238GB SanDisk SD8SBAT256G1122 (SSD)
> [2] 931GB Western Digital WDC WD10EZEX-60M2NA0 (SATA)
> 
> Installation media:
> install62.fs flashed on a USB drive.
> 



Re: Trouble with VMM/VMD

2017-10-10 Thread Roar Waagsbø
Hi.

Sorry.

It's my first report.

I'm not even sure it's a bug or if it's me doing something wrong.

The logs aren't saying much either, besides the one line I posted.

Roar

On Oct 10, 2017 5:21 PM, "Mike Larkin"  wrote:

> On Tue, Oct 10, 2017 at 02:39:05PM +0200, Roar Waagsbø wrote:
> > Hi.
> >
> > I started using OpenBSD a while back and I was told on #openbsd@freenode
> > that vmm was the way to go, and not to use qemu.
> >
> > I want to use OpenBSD on my host machine.
> >
> > I set up two VMs and it worked fine.
> >
> > After about a week I noticed that one of my VMs was shut down.
> >
> > I started it back up again and didn't give it much thought.
> >
> > After a few days my other VM was shut down.
> >
> > Then after a few days again both my VMs were shut down.
> >
> > Today I upgraded the host to a new -current snapshot (10/10/2017)
> >
> > And when I start my VM now, it says that it starts successfully, then
> > after a few seconds it is shut down again.
> >
> > I started vmd with -d (tried -dv but it said that -v wasn't an option,
> > even though man vmd says so)
> >
> > And the only thing /var/log/daemon says was:
> >
> > vmd2: vm2 even trhead exited unexpectedly.
> >
> > Am I missing something?
> >
> > Or am I doing anything wrong?
> >
> > Regards Roar
>
> Your bug report is horrible.
>
> man sendbug
>
> -ml
>


ftp.eu.openbsd.org

2017-10-10 Thread Tony Sarendal
Not looking so good.

tonsar@jump0.swe1$ ftp ftp.eu.openbsd.org
Trying 193.156.26.18...
Connected to ftp.eu.openbsd.org (193.156.26.18).
220 jj-prod-obsdmirror.inet6.se FTP server ready.
Name (ftp.eu.openbsd.org:tonsar): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (192,168,0,13,204,157)
^C

/T


Re: reordering libraries:/etc/rc[443]: ./test-ld.so: Permission denied

2017-10-10 Thread Kevin Chadwick
On Wed, 27 Sep 2017 21:43:48 -0500


> Why is this happening, and is there anything that I should do to
> correct
> 

The system has been getting more and more dynamic to make attackers
fumble in the dark.

> the "Permission denied" error?

If you prefer then add: 

/sbin/mount -uo noexec /tmp 

to /etc/rc.local

The new pledge powers that have been mentioned recently potentially make
noexec more useful ;)

I am moving all potentially problematic fstab changes such as ro
to /etc/rc.local (/sbin/mount -urf /), letting the devs use the system
during boot as they would their own system.



amd64 OpenBSD 6.2 doesn't see hard disks when controller in RAID mode

2017-10-10 Thread Rostislav Krasny
Hi,

I've just tried to install amd64 OpenBSD 6.2 and it doesn't see the
hard disks when the controller is in RAID mode (BIOS configuration). If I
change it to AHCI mode (in the BIOS) it can see them.

Although I don't use the RAID capabilities I can't switch to AHCI mode,
because Windows 7 was installed when the storage controller was in
RAID mode (the default in my BIOS).

Is it a known bug/limitation? Various Linuxes and FreeBSD 11.1 work
properly with my disk controller and see all the disks, even in RAID
mode.

My hardware:
HP Z230 desktop with Intel C226 chipset, Intel Core i7 4790 CPU and 16
GB of RAM.
Hard disks:
[1] 238GB SanDisk SD8SBAT256G1122 (SSD)
[2] 931GB Western Digital WDC WD10EZEX-60M2NA0 (SATA)

Installation media:
install62.fs flashed on a USB drive.



Re: Trouble with VMM/VMD

2017-10-10 Thread Mike Larkin
On Tue, Oct 10, 2017 at 02:39:05PM +0200, Roar Waagsbø wrote:
> Hi.
> 
> I started using OpenBSD a while back and I was told on #openbsd@freenode
> that vmm was the way to go, and not to use qemu.
> 
> I want to use OpenBSD on my host machine.
> 
> I set up two VMs and it worked fine.
> 
> After about a week I noticed that one of my VMs was shut down.
> 
> I started it back up again and didn't give it much thought.
> 
> After a few days my other VM was shut down.
> 
> Then after a few days again both my VMs were shut down.
> 
> Today I upgraded the host to a new -current snapshot (10/10/2017)
> 
> And when I start my VM now, it says that it starts successfully, then after
> a few seconds it is shut down again.
> 
> I started vmd with -d (tried -dv but it said that -v wasn't an option, even
> though man vmd says so)
> 
> And the only thing /var/log/daemon says was:
> 
> vmd2: vm2 even trhead exited unexpectedly.
> 
> Am I missing something?
> 
> Or am I doing anything wrong?
> 
> Regards Roar

Your bug report is horrible.

man sendbug

-ml



Issue with ipsec tunnels on 6.2

2017-10-10 Thread Renaud Allard
Hello,

Since the upgrade to OpenBSD 6.2 (from 6.1), one of my tunnels is not
working anymore (it was working on 6.1).
There are 2 things which differ from the other (working) ones:
both hosts are NATed, and one host is i386 (instead of amd64).

I can see packets leaving the source server and entering the destination
one.

leaving:
Oct 10 16:20:20.456154 e4:11:5b:d4:4a:6e c4:ea:1d:45:50:2c 0800 194:
192.168.254.2.4500 > 91.183.56.68.4500:udpencap: esp 192.168.254.2 >
91.183.56.68 spi 0x1b3c3f1f seq 155 len 152 (DF)

arriving:
Oct 10 16:20:20.474021 08:76:ff:e5:24:82 00:04:a7:08:9a:c6 0800 194:
91.183.56.64.4500 > 172.20.254.254.4500:udpencap: esp 91.183.56.64 >
172.20.254.254 spi 0x1b3c3f1f seq 155 len 152 (DF) [tos 0x38]

However, if I sniff enc0 on the source host, I can see the packets, but
on the destination host, I don't see anything on enc0 besides the NAT-T
keepalives.


Has anyone seen such an issue?

Best Regards



Re: softraid crypto with keydisk and password

2017-10-10 Thread Stefan Sperling
On Tue, Oct 10, 2017 at 11:13:45PM +1100, tomr wrote:
> Well... there's nothing in the FAQ about using a keydisk at all, and
> there's no hints in bioctl(8) about using both a keydisk and a password
> together.

That's because using both isn't a supported use case yet.
In the current design and implementation, there's either a passphrase
or a keydisk, but never both.

> The last comment on this thread describes what I'd like to do, which is
> to somehow have a keydisk *and* a passphrase:
> https://undeadly.org/cgi?action=article=20131112031806

Please understand that I don't have any interest in supporting such hacks.
If you use them and they work for you, that's fine of course.

I'd rather see a patch that makes this feature a proper part of the design
and implementation. I don't need this feature. But if you write a patch
to implement it properly, I will review your patch.



Trouble with VMM/VMD

2017-10-10 Thread Roar Waagsbø
Hi.

I started using OpenBSD a while back and I was told on #openbsd@freenode
that vmm was the way to go, and not to use qemu.

I want to use OpenBSD on my host machine.

I set up two VMs and it worked fine.

After about a week I noticed that one of my VMs was shut down.

I started it back up again and didn't give it much thought.

After a few days my other VM was shut down.

Then after a few days again both my VMs were shut down.

Today I upgraded the host to a new -current snapshot (10/10/2017)

And when I start my VM now, it says that it starts successfully, then after
a few seconds it is shut down again.

I started vmd with -d (tried -dv but it said that -v wasn't an option, even
though man vmd says so)

And the only thing /var/log/daemon says was:

vmd2: vm2 even trhead exited unexpectedly.

Am I missing something?

Or am I doing anything wrong?

Regards Roar


Re: softraid crypto with keydisk and password

2017-10-10 Thread tomr


On 09/28/17 17:58, Stefan Sperling wrote:
> On Thu, Sep 28, 2017 at 04:15:20AM +0200, Erling Westenvik wrote:
>> On Thu, Sep 28, 2017 at 09:11:49AM +1000, tomr wrote:
>>> I remember seeing a post, I think on undeadly.org, which went through
>>> having the bootloader on password-encrypted usb drive, that also
>>> contains a keyfile for the main disk. It said something like "I also
>>> wanted the laptop to appear broken, and the disk full of random data, if
>>> the usb drive wasn't present - rather than stopping at a password prompt"
>>
>> Here you go:
>>
>> http://www.undeadly.org/cgi?action=article=20110530221728
> 
> Hi, I am the author of this undeadly article.
> It is now very old and full of outdated information.
> 
> Follow this FAQ section instead:
> http://www.openbsd.org/faq/faq14.html#softraid

Well... there's nothing in the FAQ about using a keydisk at all, and
there's no hints in bioctl(8) about using both a keydisk and a password
together.

The last comment on this thread describes what I'd like to do, which is
to somehow have a keydisk *and* a passphrase:
https://undeadly.org/cgi?action=article=20131112031806



Re: l2tp client

2017-10-10 Thread Stefan Sperling
On Mon, Oct 09, 2017 at 08:03:54PM -0500, Daniel Boyd wrote:
> I’ve just started a job where I will be working from home a bunch, so I would 
> like to configure my home router as an ipsec/l2tp client and to push the 
> routes from my work network to all computers on my home network.  i.e. a 
> site-to-site VPN.
> 
> I have found a bunch of documentation for configuring OpenBSD as a ipsec/l2tp 
> server, but not as much as a client.  
> 
> I assume I’ll need the xl2tpd package… When I connect a Mac, iOS device, or 
> PC, the VPN requires a username, password and a secret.
> 
> Can anyone point me in the direction of some documentation to get started?
> 
> Thanks!
> 
> Daniel Boyd

If you install the xl2tpd package you'll find a README file with instructions
in /usr/local/share/doc/pkg-readmes/



Re: l2tp client

2017-10-10 Thread Stuart Henderson
On 2017-10-10, Daniel Boyd  wrote:
> I’ve just started a job where I will be working from home a bunch, so I would 
> like to configure my home router as an ipsec/l2tp client and to push the 
> routes from my work network to all computers on my home network.  i.e. a 
> site-to-site VPN.
>
> I have found a bunch of documentation for configuring OpenBSD as a ipsec/l2tp 
> server, but not as much as a client.  
>
> I assume I’ll need the xl2tpd package… When I connect a Mac, iOS device, or 
> PC, the VPN requires a username, password and a secret.
>
> Can anyone point me in the direction of some documentation to get started?
>
> Thanks!
>
> Daniel Boyd
>

Yes, you'll need xl2tpd and pppd(8) for an ipsec/l2tp client.
Be warned, it doesn't work particularly well.

If the other side is under your control, use pretty much anything else
instead.

Plain IKEv1 (isakmpd/ipsec.conf), IKEv2 (iked/iked.conf), OpenVPN, or
openconnect (with ocserv or cisco anyconnect on the server side) - all
will work more reliably and be easier to configure than L2TP+IPsec
client on OpenBSD.




Re: gtar: ambiguous package

2017-10-10 Thread Stuart Henderson
On 2017-10-09, Todd C. Miller  wrote:
> On Mon, 09 Oct 2017 17:24:53 +0200, Max Power wrote:
>
>> Hi guys, and wishes for the new release, Thank You Theo.
>> 
>> Installing gtar ask me:
>> Ambiguos: choose package for gtar
>> a  0:
>>  1: gtar-1.28p1
>>  2: gtar-1.28p1-static
>> Your choice:
>> 
>> Ok, but the difference between 'normal' and 'static'...?
>
> Packages with the -static suffix are statically linked and do not
> depend on shared libraries.  This means that the binary is not
> affected by changes in the shared libraries, which can be handy for
> development.  It is also consistent with the OpenBSD tar/pax which
> is also statically linked.
>
> Chances are it won't make a difference to you and the non-static
> package will be a bit smaller.

If you want to script this (or use with config management systems)
and don't want to be presented with the choice, use "gtar--" as the
package name, e.g. "pkg_add gtar--".




Re: Switching swap partition

2017-10-10 Thread Frank Groeneveld
On Tue, Oct 10, 2017, at 10:22, leo_...@volny.cz wrote:
> Instead of sd0b? Then it appears fine.

Yes, that was my point, everything seemed fine until I found that line
in dmesg.
 
> >> You might want to keep sd0b around as a dump partition though, just in
> >> case it ever panics before going multiuser...
> >
> > The point of this operation was to reclaim that space for other use ;-)
> 
> You could even just shrink it significantly -- I don't think a dump at
> early boot would take up *that* much space...

Good suggestion, I might do it like that indeed. Thanks!

Frank



RE: Switching swap partition

2017-10-10 Thread leo_tck
Haai,

"Frank Groeneveld"  wrote:
>
> swapctl -l always lists /dev/sd1b correctly.

Instead of sd0b? Then it appears fine.

>> You might want to keep sd0b around as a dump partition though, just in
>> case it ever panics before going multiuser...
>
> The point of this operation was to reclaim that space for other use ;-)

You could even just shrink it significantly -- I don't think a dump at
early boot would take up *that* much space...

 --schaafuit.



Re: Switching swap partition

2017-10-10 Thread Frank Groeneveld
On Tue, Oct 10, 2017, at 09:48, leo_...@volny.cz wrote:
> It'd seem more wrong to me if it'd try to swap to a nonexistent
> partition ;) Just in case, what is the output of 'swapctl -l' straight
> after boot, preferably when still single-user? 

swapctl -l always lists /dev/sd1b correctly.

> You might want to keep sd0b around as a dump partition though, just in
> case it ever panics before going multiuser...

The point of this operation was to reclaim that space for other use ;-)

Frank



6.2-RELEASE with single disk FDE hangs on serial console after wrong passphrase

2017-10-10 Thread Kapfhammer, Stefan
Hi misc,

I have a PC Engines apu2b4 with one 16 GB
ssd, for installation or reboot reasons I am
connected via serial console.

Here is the boot screen:

(dmesg below)


=

PC Engines apu2
coreboot build 20170831
BIOS version v4.0.12
4080 MB ECC DRAM

SeaBIOS (version rel-1.10.2.1)

Press F10 key now for boot menu

Booting from Hard Disk...
Using drive 0, partition 3.
Loading..
probing: pc0 com0 com1 com2 com3 mem[638K 3582M 496M a20=on] 
disk: hd0+ sr0*
>> OpenBSD/amd64 BOOT 3.33
Passphrase:                                            <- accidentally pressed Enter
bcrypt_pbkdf failed
open(sr0a:/etc/boot.conf): Operation not permitted     <- should be loaded for com0 switching
boot> 
Passphrase:                                            <- given the right passphrase
booting sr0a:/bsd: 8520476+2544648+241408+0+675840 [662700+82+702264+484833]=0xd32ce8
entry point at 0x1000158                               <- hangs forever

=

Hint:
After entering an empty or wrong passphrase and, at last, the correct
passphrase, it should reload /etc/boot.conf (with correct permissions set?)

Workaround:
Giving 'stty com0 115200' and 'set tty com0'
at the boot prompt, and then giving the
correct passphrase, seems to work: the system switches
to com0 and boots up.

If you are too slow, the system tries to boot and hangs on the console.
It's annoying that after the hang you have to pull the AC cable and put it
back again (especially on APUx devices). That provokes fs checks on the crypto device.

This is not a hard bug and I am very good with 6.2-RELEASE, the fastest
and best up to now.

Congratulations to the developers, great great work.

Regards,

Stefan Kapfhammer


dmesg:
OpenBSD 6.2 (GENERIC.MP) #134: Tue Oct  3 21:22:29 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4261076992 (4063MB)
avail mem = 4124921856 (3933MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdffb7020 (7 entries)
bios0: vendor coreboot version "v4.0.12" date 08/31/2017
bios0: PC Engines apu2
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S2 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HEST SSDT SSDT HPET
acpi0: wakeup devices PWRB(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) 
UOH1(S3) UOH3(S3) UOH5(S3) XHC0(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD GX-412TC SOC, 998.27 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu0: TSC frequency 998270800 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD GX-412TC SOC, 998.13 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 
16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: AMD GX-412TC SOC, 998.13 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu2: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: AMD GX-412TC SOC, 998.13 MHz
cpu3: 

RE: Switching swap partition

2017-10-10 Thread leo_tck
Hi,

"Frank Groeneveld" wrote:
> I recently switched the swap partition on a server from sd0b to sd1b.
> I've modified /etc/fstab accordingly and after a reboot swapctl -l lists
> it as being the only used swap partition correctly. Today I noticed this
> line in dmesg:
> root on sd0a (4340b9bfa4cdde0a.a) swap on sd0b dump on sd0b

FWIW, I believe these are just boot-time defaults.

> It still lists the old partition (which I modified to be of the
> "unknown" type in the disklabel, but removing the partition doesn't fix
> it either) as being the swap partition. How can I change this? I found a
> kernel compile option, but recompiling a kernel because I want swap on a
> different partition seems wrong.

It'd seem more wrong to me if it'd try to swap to a nonexistent
partition ;) Just in case, what is the output of 'swapctl -l' straight
after boot, preferably when still single-user?

You might want to keep sd0b around as a dump partition though, just in
case it ever panics before going multiuser...

--schaafuit.



Switching swap partition

2017-10-10 Thread Frank Groeneveld
I recently switched the swap partition on a server from sd0b to sd1b.
I've modified /etc/fstab accordingly and after a reboot swapctl -l lists
it as being the only used swap partition correctly. Today I noticed this
line in dmesg:
root on sd0a (4340b9bfa4cdde0a.a) swap on sd0b dump on sd0b

It still lists the old partition (which I modified to be of the
"unknown" type in the disklabel, but removing the partition doesn't fix
it either) as being the swap partition. How can I change this? I found a
kernel compile option, but recompiling a kernel because I want swap on a
different partition seems wrong.

Thanks for any hints!

Frank



Re: reordering libraries:/etc/rc[443]: ./test-ld.so: Permission denied

2017-10-10 Thread Renaud Allard
On 09/28/2017 06:34 AM, Philip Guenther wrote:
> On Wed, 27 Sep 2017, Theodore Wynnychenko wrote:
> ...
>> Thank you for the information.  I removed the “noexec” flag from fstab 
>> and the error has disappeared.
>>
>> But, I am also surprised by the requirement that /tmp _not_ be mounted 
>> noexec for this to function correctly.  I recall reading that it was 
>> best to mount filesystems with the most restrictive settings possible 
>> for that specific filesystem, and that /tmp should be mounted with 
>> (essentially) nothing set (ie: nodev, nosuid, noexec).
>>
>> Am I incorrect or has something changed in this regard?
>>
>> It seems to me that, as a general rule, making /tmp noexec is a good 
>> thing from a security standpoint; but I admit that I don’t know enough 
>> about this to be sure.
>>
>> Anyway, I just added a line to rc.local to remount temp as noexec at the 
>> end of the boot so that rc would work without errors and that /tmp is 
>> noexec once the system is up.
> 
> To quote a co-worker: "What problem are you trying to solve?"
> Or, in this case: What attack/threat vector are you trying to block?
> 
> What on your system is running with (a) ability to exec (think pledge(2)), 
> *and* (b) access to /tmp but *without* write access to other directories 
> (like $HOME) that aren't mounted noexec?
> 
> If the answer is "nothing", then marking /tmp as noexec is only annoying 
> you.
> 
> 

Sorry to revive an "old" post, but I am trying to understand the logic.

On a desktop, I fully agree with you, it's generally useless.

But on my servers, I have a lot of processes which can write into their
home directories, but those directories are noexec as well. Why would
you need to allow any process to exec things that are not in controlled
paths? As an example, let's say I have dovecot running, why would I let
dovecot run anything besides its own processes that have been written by
root and it cannot modify? Many exploits try to drop binaries into /tmp
by default.

Also, remounting /tmp noexec doesn't work if your /tmp is mfs AFAIK.
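The question above (which writable filesystems besides /tmp lack noexec?) can be answered by auditing mount(8) output. The following is an added example, not code from anyone in the thread: it parses OpenBSD-style mount(8) lines (the sample list is constructed for this example) and reports read-write mounts that do not carry a given flag.

```shell
#!/bin/sh
# Added example: list read-write filesystems mounted without a given flag
# (noexec, nosuid or nodev), from OpenBSD mount(8)-style output.
# SAMPLE_MOUNTS is constructed for this example; on a live host you would
# pass "$(mount)" instead.

SAMPLE_MOUNTS='/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0e on /var type ffs (local, nodev, nosuid, noexec)
/dev/sd0f on /usr type ffs (local, nodev, rdonly)
/dev/sd0g on /home type ffs (local, nodev, nosuid)
mfs:40732 on /tmp type mfs (asynchronous, local, nodev, nosuid, size=262144 512-blocks)'

# audit_mounts FLAG MOUNTLIST
# Prints, one per line, the mount points in MOUNTLIST that are mounted
# read-write and do NOT have FLAG in their option list. Read-only mounts
# are skipped: nothing can be dropped there, so the flag is moot.
audit_mounts() {
    flag=$1
    printf '%s\n' "$2" | while IFS= read -r line; do
        # "<dev> on <mountpoint> type <fstype> (<opts>)"
        mp=$(printf '%s' "$line" | sed -n 's/^[^ ]* on \([^ ]*\) type .*/\1/p')
        opts=$(printf '%s' "$line" | sed -n 's/.*(\(.*\))$/\1/p' | tr -d ' ')
        [ -n "$mp" ] || continue
        case ",$opts," in
            *,rdonly,*)   continue ;;  # read-only filesystem
            *",$flag,"*)  continue ;;  # already carries the flag
        esac
        printf '%s\n' "$mp"
    done
}

# Demonstration on the constructed list: /var (noexec) and /usr (rdonly)
# are not reported; /, /tmp (both ffs and mfs) and /home are.
audit_mounts noexec "$SAMPLE_MOUNTS"
```

Run with nosuid or nodev as the first argument to check the other two flags the thread mentions.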