Re: CVS confusion

2014-10-11 Thread Otto Moerbeek
On Sat, Oct 11, 2014 at 02:08:12AM +, Steven Surdock wrote:

> I'm trying to follow -stable ports, but CVSWEB appears inconsistent.
> 
> If I look at ports/lang/php/5.4 for OPENBSD_5_5 
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/?only_with_tag=OPENBSD_5_5)
> it shows the following:
> 
> Makefile   1.16.2.1   4 months   jasper   security   update to php-5.4.28 ok sthen@
> 
> If I look at the Makefile 
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/Makefile?only_with_tag=OPENBSD_5_5)
> it shows a Revision of 1.16.2.3 and the last note says "security update to 
> 5.4.30; ok jasper@".
> 
> If I look at Rev. 1.16.2.1 (from the first page above), it shows version 
> 5.4.28
> 
> If I grab a copy via CVS, I get 5.4.32.
> $ cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_5 -P 
> ports/lang/php/5.4
> 
> Which is the correct php 5.4 for OpenBSD 5.5-stable?
> 
> -Steve S.

Looks like a bug in cvsweb. Makefile 1.16.2.3 is the newest revision in the
OPENBSD_5_5 branch. You can see that if you click Makefile in the page
displayed by your first url.

-Otto



Re: Trying to get suspend to RAM working on an X31

2014-10-11 Thread John Magolske
* Mike Larkin mlar...@azathoth.net [141010 11:18]:
> On Fri, Oct 10, 2014 at 10:01:18AM -0700, John Magolske wrote:
>> Upon issuing the `zzz` command, the screen turns off, the machine
>> spins down and the little crescent-moon sleep indicator lights up.
>> But when woken, the screen comes up frozen with lots of vertical
>> stripes. Blind-typing commands into the console has no effect (e.g.
>> `zzz` from a root console then `halt -p` after the awakening attempt).
> 
> boot -c, disable radeondrm (and also disable auto xdm start).
> 
> See if you can zzz/resume from the console without radeondrm running.
> 
> That will at least give us a place to start.
> 
> Another thing you can try is seeing if the machine is in ddb on resume
> for some reason. Try a few (3 or 4) "bo re" commands (enter after each). See
> if the machine reboots, and if so you might have clues in dmesg after 
> reboot.

Thanks, that made a difference. Appears to be suspending to RAM --
hard drive spins down, crescent-moon indicator lights up, screen goes
black...but then the backlight comes back on while remaining in sleep
mode. Closing and opening the lid brings it back to life promptly with
no stripes on the screen, everything is working fine. I just repeated
this reliably about 10 times in a row.

Now if I could figure out how to keep the backlight from coming back
on immediately after the suspend. Also wondering how much I'd be
giving up by forgoing DRM in my case with this mobility radeon 7000.

Rebooted, then suspended to the frozen screen with vertical stripes,
tried the suggested `bo re` ... but no, that screen is frozen solid.

Regards,

John

-- 
John Magolske
http://B79.net/contact



Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-11 Thread Federico Giannici

On 10/10/14 23:34, Stuart Henderson wrote:

> oops, missed your sysctl -a output (I wasn't expecting to see it,
> well done ;-)
> 
> net.inet.ip.ifq.drops=140720
> 
> You would probably benefit from increasing net.inet.ip.ifq.maxlen,
> maybe double it once or twice and see if net.inet.ip.ifq.drops stops
> increasing.



Our users too experience some disconnects.

We have a firewall with a large PF config (a lot of rules and queues) 
and a 500 Mbps Internet connection. Here is some info:


# uptime
10:16AM  up 47 days, 18:52, 1 user, load averages: 0.90, 0.82, 0.77

# sysctl net.inet.ip.ifq
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=1536
net.inet.ip.ifq.drops=3158576

# sysctl kern.netlivelocks
kern.netlivelocks=12031149

In pf we set limit states 100 and states always remain below 
20 (we graph them).


Complete dmesg, sysctl, and netstat -i follows.

Kernel is GENERIC (no MP) only change is HZ=1000 (for queues accuracy).

Any idea of what could be the problem and how to solve it?

Thanks.



# dmesg
OpenBSD 5.5-stable (NMFW) #1: Fri Aug 22 11:11:29 CEST 2014
giann...@legolas.neomedia.it:/usr/src/sys/arch/amd64/compile/NMFW
real mem = 8530317312 (8135MB)
avail mem = 8294674432 (7910MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec0f0 (76 entries)
bios0: vendor American Megatrends Inc. version 2.0 date 04/24/2014
bios0: Supermicro X10SLL-F
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT SSDT SSDT SSDT SSDT SSDT MCFG HPET 
SSDT SSDT SPMI DMAR EINJ ERST HEST BERT
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) 
PEG2(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) 
RP05(S4) GLAN(S4) EHC1(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.16 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 2 (RP01)
acpiprt5 at acpi0: bus 4 (RP02)
acpiec0 at acpi0: Failed to read resource settings
acpicpu0 at acpi0: C1, PSS
acpipwrres0 at acpi0: PG00, resource for PEG0
acpipwrres1 at acpi0: PG01, resource for PEG1
acpipwrres2 at acpi0: PG02, resource for PEG2
acpipwrres3 at acpi0: FN00, resource for FAN0
acpipwrres4 at acpi0: FN01, resource for FAN1
acpipwrres5 at acpi0: FN02, resource for FAN2
acpipwrres6 at acpi0: FN03, resource for FAN3
acpipwrres7 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
acpibtn2 at acpi0: LID0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 3600 MHz: speeds: 3601, 3600, 3400, 3200, 3000, 
2800, 2600, 2400, 2200, 2000, 1800, 1600, 1400, 1200, 1000, 800 MHz

pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel Xeon E3-1200 v3 Host rev 0x06
ppb0 at pci0 dev 1 function 0 Intel Core 4G PCIE rev 0x06: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 Intel 82571EB rev 0x06: apic 8 int 16, 
address 00:26:55:d0:32:42
em1 at pci1 dev 0 function 1 Intel 82571EB rev 0x06: apic 8 int 17, 
address 00:26:55:d0:32:43

Intel 8 Series xHCI rev 0x05 at pci0 dev 20 function 0 not configured
em2 at pci0 dev 25 function 0 Intel I217-LM rev 0x05: msi, address 
00:25:90:46:61:b5

ehci0 at pci0 dev 26 function 0 Intel 8 Series USB rev 0x05: apic 8 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb1 at pci0 dev 28 function 0 Intel 8 Series PCIE rev 0xd5: msi
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 ASPEED Technology AST1150 PCI rev 0x03
pci3 at ppb2 bus 3
vga1 at pci3 dev 0 function 0 ASPEED Technology AST2000 rev 0x30
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb3 at pci0 dev 28 function 1 Intel 8 Series PCIE rev 0xd5: msi
pci4 at ppb3 bus 4
em3 at pci4 dev 0 function 0 Intel I210 rev 0x03: msi, address 

Re: Shadow TCP stacks

2014-10-11 Thread Joachim Schipper
moved to misc@; it's still not on-topic, but this message may be
somewhat interesting

On Fri, Oct 10, 2014 at 07:31:50PM -0400, Ian Grant wrote:
> I want to try to implement some form of concealed port knocking in
> OpenBSD, along the lines of Martin Kirsch:
> 
> https://gnunet.org/sites/default/files/ma_kirsch_2014_0.pdf

Looking through the abstract and introduction, that's just port
knocking. As the paper points out, "Port knocking is a well-known
technique to hide TCP servers from port scanners."

(The thesis does aim at security against a global eavesdropper, which is
not traditionally a goal of port knocking; and the implementation does
try hard to work with existing software, which is nice.

I don't think port knocking is actually useful - see below - but this
does look like a competent execution of its concept.)

> The application is electronic democracy. I want to demonstrate how it
> is possible to do secure comms. over untrusted networks and hardware.

But it *isn't* possible to do secure comms from/to compromised hardware;
that is what compromised means.

Note that the thesis above merely aims at cryptographic port knocking; a
global adversary can still just read the unencrypted traffic. The thesis
also requires a pre-shared key; if you have a PSK, why not use real
crypto (e.g. a VPN) instead?

Also, note that securely pre-sharing keys is a pain even in a small
group of friends; there is no way you can scale that to every human in
the world.

> I hope to be able do this by carrying out a global referendum. See
> 
>   http://livelogic.blogspot.com/2014/10/the-foundation-parts-iii-iii.html

A very quick read shows that you want to do, roughly, electronic voting.
A number of proposals exists to achieve secure (or verifiable)
electronic voting; I believe you should be able to find fairly
accessible introductions to the cryptographic scheme proposed by Ron
Rivest (of RSA fame).

No proposal that I'm aware of even contemplates using compromised
hardware, though, and all proposals assume a functioning census.

> My plan is to use a virtual interface which magically shows behind the
> physical interface when connections are made with the right ISN key in
> the SYN packet. If the ISN is not one of the 'knocks' then the
> connection sees the ordinary physical interface.
> 
> Then I want to make a connection between applications and the TCP
> stack so that the knocks can be determined only by data from within
> the VPN. Then the knocks will vary non-deterministically. To bootstrap
> into the VPN a machine will need a direct trusted connection to
> another machine which is already in the VPN, and which can send it the
> initial knock key sequence which will allow it to handshake into the
> VPN, and thereafter have a connection.
> 
> The VPN will be tunneled over TCP and/or IP datagram connections.
> Within the VPN the routing and representation of data within real TCP
> network packets will also vary non-deterministically according to data
> passed over the VPN.
> 
> The VPN will be used for trusted core protocols for authentication,
> key-exchange and verification. So it need not carry such high volumes
> of traffic. The bulk of data will be carried over the exposed network.
> 
> If anyone here has a better idea, or any other useful advice (even if
> it's "this has already been done!" or "It won't work, but please
> explain exactly why.") or pointers: I am new to this game: I have never
> seriously looked at network protocol driver code in OpenBSD or any
> other OS.

This is way too large; start with something *much* smaller. Very smart
people have been working on the kind of things you're thinking about for
decades; you're not going to solve this in a weekend, or in just a
hundred lifetimes.

Some things that you may find interesting:
 - http://curvecp.org/: djb's "encrypt the whole internet" scheme. One
   useful first contribution might be to get the efficiency measurements
   that http://curvecp.org/efficiency.html promises; this is not easy.
 - Tor is the most realistic choice for internet anonymity at the
   moment; there are plenty of issues with it, but it's something.
   Consider setting up a tor node; do not set up an exit node without
   consulting an appropriate legal professional.
 - the global poor are getting more and more access to mobile
   (dumb-)phones; consider things like
   http://en.wikipedia.org/wiki/M-Pesa. It has been very hard for the
   open source world to do much of anything in this area, since (a) it's
   desperately uncool and (b) telecom companies are hesitant to allow
   any arbitrary code on their devices. Nonetheless, some (extremely
   ambitious) projects might be worthwhile:
   + try turning Karsten Nohl's research into something like Cydia, a
     platform for rooting SIM cards and installing custom applications
     on them. Again, consult a legal professional; this is definitely
     not legal everywhere.
   + create an e-voting application and bring it to market with the
     telecom operators' 

Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-11 Thread Daniel Aubry
On Fri, 10 Oct 2014 21:28:25 + (UTC)
Stuart Henderson s...@spacehopper.org wrote:

Hi Stuart

Many thanks for the input, I do have access to the servers too.

> I was going to suggest that you might have asymmetric routing causing
> split states i.e. one firewall seeing inbound packets, one seeing
> outbound, in which case "ifconfig pfsync0 defer" might help, but
> (assuming you weren't just seeing issues from connections which
> had been setup before disabling one firewall) the above test would
> seem to rule that out ..

I think we had less connection drops with only one firewall, but they
didn't disappear. 

Pfsync is configured to use unicast, the defer option is present:

# cat /etc/hostname.pfsync0 
up syncif vlan123 defer syncpeer xx.xx.xx.xx

You are correct, the routing can be asymmetric in our case.

> What does the output of "sysctl kern.netlivelocks net.inet.ip.ifq"
> look like?

net.inet.ip.ifq.maxlen was set to 256; I've changed it to 768. I'll look
if the values in net.inet.ip.ifq.drops change.

Kind regards,
Daniel
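Stuart's advice quoted earlier in this thread (double net.inet.ip.ifq.maxlen once or twice and see whether net.inet.ip.ifq.drops stops increasing) and Daniel's change from 256 to 768 both come down to the same check: sample the counters twice, and act on the growth rate rather than the raw number. The script below is an added example, not code from anyone in the thread. It parses two snapshots of what `sysctl net.inet.ip.ifq kern.netlivelocks` prints on OpenBSD, turns the monotonic counters into per-second rates, rejects a pair that spans a reboot (counter went backwards), and applies the double-and-re-check rule. The snapshot text is constructed (the first reuses the values Federico posted, the second is invented), and the 8192 ceiling is an assumption made for the example, not an OpenBSD limit.

```python
import re
from typing import Dict, Tuple

# Constructed samples: what `sysctl net.inet.ip.ifq kern.netlivelocks`
# might print on two runs 60 seconds apart. The first reuses the counters
# posted in the thread; the second sample is invented for illustration.
SNAPSHOT_T0 = """\
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=1536
net.inet.ip.ifq.drops=3158576
kern.netlivelocks=12031149
"""
SNAPSHOT_T1 = """\
net.inet.ip.ifq.len=12
net.inet.ip.ifq.maxlen=1536
net.inet.ip.ifq.drops=3159296
kern.netlivelocks=12031299
"""
INTERVAL_S = 60

# Assumed ceiling for this example only; OpenBSD imposes no such limit here.
MAXLEN_CAP = 8192

_LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)=(-?\d+)$")


def parse_sysctl(text: str) -> Dict[str, int]:
    """Turn `name=value` lines into a dict of ints; other lines are ignored."""
    values: Dict[str, int] = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def ifq_rates(before: Dict[str, int], after: Dict[str, int],
              interval_s: float) -> Dict[str, float]:
    """Per-second growth of ifq drops and net livelocks between snapshots.

    Both are monotonic counters, so a negative delta means they were reset
    (e.g. a reboot between samples) and the pair cannot be compared.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    d_drops = after["net.inet.ip.ifq.drops"] - before["net.inet.ip.ifq.drops"]
    d_live = after["kern.netlivelocks"] - before["kern.netlivelocks"]
    if d_drops < 0 or d_live < 0:
        raise ValueError("counter went backwards; did the box reboot?")
    return {
        "drops_per_s": d_drops / interval_s,
        "livelocks_per_s": d_live / interval_s,
    }


def recommend_maxlen(current: int, drops_per_s: float,
                     doublings_so_far: int) -> Tuple[int, str]:
    """Apply the rule from the thread: double maxlen once or twice while
    drops keep increasing; if they still grow after that, queue length is
    not the bottleneck and the cause is elsewhere (livelocks, rule count)."""
    if drops_per_s == 0:
        return current, "drops stable at this maxlen; keep it"
    if doublings_so_far >= 2:
        return current, "still dropping after two doublings; look elsewhere"
    return min(current * 2, MAXLEN_CAP), "drops still increasing; double maxlen"


def sysctl_conf_line(maxlen: int) -> str:
    """The line that persists the new value in /etc/sysctl.conf."""
    return f"net.inet.ip.ifq.maxlen={maxlen}"


if __name__ == "__main__":
    t0, t1 = parse_sysctl(SNAPSHOT_T0), parse_sysctl(SNAPSHOT_T1)
    rates = ifq_rates(t0, t1, INTERVAL_S)
    new_len, why = recommend_maxlen(t1["net.inet.ip.ifq.maxlen"],
                                    rates["drops_per_s"], doublings_so_far=0)
    print(f"drops: {rates['drops_per_s']:.1f}/s  "
          f"livelocks: {rates['livelocks_per_s']:.2f}/s")
    print(f"{why} -> {sysctl_conf_line(new_len)}")
```

On a real firewall the two constants would be replaced by the output of the sysctl command captured a minute or so apart (a cron job writing to a file is enough). The per-second livelock rate is kept alongside the drop rate on purpose: a queue that keeps overflowing after two doublings while kern.netlivelocks climbs steadily points at the kernel not draining the queue fast enough, which a longer queue only postpones.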



Re: edge router lite promt-less boot

2014-10-11 Thread Rafael Neves
Hi,

On Fri, Sep 26, 2014 at 08:49:36PM -0700, Rusty wrote:
> Good morning misc/
> 
> I purchased a couple of Ubiquiti's EdgeRouter Lite boxes.
> 
> And while the Ubiquiti OS is ok (better than most small home routers
> anyhow) I quickly started missing my obsd, this is why I bought them after
> all.
> 
> I am fine netbooting for the time being. However are there any hints to skip
> the prompt for the root device?
> 
> you know the one asking for
> root device:


This is configured in sys/kern/subr_disk.c. You can hardcode some of your 
ethernet ports (e.g., cnmac0) there. However, take care if you use the same source 
tree to compile for archs other than octeon, because this file is 
used on all archs. Be sure to put your changes inside #ifdef CPU_OCTEON.

I have this in my tree, but use it at your own risk and, to be clear: it is a 
nasty workaround. The only use case for my EdgeMax is hacking. I would not 
use them in production until USB support is finished, but it is up to you.

Regards,
Rafael Neves

Index: sys/kern/subr_disk.c
===
RCS file: /cvs/src/sys/kern/subr_disk.c,v
retrieving revision 1.170
diff -u -p -r1.170 subr_disk.c
--- sys/kern/subr_disk.c14 Sep 2014 14:17:25 -  1.170
+++ sys/kern/subr_disk.c11 Oct 2014 14:28:23 -
@@ -1462,11 +1462,18 @@ setroot(struct device *bootdv, int part,
printf());
}
printf(: );
+#ifdef CPU_OCTEON
+   char *dsklbuf = cnmac0;
+   printf(%s\n, dsklbuf);
+   strlcpy(buf, dsklbuf, sizeof buf);
+   len = strlen(buf);
+#else
s = splhigh();
cnpollc(TRUE);
len = getsn(buf, sizeof(buf));
cnpollc(FALSE);
splx(s);
+#endif /* CPU_OCTEON */
if (strcmp(buf, exit) == 0)
reboot(exitflags);
if (len == 0  bootdv != NULL) {
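Review bot: the `char *dsklbuf = cnmac0;` declaration sits after the `printf(: );` statement in the middle of the block; OpenBSD kernel style (style(9)) puts declarations at the top of the block, so either move it to the start of setroot() or make it a `static const char` string at file scope under the same `#ifdef` (the string quotes around cnmac0 and the format strings appear lost in this rendering of the hunk). More importantly, the `#ifdef CPU_OCTEON` branch replaces the prompt unconditionally, so `if (strcmp(buf, exit) == 0) reboot(exitflags);` and every root device other than cnmac0 become unreachable in any octeon kernel built from this tree; guarding the override with a kernel config option (a hypothetical `option OCTEON_ROOTDEV` in the kernel config) instead of the architecture define would keep GENERIC interactive while still giving the headless boot the author wants. The `strlcpy(buf, dsklbuf, sizeof buf); len = strlen(buf);` pair is fine as written since buf is a fixed-size array.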


> I would also welcome any hints on updating a diskless set.
> My current method is based roughly on the install script.
> 
> detar sets preserving permissions (excepting etc??.tgz)
> reboot into arches bsd.rd to rebuild device nodes
> reboot and run sysmerge to merge etc??.tgz
> 
> 
> full serial boot log:
> 
> Looking for valid bootloader image
> Jumping to start of image at address 0xbfc8
> 
> 
> U-Boot 1.1.1 (UBNT Build ID: 4493936-g009d77b) (Build time: Sep 20 2012 -
> 15:48:51)
> 
> BIST check passed.
> UBNT_E100 r1:2, r2:14, serial #: DC9FDB803A4D
> Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
> DRAM:  512 MB
> Clearing DRAM... done
> Flash:  4 MB
> Net:   octeth0, octeth1, octeth2
> 
> USB:   (port 0) scanning bus for devices... 1 USB Devices found
>        scanning bus for storage devices...
>   Device 0: Vendor:  Prod.: USB DISK 2.0 Rev: PMAP
>             Type: Removable Hard Disk
>             Capacity: 3700.6 MB = 3.6 GB (7579008 x 512)
>  0
> Interface 0 has 3 ports (RGMII)
> Using octeth0 device
> TFTP from server 192.168.16.5; our IP address is 192.168.16.16
> Filename 'bsd.sp.octeon'.
> Load address: 0x9f0
> Loading: octeth0: Up 1000 Mbps Full duplex (port  0)
> ###
> 
>   [76/276]
> done
> Bytes transferred = 3734226 (38fad2 hex), 9855 Kbytes/sec
> ELF file is 64 bit
> Allocating memory for ELF segment: addr: 0x8100 (adjusted to:
> 0x100), size 0x3bfc70
> Allocated memory for ELF segment: addr: 0x8100, size 0x3bfc70
> Processing PHDR 0
>   Loading 334bf8 bytes at 8100
>   Clearing 8b078 bytes at 81334bf8
> ## Loading Linux kernel with entry point: 0x8100 ...
> Bootloader: Done loading app on coremask: 0x1
> Total DRAM Size 0x2000
> Bank 0 = 0x013C   -  0x0FFF
> mem_layout[0] page 0x04F0 - 0x3FFF
> boot_desc-argv[1] = root=/dev/cnmac0
> Initial setup done, switching console.
> boot_desc-desc_ver:7
> boot_desc-desc_size:400
> boot_desc-stack_top:0
> boot_desc-heap_start:0
> boot_desc-heap_end:0
> boot_desc-argc:2
> boot_desc-flags:0x5
> boot_desc-core_mask:0x1
> boot_desc-dram_size:512
> boot_desc-phy_mem_desc_addr:0
> boot_desc-debugger_flag_addr:0xa44
> boot_desc-eclock:5
> boot_desc-boot_info_addr:0x1001f0
> boot_info-ver_major:1
> boot_info-ver_minor:2
> boot_info-stack_top:0
> boot_info-heap_start:0
> boot_info-heap_end:0
> boot_info-boot_desc_addr:0
> boot_info-exception_base_addr:0x1000
> boot_info-stack_size:0
> boot_info-flags:0x5
> boot_info-core_mask:0x1
> boot_info-dram_size:512
> boot_info-phys_mem_desc_addr:0x24108
> boot_info-debugger_flags_addr:0
> boot_info-eclock:5
> boot_info-dclock:26600
> boot_info-board_type:20002
> boot_info-board_rev_major:2
> boot_info-board_rev_minor:14
> boot_info-mac_addr_count:3
> boot_info-cf_common_addr:0
> boot_info-cf_attr_addr:0
> 
 

Re: CVS confusion

2014-10-11 Thread Ted Unangst
On Sat, Oct 11, 2014 at 08:55, Otto Moerbeek wrote:
> On Sat, Oct 11, 2014 at 02:08:12AM +, Steven Surdock wrote:
> 
>> I'm trying to follow -stable ports, but CVSWEB appears inconsistent.
>>
>> If I look at ports/lang/php/5.4 for OPENBSD_5_5
>> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/?only_with_tag=OPENBSD_5_5)
>> it shows the following:
>>
>> Makefile   1.16.2.1   4 months   jasper   security   update to php-5.4.28 ok sthen@
>>
>> If I look at the Makefile
>> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/Makefile?only_with_tag=OPENBSD_5_5)
>> it shows a Revision of 1.16.2.3 and the last note says "security update to
>> 5.4.30; ok jasper@".
>>
>> If I look at Rev. 1.16.2.1 (from the first page above), it shows version
>> 5.4.28
>>
>> If I grab a copy via CVS, I get 5.4.32.
>> $ cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_5 -P
>> ports/lang/php/5.4
>>
>> Which is the correct php 5.4 for OpenBSD 5.5-stable?
>>
>> -Steve S.
> 
> Looks like a bug in cvsweb. Makefile 1.16.2.3 is the newest revision in the
> OPENBSD_5_5 branch. You can see that if you click Makefile in the page
> displayed by your first url.

There's also a typo in the last commit message, which adds to the fun.
It says 5.4.30 but should say 5.4.32.



Zenocara Intel Crestline Graphics

2014-10-11 Thread Raymond Lillard

I have the opportunity to purchase a Dell laptop
with Intel Crestline Graphics hardware. Crestline
appears to be marketing speak for:

intel GM965/GMA X3100

Can someone advise me as to the likelihood of using
the h/w or will I be limited to the framebuffer?

Mr. Google has failed me.

Ray



Re: Zenocara Intel Crestline Graphics

2014-10-11 Thread Chris Cappuccio
Raymond Lillard [r...@prosysmeg.com] wrote:
> I have the opportunity to purchase a Dell laptop
> with Intel Crestline Graphics hardware. Crestline
> appears to be marketing speak for:
> 
> intel GM965/GMA X3100
> 
> Can someone advise me as to the likelihood of using
> the h/w or will I be limited to the framebuffer?
> 

You should have full accelerated support with inteldrm