Re: Symon on 5.6
On Wed, Jan 14, 2015 at 21:24:15 -0500, Steve Shockley wrote:
> On 1/14/2015 9:47 AM, Predrag Punosevac wrote:
>>> and I ran the chroot enable script from rrdtool.
>>
>> As documented in the rrdtool pkg-readme, you must do:
>> /usr/local/share/examples/rrdtool/rrdtool-chroot enable
>>
>> You should look under /usr/local/share/doc/pkg-readmes/, it comes with a
>> *lot* of OpenBSD specific information..
>
> Thanks. I did run rrd-chroot enable, and changed rrdtool_path in setup.inc
> to /usr/local/bin/rrdtool (which is where rrdtool-chroot copies it in the
> chroot). Even with that, nothing worked until I coincidentally copied
> /bin/sh to the chroot.
>
> Maybe $this->exec($cmdline) in php (class_rrdtool.inc line 103) requires sh?
> But that wouldn't explain if it works for everyone else.

Hi,

for me, it didn't work either. I (think I) did everything needed, including
rrdtool-chroot enable, and I had the same effect as you - no graphs. Only
after copying /bin/sh did the graphs start working. I didn't do much
investigation though.

Oh and: I'm running nginx, if that matters.

Thanks and regards,
Christoph
New x86, 4,5W Hardware Fit-PC Fillet
Hi,

as I am always searching for new (low power) hardware, today I found
something new. It sounds quite nice for running OpenBSD as a
router/firewall. It is possible that not everything is supported right
now in OpenBSD but the low power and number of nics made me smile. It
might be available around March 2015. Hopefully someone will try running
OpenBSD on it.

Some highlights:
AMD A4-6400T SoC 64-bit quad core 1.0GHz (boost up to 1.6GHz) 4.5W
1x SO-DIMM 204-pin DDR3 SDRAM memory slot
Up to 8GB DDR3-1333
1x mSATA slot up to 6 Gbps (SATA 3.0)
AMD Radeon R3 Graphics
2x GbE LAN ports (RJ-45)
LAN1: Intel I211 GbE controller
LAN2: Intel I211 GbE controller
Warranty 5 years
Pricing ?? (other models available)

link to product
http://www.fit-pc.com/web/products/specifications/fitlet-models-specifications/?model%5B%5D=fitlet-B+%28TBA%29&model%5B%5D=fitlet-X+%28TBA%29&model%5B%5D=fitlet-i+%28TBA%29

link to news
http://www.phoronix.com/scan.php?page=news_item&px=CompuLab-Fitlet-Linux-PC

as always, other/similar choices:
APU1D4
soekris net6801-xx

Jan
Re: usb ehci errors in 5.6-stable
On Wed, Jan 14, 2015 at 19:35 +, Fred wrote:
> On 01/14/15 13:13, Evgeny Zhavoronkov wrote:
> >> On 01/14/15 12:37, Evgeny Zhavoronkov wrote:
> >>> Hi, All!
> >>>
> >>> I get these errors when actively using usb wifi adapter
> >>> Jan 14 16:08:57 t4 /bsd: 0x4f4e5155
> >>> Jan 14 16:08:57 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155
> >>> Jan 14 16:08:57 t4 last message repeated 1006 times
> >>> Jan 14 16:08:57 t4 /bsd: athn0: could not wakeup chip
> >>> Jan 14 16:09:22 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done!
> >>> Jan 14 16:10:40 t4 /bsd: 0x4f4e5155
> >>> Jan 14 16:10:40 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155
> >>> Jan 14 16:10:40 t4 last message repeated 1006 times
> >>> Jan 14 16:10:40 t4 /bsd: athn0: could not wakeup chip
> >>> Jan 14 16:11:04 t4 /bsd: 0x4f4e5155
> >>> Jan 14 16:11:04 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155
> >>> Jan 14 16:11:04 t4 last message repeated 1006 times
> >>> Jan 14 16:11:04 t4 /bsd: athn0: could not wakeup chip
> >>> Jan 14 16:12:20 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done!
> >>> Jan 14 16:12:28 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done!
> >>> Jan 14 16:15:12 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done!
> >>> Jan 14 16:24:21 t4 last message repeated 7 times
> >>> Jan 14 16:32:25 t4 last message repeated 4 times
> >>>
> >>> it erased my dmesg, so I can't provide it.
> >>>
> >>> [demime 1.01d removed an attachment of type application/pgp-signature]
> >>>
> >>
> >> look in: /var/run/dmesg.boot
> >> Fred
> >
> > Thanks, here it is:
> >
> > OpenBSD 5.6-stable (GENERIC.MP) #0: Sun Jan 11 20:07:24 MSK 2015
> >     root@t4.local.:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > real mem = 8262713344 (7879MB)
> > avail mem = 8033972224 (7661MB)
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root
> > bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdcd21000 (62 entries)
> > bios0: vendor LENOVO version "GJET61WW (2.11 )" date 10/02/2013
> > bios0: LENOVO 20AQ004TRT
> > acpi0 at bios0: rev 2
> > acpi0: sleep states S0 S3 S4 S5
> > acpi0: tables DSDT FACP SLIC DBGP ECDT HPET APIC MCFG SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT PCCT SSDT TCPA UEFI MSDM ASF! BATB FPDT UEFI SSDT DMAR
> > acpi0: wakeup devices LID_(S4) IGBE(S4) EXP2(S4) XHCI(S3) EHC1(S3) HDEF(S4)
> > acpitimer0 at acpi0: 3579545 Hz, 24 bits
> > acpiec0 at acpi0
> > acpihpet0 at acpi0: 14318179 Hz
> > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> > cpu0 at mainbus0: apid 0 (boot processor)
> > cpu0: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.65 MHz
> > cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
> > cpu0: 256KB 64b/line 8-way L2 cache
> > cpu0: smt 0, core 0, package 0
> > mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> > cpu0: apic clock running at 99MHz
> > cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
> > cpu1 at mainbus0: apid 1 (application processor)
> > cpu1: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz
> > cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
> > cpu1: 256KB 64b/line 8-way L2 cache
> > cpu1: smt 1, core 0, package 0
> > cpu2 at mainbus0: apid 2 (application processor)
> > cpu2: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz
> > cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
> > cpu2: 256KB 64b/line 8-way L2 cache
> > cpu2: smt 0, core 1, package 0
> > cpu3 at mainbus0: apid 3 (application processor)
> > cpu3: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz
> > cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE
Re: integrity of commercial CD set
On 14/01/2015 17:03, mar...@martinbrandenburg.com wrote:
> [...] you trust Theo and OpenBSD because you have no better option.
> Don't pretend you increase your security by proving the software came
> from a source you can't prove is trustworthy. [...]

More than Theo himself, what makes me trust OpenBSD is its stable, clean,
open and essential code reviewed by a very skilled community. That's why I
go the extra mile(s) to ensure running *that* code.

> Security is about pushing attacks out of your attackers' ability or
> price range. [...] Are you willing to go to the effort that defending
> against your outlined attack requires?

Being my current line of work, yes. Not that I or my clients have anything
malicious to hide, but some government agencies and vendors seem to have
lost touch with reality and/or ethics.

The discussion went off topic. I was just after signed CD checksums, to
raise the security of my physical delivery on par with that of the source
code. Never mind: I will make do with downloading an ISO, while the kid
within me enjoys the boxed CD set (which, save missing CD checksums for
paranoid security people, is very nice indeed).

Many thanks to Theo and the others for your advice and opinions.

Regards
--
Enos D'Andrea
Re: Symon on 5.6
On 1/14/2015 9:47 AM, Predrag Punosevac wrote:
>> and I ran the chroot enable script from rrdtool.
>
> As documented in the rrdtool pkg-readme, you must do:
> /usr/local/share/examples/rrdtool/rrdtool-chroot enable
>
> You should look under /usr/local/share/doc/pkg-readmes/, it comes with a
> *lot* of OpenBSD specific information..

Thanks. I did run rrd-chroot enable, and changed rrdtool_path in setup.inc
to /usr/local/bin/rrdtool (which is where rrdtool-chroot copies it in the
chroot). Even with that, nothing worked until I coincidentally copied
/bin/sh to the chroot.

Maybe $this->exec($cmdline) in php (class_rrdtool.inc line 103) requires sh?
But that wouldn't explain if it works for everyone else.
Re: What exactly is sigtramp?
See page 159 of the recent second edition of McKusick's book on the BSD
kernel. It's FreeBSD centric, but it's the same concepts.

On Jan 14, 2015 6:31 PM, "Theo de Raadt" wrote:
> > at [1], I read something about 'Sigtramp separation' within
> > the W^X transition. I only know that this sigtramp-page (?) is
> > used to jump back into the kernel when a signal arrives.
> >
> > My question is, what exactly is this signal trampoline?
>
> That is not what the slides say.
>
> > Why do I need it?
>
> To return from a signal handler.
>
> > Why was it on the Stack (first page of the virtual memory)?
>
> Because it was.
>
> > And why must it be executable / what does the code?
>
> Because it is code.
>
> > Thank you for your help.
>
> You've got access to all this source code. It is documented.
> And there are books. There are search engines which can answer
> this.
>
> But the modern way is to ask large mailing lists?
>
> If you can't study the world around you, you will remain ignorant.
Re: What exactly is sigtramp?
> at [1], I read something about 'Sigtramp separation' within
> the W^X transition. I only know that this sigtramp-page (?) is
> used to jump back into the kernel when a signal arrives.
>
> My question is, what exactly is this signal trampoline?

That is not what the slides say.

> Why do I need it?

To return from a signal handler.

> Why was it on the Stack (first page of the virtual memory)?

Because it was.

> And why must it be executable / what does the code?

Because it is code.

> Thank you for your help.

You've got access to all this source code. It is documented.
And there are books. There are search engines which can answer
this.

But the modern way is to ask large mailing lists?

If you can't study the world around you, you will remain ignorant.
Re: What exactly is sigtramp?
On Wed, Jan 14, 2015 at 3:10 PM, Stefan Berger wrote:
> at [1], I read something about 'Sigtramp separation' within
> the W^X transition. I only know that this sigtramp-page (?) is
> used to jump back into the kernel when a signal arrives.
>
> My question is, what exactly is this signal trampoline?

https://groups.google.com/d/msg/comp.unix.internals/10d55NxFs7E/MK0lmjLEdh8J
What exactly is sigtramp?
hello,

at [1], I read something about 'Sigtramp separation' within the W^X
transition. I only know that this sigtramp-page (?) is used to jump back
into the kernel when a signal arrives.

My question is, what exactly is this signal trampoline? Why do I need it?
Why was it on the Stack (first page of the virtual memory)? And why must
it be executable / what does the code?

Thank you for your help.

[1] http://www.openbsd.org/papers/ru13-deraadt/mgp00012.html
Re: Alix3d2 + AR9280 wireless access point performance
On Wed, Jan 14, 2015 at 08:24:02PM +, Christian Weisgerber wrote:
> On 2015-01-14, Stefan Sperling wrote:
>
> > 15Mbit/s sounds as if it maxes out at 18Mbit/s (the highest QPSK rate)
> > and never switches to OFDM rates (24 - 54 Mbit/s).
>
> IEEE 802.11 still uses a shared medium and CSMA/CA, right? (Wikipedia
> says so.) So the transfer between two nodes is effectively
> half-duplex. The overhead from switching the transmission direction
> back and forth will alone reduce your throughput substantially.
> Leaving TCP ACKs aside, the 802.11 layer 2 protocol also acks data
> frames, so even strictly unidirectional data transfers on a higher
> layer will suffer from underlying carrier turnaround.

That's right. Also, labels like "54Mbit/s" apply to the transmission rate
of the data part of a frame. There is still a preamble and header which
is always transmitted at 1Mbit/s for legacy compat. Not all bits fly at
the same speed in wifi.
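The two points made above (per-frame costs that do not shrink when the rate label goes up, plus a link-layer ACK for every data frame) can be put in numbers with a simplified airtime model. This is an added example, not code from the thread; the PHY timing constants are the standard 802.11g (ERP-OFDM, short slot) and 802.11b (DSSS, long preamble) values, while the traffic assumptions (one station, no collisions, no RTS/CTS, no TCP ACKs flowing back, 1500-byte payloads) are simplifications stated in the comments, so the result is an upper bound.

```python
"""Simplified 802.11 airtime model (added example, not from the thread).

Each data frame costs, on the air:
    DIFS + mean backoff + PLCP preamble/header + data symbols
    + SIFS + PLCP preamble/header + ACK
Only the "data symbols" term shrinks when the rate label goes up; the
rest is fixed overhead, and the ACK is sent at a low control rate.
Assumptions: one station, no collisions, no RTS/CTS, no reverse traffic.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Phy:
    name: str
    slot_us: float
    sifs_us: float
    plcp_us: float        # preamble + PLCP header, sent at the lowest rate
    cw_min: int           # minimum contention window, in slots
    ack_rate_mbps: float  # rate used for the 14-byte ACK frame
    ofdm: bool            # OFDM pads to 4 us symbols and adds service/tail bits
    signal_ext_us: float  # 802.11g appends a 6 us signal extension to OFDM frames

    @property
    def difs_us(self) -> float:
        return self.sifs_us + 2 * self.slot_us


OFDM_11G = Phy("11g OFDM", slot_us=9, sifs_us=10, plcp_us=20, cw_min=15,
               ack_rate_mbps=24.0, ofdm=True, signal_ext_us=6)
# 11b: 144 us long preamble + 48 us PLCP header, both at 1 Mbit/s = 192 us,
# which is the "preamble and header at 1Mbit/s" cost mentioned in the thread.
DSSS_11B = Phy("11b DSSS", slot_us=20, sifs_us=10, plcp_us=192, cw_min=31,
               ack_rate_mbps=1.0, ofdm=False, signal_ext_us=0)

MAC_OVERHEAD_BYTES = 24 + 4 + 8   # MAC header + FCS + LLC/SNAP
ACK_BYTES = 14


def tx_time_us(nbytes: int, rate_mbps: float, phy: Phy) -> float:
    """Airtime of one frame of nbytes at rate_mbps, including preamble/header."""
    if phy.ofdm:
        bits = 16 + 8 * nbytes + 6                 # service bits + payload + tail bits
        bits_per_symbol = rate_mbps * 4            # one OFDM symbol every 4 us
        return phy.plcp_us + 4 * math.ceil(bits / bits_per_symbol) + phy.signal_ext_us
    return phy.plcp_us + 8 * nbytes / rate_mbps    # DSSS/CCK: no symbol padding


def frame_exchange_us(msdu_bytes: int, rate_mbps: float, phy: Phy) -> float:
    """Medium time for one data frame and its ACK, including contention."""
    mean_backoff = (phy.cw_min / 2) * phy.slot_us  # uniform over [0, CWmin]
    data = tx_time_us(msdu_bytes + MAC_OVERHEAD_BYTES, rate_mbps, phy)
    ack = tx_time_us(ACK_BYTES, phy.ack_rate_mbps, phy)
    return phy.difs_us + mean_backoff + data + phy.sifs_us + ack


def max_goodput_mbps(msdu_bytes: int, rate_mbps: float, phy: Phy) -> float:
    """Upper bound on payload throughput for back-to-back frames."""
    return 8 * msdu_bytes / frame_exchange_us(msdu_bytes, rate_mbps, phy)


def overhead_fraction(msdu_bytes: int, rate_mbps: float, phy: Phy) -> float:
    """Share of each exchange that is not data bits at the labelled rate."""
    total = frame_exchange_us(msdu_bytes, rate_mbps, phy)
    data_only = 8 * (msdu_bytes + MAC_OVERHEAD_BYTES) / rate_mbps
    return 1 - data_only / total


if __name__ == "__main__":
    for rate, phy in ((54, OFDM_11G), (36, OFDM_11G), (18, OFDM_11G), (11, DSSS_11B)):
        print(f"{phy.name:9s} {rate:2d} Mbit/s label -> "
              f"{max_goodput_mbps(1500, rate, phy):5.1f} Mbit/s goodput, "
              f"{overhead_fraction(1500, rate, phy):.0%} overhead")
```

For a 1500-byte payload the model gives roughly 30 Mbit/s at the 54 Mbit/s label, 14 Mbit/s at 18 Mbit/s and 6 Mbit/s for 11 Mbit/s 802.11b. The ~15 Mbit/s iperf figure in the thread therefore fits the guess that the AP is stuck at 18 Mbit/s; a link that really ran at 54 Mbit/s would show about twice that even before TCP ACKs on the reverse path eat their share of the medium.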
Re: Alix3d2 + AR9280 wireless access point performance
2015-01-14 17:41 GMT+01:00 Stefan Sperling
> OpenBSD's implementation of rate adaptation is basic. It's possible
> that you'll see the AP sending data frames at less than 54Mbit/s under
> normal conditions. You'll probably see better results with other OSs
> since they have better tuned wifi stacks. It's an interesting problem
> to look into but nobody is doing that right now.

Looks like I should start studying sources :-) I'll try to stick to
OpenBSD, since I like how well it is documented and the ease of setting
it up.

> Try this on your AP:
>
> # tcpdump -n -i athn0 -y IEEE802_11_RADIO -vvv | grep data
>
> This shows a broadcast frame sent at 1 Mbit/s (which is normal for broadcast
> since even old devices that only support 1 and 2 Mbit/s need to receive it):
>
> 17:19:44.890129 802.11 flags=42: data: 00:00:5e:00:01:01 sap 36 > 01:00:5e:00:00:12 sap 37 I (s=64,r=48,R) len=80, 1, 11g>
>
> This shows a ping sent at 1 Mbit/s and the reply received at 2 Mbit/s:
>
> 2:18.085924 802.11 flags=42: data: fe:e1:ba:d0:6a:df sap 00 > 00:13:02:03:a5:e7 sap 12 I (s=0,r=16,C) len=104, 1, 11g>
> 17:22:18.091566 802.11 flags=41: data: 00:13:02:03:a5:e7 sap 00 > fe:e1:ba:d0:6a:df sap 17 I (s=0,r=16,C) len=108, 502527151889, SHORTPRE, 2Mbit/s, chan 1, 11g, sig 43dBm, antenna 1>
>
> During bulk data transfer I see rates of up to 18Mbit/s being used.
> Do you see any higher rates than that, and if so, over long intervals
> of time or just occasionally?

I saw mostly 18Mbit/s during bulk data transfer. There were some 24Mbit
and 36Mbit lines, but only occasionally. Need to find out what I'm
looking at, to understand it.

Since you have similar hardware, it looks like I've reached the device's
speed limit on current OpenBSD. Hope there will be 11n soon, AR9280
supports it.
Re: Alix3d2 + AR9280 wireless access point performance
On 2015-01-14, Stefan Sperling wrote:

> 15Mbit/s sounds as if it maxes out at 18Mbit/s (the highest QPSK rate)
> and never switches to OFDM rates (24 - 54 Mbit/s).

IEEE 802.11 still uses a shared medium and CSMA/CA, right? (Wikipedia
says so.) So the transfer between two nodes is effectively
half-duplex. The overhead from switching the transmission direction
back and forth will alone reduce your throughput substantially.
Leaving TCP ACKs aside, the 802.11 layer 2 protocol also acks data
frames, so even strictly unidirectional data transfers on a higher
layer will suffer from underlying carrier turnaround.

--
Christian "naddy" Weisgerber na...@mips.inka.de
Re: usb ehci errors in 5.6-stable
On 01/14/15 13:13, Evgeny Zhavoronkov wrote:
>> On 01/14/15 12:37, Evgeny Zhavoronkov wrote:
>>> Hi, All!
>>>
>>> I get these errors when actively using usb wifi adapter
>>> Jan 14 16:08:57 t4 /bsd: 0x4f4e5155
>>> Jan 14 16:08:57 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155
>>> Jan 14 16:08:57 t4 last message repeated 1006 times
>>> Jan 14 16:08:57 t4 /bsd: athn0: could not wakeup chip
>>> Jan 14 16:09:22 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done!
>>> Jan 14 16:10:40 t4 /bsd: 0x4f4e5155
>>> Jan 14 16:10:40 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155
>>> Jan 14 16:10:40 t4 last message repeated 1006 times
>>> Jan 14 16:10:40 t4 /bsd: athn0: could not wakeup chip
>>> Jan 14 16:11:04 t4 /bsd: 0x4f4e5155
>>> Jan 14 16:11:04 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155
>>> Jan 14 16:11:04 t4 last message repeated 1006 times
>>> Jan 14 16:11:04 t4 /bsd: athn0: could not wakeup chip
>>> Jan 14 16:12:20 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done!
>>> Jan 14 16:12:28 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done!
>>> Jan 14 16:15:12 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done!
>>> Jan 14 16:24:21 t4 last message repeated 7 times
>>> Jan 14 16:32:25 t4 last message repeated 4 times
>>>
>>> it erased my dmesg, so I can't provide it.
>>>
>>> [demime 1.01d removed an attachment of type application/pgp-signature]
>>>
>>
>> look in: /var/run/dmesg.boot
>> Fred
>
> Thanks, here it is:
>
> OpenBSD 5.6-stable (GENERIC.MP) #0: Sun Jan 11 20:07:24 MSK 2015
>     root@t4.local.:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8262713344 (7879MB)
> avail mem = 8033972224 (7661MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdcd21000 (62 entries)
> bios0: vendor LENOVO version "GJET61WW (2.11 )" date 10/02/2013
> bios0: LENOVO 20AQ004TRT
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP SLIC DBGP ECDT HPET APIC MCFG SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT PCCT SSDT TCPA UEFI MSDM ASF! BATB FPDT UEFI SSDT DMAR
> acpi0: wakeup devices LID_(S4) IGBE(S4) EXP2(S4) XHCI(S3) EHC1(S3) HDEF(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpiec0 at acpi0
> acpihpet0 at acpi0: 14318179 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.65 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 1, core 0, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz
> cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 1, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz
> cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 1, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
> acpimcfg0 at acpi0 addr 0xf800, bus 0-63
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (PEG_)
> acpiprt2 at acpi0: bus 2 (EXP1)
> acpiprt3 at acpi0: bu
Re: integrity of commercial CD set
> I bought a can of this paint from a hardware store up in Lake Louise last
> week.

We already knew that.
Re: integrity of commercial CD set
I bought a can of this paint from a hardware store up in Lake Louise last
week.

On Wed, 14 Jan 2015, Theo de Raadt wrote:
> > > On 2015-01-14, mar...@martinbrandenburg.com wrote:
> > > >> "Buying a CD" in my case includes a 5.000 mile trip through multiple
> > > >> "five-eyes" nations, whose overzealous three letter agencies officially
> > > >> intercept physical shipments to install backdoors and hardware implants.
> > > >
> > > > Where have you heard that?
> > >
> > > Part of the Snowden revelations. Have you been living under a rock
> > > for the past 18 months?
> > >
> > > --
> > > Christian "naddy" Weisgerber na...@mips.inka.de
> >
> > They are not regularly intercepting CD shipments and replacing the CDs.
> > It would not be unusual for an intelligence agency to attempt to intercept
> > particular mails for particular people, but they can't do it at scale
> > secretly.
>
> Finding them inside the global shipping system is easier than you think,
> because the CDs labels are printed using the radioactive paint they gave us.
Re: ARM Firewall Hardware
On Wed, Jan 14, 2015 at 3:39 PM, Jonathan Gray wrote:
> I've updated the kernel at
> http://jsg.id.au/openbsd/bsd.IMX.umg

And we have lift-off!

## Booting kernel from Legacy Image at 1080 ...
   Image Name:   boot
   Created:      2015-01-14  14:13:27 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    3772972 Bytes = 3.6 MiB
   Load Address: 1080
   Entry Point:  1080
   Verifying Checksum ... OK
   Loading Kernel Image ... OK

Starting kernel ...

OpenBSD/imx booting ...
arg0 0x0 arg1 0x10b1 arg2 0x1100
atag core flags 0 pagesize 0 rootdev 0
atag serial 0x:
atag cmdline [sd0a]
atag revision 0064
atag mem start 0x1000 size 0x4000
atag mem start 0x8000 size 0x4000
bootfile: sd0a
bootargs:
Allocating page tables
freestart = 0x10b9a000, free_pages = 259174 (0x0003f466)
IRQ stack: p0x10bc8000 v0xc0bc8000
ABT stack: p0x10bc9000 v0xc0bc9000
UND stack: p0x10bca000 v0xc0bca000
SVC stack: p0x10bcb000 v0xc0bcb000
Creating L1 page table at 0x10b9c000
Mapping kernel
Constructing L2 page tables
undefined page pmap
[ using 302096 bytes of bsd ELF symbol table ]
board type: Utilite
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2015 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.7-beta (GENERIC-IMX) #4: Thu Jan 15 01:09:46 AEDT 2015
    j...@armv7.jsg.id.au:/sys/arch/armv7/compile/GENERIC-IMX
real mem = 2147483648 (2048MB)
avail mem = 2091868160 (1994MB)
warning: no entropy supplied by boot loader
mainbus0 at root
cortex0 at mainbus0
ampintc0 at cortex0 nirq 160
amptimer0 at cortex0: tick rate 396000 KHz
armliicc0 at cortex0: rtl 7 waymask: 0x000f
cpu0 at mainbus0: ARM Cortex A9 R2 rev 10 (ARMv7 core)
cpu0: DC enabled IC enabled WB disabled EABT branch prediction enabled
cpu0: 32KB(32b/l,4way) I-cache, 32KB(32b/l,4way) wr-back D-cache
imx0 at mainbus0: i.MX6 Utilite
imxocotp0 at imx0
imxccm0 at imx0: imx6 rev 1.2 CPU freq: 792 MHz
imxiomuxc0 at imx0
imxdog0 at imx0
imxuart0 at imx0 console
imxgpio0 at imx0
imxgpio1 at imx0
imxgpio2 at imx0
imxgpio3 at imx0
imxgpio4 at imx0
imxgpio5 at imx0
imxgpio6 at imx0
imxiic0 at imx0
iic0 at imxiic0
imxesdhc0 at imx0
sdmmc0 at imxesdhc0
ehci0 at imx0
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "i.MX6 EHCI root hub" rev 2.00/1.00 addr 1
imxenet0 at imx0
imxenet0: address 00:00:00:00:00:00
atphy0 at imxenet0 phy 0: F1 10/100/1000 PHY, rev. 4
ahci0 at imx0 AHCI 1.3
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed naa.5001b449fca55860
sd0: 30533MB, 512 bytes/sector, 62533296 sectors, thin
sdmmc0: can't enable card
uhub1 at uhub0 port 1 "Standard Microsystems product 0x2514" rev 2.00/b.b3 addr 2
uhidev0 at uhub1 port 4 configuration 1 interface 0 "KB USB Keyboard" rev 1.10/1.01 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0
uhidev1 at uhub1 port 4 configuration 1 interface 1 "KB USB Keyboard" rev 1.10/1.01 addr 3
uhidev1: iclass 3/1, 2 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
boot device: sd0
root on sd0a (62c54f8337f6f4b8.a) swap on sd0b dump on sd0b
WARNING: CHECK AND RESET THE DATE!
exec /sbin/init: error 8
init: not found
panic: no init
Stopped at      Debugger+0x4:   ldrb    r15, [r15, r15, ror r15]!
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb>
Re: integrity of commercial CD set
Theo de Raadt wrote:
> Finding them inside the global shipping system is easier than you think

One of the joys of growing old is watching the really bad sci fi you read
as a youth all come true :)

--
Jack Woehr                 # "There's too much emphasis on things
Box 51, Golden CO 80402    # like pawn structure in modern chess.
http://www.softwoehr.com   # Checkmate ends the game." - N. Short
Re: integrity of commercial CD set
> > On 2015-01-14, mar...@martinbrandenburg.com wrote:
> > >> "Buying a CD" in my case includes a 5.000 mile trip through multiple
> > >> "five-eyes" nations, whose overzealous three letter agencies officially
> > >> intercept physical shipments to install backdoors and hardware implants.
> > >
> > > Where have you heard that?
> >
> > Part of the Snowden revelations. Have you been living under a rock
> > for the past 18 months?
> >
> > --
> > Christian "naddy" Weisgerber na...@mips.inka.de
>
> They are not regularly intercepting CD shipments and replacing the CDs.
> It would not be unusual for an intelligence agency to attempt to intercept
> particular mails for particular people, but they can't do it at scale
> secretly.

Finding them inside the global shipping system is easier than you think,
because the CDs labels are printed using the radioactive paint they gave us.
Re: Alix3d2 + AR9280 wireless access point performance
On 2015-01-14, Ján Kušniar wrote:

> Even though it's running 54Mbit 802.11g, I can't get over ~15Mbit/s.

Uh, what figures do you expect? Those "54 Mbit/s" are raw modem speed.
You'll never get throughput anywhere close to that.

I get ~20 Mbit/s between my OpenBSD laptop with iwn(4) and a D-Link
DAP-2310 access point; ifconfig shows "ODFM54 mode 11g", i.e., top
wireless speed.

--
Christian "naddy" Weisgerber na...@mips.inka.de
Re: Alix3d2 + AR9280 wireless access point performance
On Wed, Jan 14, 2015 at 04:40:00PM +0100, Ján Kušniar wrote:
> Hello,
>
> I've set up a small wifi AP using alix 3d2 computer board and Mikrotik
> R52nM mini PCI wireless adapter. Works great except for wireless
> throughput. It's running 5.6 stable, usual AP setup (wifi adapter in
> hostap mode, dhcpd, nat in pf). No sysctls or anything not mentioned in
> FAQ was modified.
>
> Adapter is:
> athn0 at pci0 dev 12 function 0 "Atheros AR9280" rev 0x01: irq 9
> athn0: AR9280 rev 2 (2T2R), ROM rev 21, address 4c:5e:0c:11:c3:5f
>
> AP configuration:
> # ifconfig athn0
> athn0: flags=28843 mtu 1500
>         lladdr 4c:5e:0c:11:c3:5f
>         priority: 4
>         groups: wlan
>         media: IEEE802.11 autoselect mode 11g hostap
>         status: active
>         ieee80211: nwid kusniarovci chan 11 bssid 4c:5e:0c:11:c3:5f
>         wpakey XXX wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp
>         wpagroupcipher tkip
>         inet 192.168.188.1 netmask 0xff00 broadcast 192.168.188.255
>
> # cat /etc/hostname.athn0
> up media autoselect mediaopt hostap mode 11g chan 11 nwid kusniarovci \
> wpakey
> inet 192.168.188.1 255.255.255.0
>
> Even though it's running 54Mbit 802.11g, I can't get over ~15Mbit/s. I'm
> testing from Linux laptop with intel centrino wireless adapter (11abgn).
> Tests are performed using iperf:
>
> linux_client$ iperf -c 192.168.188.1 -i 1 -t 60
> ap# iperf -s
> Server listening on TCP port 5001
> TCP window size: 16.0 KByte (default)
> [  4] local 192.168.188.1 port 5001 connected with 192.168.188.32 port 48367
> [ ID] Interval       Transfer     Bandwidth
> [  4]  0.0-60.2 sec   111 MBytes  15.5 Mbits/sec
>
> pf disabled during tests. Are there any pointers to tune wireless
> subsystem to better performance? Did I reach hardware limits? Is it
> athn driver issue? During network load there seems to be a lot of
> interrupts on athn reported by systat vmstat. There is also 100Mbit
> ethernet adapter on alix board (vr0). It performs really well
> (~95Mbit/s according to iperf).
>
> Thanks for any pointers

OpenBSD's implementation of rate adaptation is basic. It's possible
that you'll see the AP sending data frames at less than 54Mbit/s under
normal conditions. You'll probably see better results with other OSs
since they have better tuned wifi stacks. It's an interesting problem
to look into but nobody is doing that right now.

But who knows, there could also be a driver bug that prevents higher
rates from being used. 15Mbit/s sounds as if it maxes out at 18Mbit/s
(the highest QPSK rate) and never switches to OFDM rates (24 - 54 Mbit/s).

Try this on your AP:

# tcpdump -n -i athn0 -y IEEE802_11_RADIO -vvv | grep data

This shows a broadcast frame sent at 1 Mbit/s (which is normal for broadcast
since even old devices that only support 1 and 2 Mbit/s need to receive it):

17:19:44.890129 802.11 flags=42: data: 00:00:5e:00:01:01 sap 36 > 01:00:5e:00:00:12 sap 37 I (s=64,r=48,R) len=80,

This shows a ping sent at 1 Mbit/s and the reply received at 2 Mbit/s:

2:18.085924 802.11 flags=42: data: fe:e1:ba:d0:6a:df sap 00 > 00:13:02:03:a5:e7 sap 12 I (s=0,r=16,C) len=104,
17:22:18.091566 802.11 flags=41: data: 00:13:02:03:a5:e7 sap 00 > fe:e1:ba:d0:6a:df sap 17 I (s=0,r=16,C) len=108,

During bulk data transfer I see rates of up to 18Mbit/s being used.
Do you see any higher rates than that, and if so, over long intervals
of time or just occasionally?

This access point pretty much matches your setup.

athn0 at pci0 dev 17 function 0 "Atheros AR9280" rev 0x01: irq 15
athn0: AR9280 rev 2 (2T2R), ROM rev 16, address 00:0e:8e:24:52:7d

$ ifconfig athn0
athn0: flags=28943 mtu 1500
        lladdr 00:0e:8e:24:52:7d
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (autoselect mode 11g hostap)
        status: active
        ieee80211: nwid stsp.name chan 1 bssid 00:0e:8e:24:52:7d
        wpakey wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp
        wpagroupcipher tkip
Re: integrity of commercial CD set
Christian Weisgerber wrote:
> On 2015-01-14, mar...@martinbrandenburg.com wrote:
>
> >> "Buying a CD" in my case includes a 5.000 mile trip through multiple
> >> "five-eyes" nations, whose overzealous three letter agencies officially
> >> intercept physical shipments to install backdoors and hardware implants.
> >
> > Where have you heard that?
>
> Part of the Snowden revelations. Have you been living under a rock
> for the past 18 months?
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de

They are not regularly intercepting CD shipments and replacing the CDs.
It would not be unusual for an intelligence agency to attempt to intercept
particular mails for particular people, but they can't do it at scale
secretly.

--
Martin
Re: integrity of commercial CD set
On 2015-01-14, mar...@martinbrandenburg.com wrote:

>> "Buying a CD" in my case includes a 5.000 mile trip through multiple
>> "five-eyes" nations, whose overzealous three letter agencies officially
>> intercept physical shipments to install backdoors and hardware implants.
>
> Where have you heard that?

Part of the Snowden revelations. Have you been living under a rock
for the past 18 months?

--
Christian "naddy" Weisgerber na...@mips.inka.de
Re: integrity of commercial CD set
On Wed, Jan 14, 2015 at 02:32:07PM +0100, Enos D'Andrea wrote:
> "Buying a CD" in my case includes a 5.000 mile trip through multiple
> "five-eyes" nations, whose overzealous three letter agencies officially
> intercept physical shipments to install backdoors and hardware implants.
^
> "Cross-checking" of OpenBSD commercial CD sets at present can only be
> partial, as no official full checksums seem to be provided. Even
> cross-checking *all* files referenced by the ISO filesystem would still
> allow a malicious boot sector to directly reference unallocated space.

No need to worry. They won't need to mess with the CDs since your
hardware is already bugged ;)

> Let's call a spade a spade: the worst-case scenario is an APT
> intercepting the shipment of a commercial CD set, substitute one or more
> CDs and repackage it. Extremely unlikely for the average person,
> not-so-much for IT security consultants with important clients.

I understand where you're coming from, but what you're getting at is
out of scope of this project. Questions which tickle someone into
writing code to fix a problem are always well received. But if your
problem is targeted surveillance, then sorry, we simply can't fix that
any better than anyone else can, and we certainly can't fix it by
adding more code to the CD verification process. Your scenario presents
a political problem, not a technical one.

If you believe that targeted surveillance won't work on you if you run
a "verified" install of OpenBSD, you're fooling yourself.
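The objection quoted above (a file-by-file cross-check leaves the boot sector and unallocated sectors unexamined) can be shown on a constructed image. This is an added example, not code from the thread or from the OpenBSD project; the sector layout, file names and file contents are made up, and the toy layout stands in for an ISO rather than parsing ISO 9660.

```python
"""Whole-image vs. file-by-file verification of an install medium.

Added example, not from the thread. A constructed toy image (512-byte
sectors, a 16-sector system area holding the boot sector, then files laid
out back to back) stands in for an ISO; it is not an ISO 9660 parser.
A checker that hashes only the files the directory references never reads
the boot sector or the free sectors, so a change there passes unnoticed;
a hash over every byte of the image catches it.
"""
import hashlib

SECTOR = 512
SYSTEM_AREA_SECTORS = 16   # sector 0 holds the boot sector in this toy layout


def build_image(files, total_sectors):
    """Return (image, directory); directory maps name -> (offset, length)."""
    image = bytearray(total_sectors * SECTOR)
    directory = {}
    sector = SYSTEM_AREA_SECTORS
    for name, data in files:
        offset = sector * SECTOR
        image[offset:offset + len(data)] = data
        directory[name] = (offset, len(data))
        sector += -(-len(data) // SECTOR)        # ceil(len / SECTOR)
    return bytes(image), directory


def file_digests(image, directory):
    """Per-file SHA-256 over exactly the extents the directory references."""
    return {name: hashlib.sha256(image[off:off + ln]).hexdigest()
            for name, (off, ln) in directory.items()}


def image_digest(image):
    """SHA-256 over the whole image, boot sector and free space included."""
    return hashlib.sha256(image).hexdigest()


def verify_files(image, directory, expected):
    return file_digests(image, directory) == expected


def verify_image(image, expected):
    return image_digest(image) == expected


def tamper_outside_files(image, directory):
    """Copy of image with the boot sector and one unallocated sector changed.
    Every directory-referenced extent is left byte-for-byte intact."""
    img = bytearray(image)
    img[0:16] = b"MODIFIED-BOOTSEC"                       # inside the system area
    last_end = max(off + ln for off, ln in directory.values())
    free = (-(-last_end // SECTOR) + 1) * SECTOR          # a sector past the last file
    img[free:free + 8] = b"FREESPC!"
    return bytes(img)


def demo():
    # Constructed contents; the names only echo what an install set carries.
    files = [("bsd.rd", b"\x7fELF" + b"k" * 3000),
             ("SHA256", b"SHA256 (bsd.rd) = constructed-value\n")]
    image, directory = build_image(files, total_sectors=64)
    expected_files = file_digests(image, directory)
    expected_image = image_digest(image)
    tampered = tamper_outside_files(image, directory)
    return {
        "clean_image_ok": verify_image(image, expected_image),
        "tampered_files_ok": verify_files(tampered, directory, expected_files),
        "tampered_image_ok": verify_image(tampered, expected_image),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The whole-image digest is what a signed checksum line over the ISO file gives you, which is what the request for signed CD checksums in this thread amounts to; a per-file list, however carefully signed, verifies only what the filesystem points at.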
Re: integrity of commercial CD set
"Enos D'Andrea" wrote: > On 14/01/2015 12:24, Stefan Sperling wrote: > > > Bootstrapping trust is always going to be hard no matter what we do > > and how hard we try. [...] Now the answer has become "buy a CD > > and cross-check it with signify" and it's still not enough. [...] > > > > "Buying a CD" in my case includes a 5.000 mile trip through multiple > "five-eyes" nations, whose overzealous three letter agencies officially > intercept physical shipments to install backdoors and hardware implants. > > "Cross-checking" of OpenBSD commercial CD sets at present can only be > partial, as no official full checksums seem to be provided. Even > cross-checking *all* files referenced by the ISO filesystem would still > allow a malicious boot sector to directly reference unallocated space. > > Let's call a spade a spade: the worst-case scenario is an APT > intercepting the shipment of a commercial CD set, substitute one or more > CDs and repackage it. Extremely unlikely for the average person, > not-so-much for IT security consultants with important clients. > > > > > Regards > > -- > Enos D'Andrea Where have you heard that? Intercepting physical mail secretly is really hard, especially if you don't want the post office to know about it. Think of everyone who would need to know. Anyone who doesn't know would be trying to get the package correctly delivered. Best case you plant somebody (multiple people; imagine if your plant was assigned to something else on the critical day) in the destination post office. It's extremely unlikely for anyone. Travel to Canada and receive it there. Oh wait, Canada is really friendly with all the governments you're scared of. Hopefully you don't live in one of these nations. Why are you not scared of your own government? They pose the greatest threat to your liberty. And since this software is developed out of Canada, how do you know it can be trusted to begin with? Why do you trust Theo exactly? 
He seems like a nice guy, and he's done a very good job with OpenBSD, but you don't know him. If he were a secret agent, that would be exactly what he'd want you to think. No, you trust Theo and OpenBSD because you have no better option. Don't pretend you increase your security by proving the software came from a source you can't prove is trustworthy. You'd do better to audit the source. Security is about pushing attacks out of your attackers' ability or price range. If your attackers' ability and price range is greater than what you're willing to expend on security, you're compromised. Are you willing to go to the effort that defending against your outlined attack requires? Probably not. Unless you're very very important, you eliminate the possibility of distribution attack by getting signify keys of CDs. -- Martin
Alix3d2 + AR9280 wireless access point performance
Hello, I've set up a small wifi AP using alix 3d2 computer board and Mikrotik R52nM mini PCI wireless adapter. Works great except for wireless throughput. It's running 5.6 stable, usual AP setup (wifi adapter in hostap mode, dhcpd, nat in pf). No sysctls or anything not mentioned in FAQ was modified.

Adapter is:
athn0 at pci0 dev 12 function 0 "Atheros AR9280" rev 0x01: irq 9
athn0: AR9280 rev 2 (2T2R), ROM rev 21, address 4c:5e:0c:11:c3:5f

AP configuration:
# ifconfig athn0
athn0: flags=28843 mtu 1500
lladdr 4c:5e:0c:11:c3:5f
priority: 4
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: active
ieee80211: nwid kusniarovci chan 11 bssid 4c:5e:0c:11:c3:5f wpakey XXX wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
inet 192.168.188.1 netmask 0xffffff00 broadcast 192.168.188.255
# cat /etc/hostname.athn0
up media autoselect mediaopt hostap mode 11g chan 11 nwid kusniarovci \ wpakey
inet 192.168.188.1 255.255.255.0

Even though it's running 54Mbit 802.11g, I can't get over ~15Mbit/s. I'm testing from Linux laptop with intel centrino wireless adapter (11abgn). Tests are performed using iperf:
linux_client$ iperf -c 192.168.188.1 -i 1 -t 60
ap# iperf -s
Server listening on TCP port 5001
TCP window size: 16.0 KByte (default)
[ 4] local 192.168.188.1 port 5001 connected with 192.168.188.32 port 48367
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-60.2 sec 111 MBytes 15.5 Mbits/sec

pf disabled during tests. Are there any pointers to tune wireless subsystem to better performance? Did I reach hardware limits? Is it athn driver issue? During network load there seems to be a lot of interrupts on athn reported by systat vmstat. There is also 100Mbit ethernet adapter on alix board (vr0). It performs really well (~95Mbit/s according to iperf). Thanks for any pointers
Re: integrity of commercial CD set
> >> Please how is one supposed to verify the integrity of an official > >> OpenBSD 5.6 commercial CD set, bought on the OpenBSD store and > >> received by physical mail? [...] > > > > Each directory on the CD is signed using signify and the 5.6 keys > > listed at http://www.openbsd.org/56.html [...] > > > Thanks, but I was hoping for a method that would also verify the CD boot > process, and that would not require downloading and installing a second > image or trusting the CD to verify itself. Don't see a nice way of doing what you want. > On a side note, CD #2 (amd64, powerpc, song) includes more than 15Mb of > space not directly allocated in files (excluding the audio track): The ISO format that allows an audio track after a data track unfortunately requires a pretty significant gap, and a pad after the audio. I've lost hair over this. Really wish I had access to a CD expert who could help me improve this. So you've hashed the whole CDs. There are very few people who will do this as a verification method, so few that it feels unreasonable.
Re: Symon on 5.6
Steve Shockley wrote: > I've installed Symon/Symux/Syweb on a 5.6 machine for testing. > Symon+Symux are up and running. I installed apache-httpd-openbsd (at > least until I'm familiar with httpd), set up the virtual host, and I ran > > the chroot enable script from rrdtool. > > When I view configtest.php, I get the error: > apache or php setup faulty: cannot execute /usr/local/bin/rrdtool > > For testing, I temporarily copied /bin/sh to /var/www/bin/sh, and it > started working. Removing it breaks it again. > > Should I need to copy sh to the chroot, or am I doing something else > wrong? > > Thanks. I had the same question two months ago. To quote Antoine: That's not enough. As documented in the rrdtool pkg-readme, you must do: /usr/local/share/examples/rrdtool/rrdtool-chroot enable You should look under /usr/local/share/doc/pkg-readmes/, it comes with a *lot* of OpenBSD specific information.. It worked perfectly for me. Please check out the whole thread http://marc.info/?t=14157651275&r=1&w=2 Cheers, Predrag
Re: How to Selectively route DESTINATIONS via wan1_gw and via wan2_gw
On 01/14/2015 07:19 AM, Indunil Jayasooriya wrote: Hi misc, I have /etc/ip_list1 file containing some destinations. format of /etc/ip_list1 is given below.
1.2.3.4
1.6.3.0/24
I want to route ALL DESTINATIONS listed in /etc/ip_list1 via wan1_gw. The rest of traffic, I want to route via wan2_gw. I have enabled below things in sysctl.conf file (including multipath routing)
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
net.inet.ip.multipath=1 # 1=Enable IP multipath routing
net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects
my 2 gateways
wan1_gw= "192.168.2.100"
wan2_gw= "192.168.1.1"
my hostname.xxx files like these.
my wan1 interface
# cat /etc/hostname.rl0
inet 192.168.2.35 255.255.255.0
!route add -mpath default 192.168.2.100
my wan2 interface
# cat /etc/hostname.rl1
inet 192.168.1.11 255.255.255.0
!route add -mpath default 192.168.1.1
my lan interface
# cat /etc/hostname.bge0
inet 192.168.100.208 255.255.255.0
my pf.conf file looks like this.
# macros
int_if="bge0"
wan1_if="rl0"
wan2_if="rl1"
lan_net="192.168.100.0/24"
#lan_net="192.168.101.0/24"
wan1_gw= "192.168.2.100"
wan2_gw= "192.168.1.1"
table persist file "/etc/ip_list1"
# options
set block-policy return
set loginterface $wan1_if
set skip on lo
#THIS IS THE RULE TO ROUTE VIA WAN1_GW
pass out quick log from any to route-to ($wan1_if $wan1_gw)
# match rules
match out on $wan1_if from $lan_net nat-to ($wan1_if)
match out on $wan2_if from $lan_net nat-to ($wan2_if)
# filter rules
block in log
#block out log
pass out quick log
antispoof quick for { lo $int_if }
pass in log inet proto icmp all icmp-type $icmp_types
I still can NOT traceroute to destinations in /etc/ip_list1 via wan1_gw and the rest via wan2_gw. How to achieve this goal?

Hi, I've snipped full rules set to show needed lines, hope this will help you. I'm sure that I didn't enable multipath. /etc/mygate contains any A or B gw address.
In case you won't achieve policy based routing with this example I'll send you full pf.conf that works well for years. ext_if_a = "xl0" ext_gw_a = "195.26.92.129" ext_if_b = "fxp1" ext_gw_b = "188.230.122.53" int_if = "fxp0" table { 192.168.16.0/24 } table{ 192.168.16.5 } match out on $ext_if_a inet proto tcp from to ! nat-to $ext_if_a match out on $ext_if_b inet from , to ! nat-to $ext_if_b pass in on $int_if inet proto tcp from to any port { www, smtp, https, smtps } route-to ($ext_if_a $ext_gw_a) pass in on $int_if inet proto tcp from to any route-to ($ext_if_b $ext_gw_b) pass out inet from $ext_if_a route-to ($ext_if_a $ext_gw_a) pass out inet from $ext_if_b route-to ($ext_if_b $ext_gw_b) pass out on { $ext_if_a, $ext_if_b }
Re: ARM Firewall Hardware
On Tue, Jan 13, 2015 at 06:52:00PM +0100, Christer Solskogen wrote: > On Tue, Jan 13, 2015 at 5:45 PM, Jonathan Gray wrote: > > > > Your earlier mail had a different load address than what I'd expect. > > Try 0x1880 > > Same. I've tried the following starting addresses: 0x1060 - > 0x1880 - 0x1080 > The last one is what I use to boot bitrig. I've updated the kernel at http://jsg.id.au/openbsd/bsd.IMX.umg Includes changes similar to those made in the following Bitrig commits: commit f2fb0a86fc740253d02c7eb3f6d26ea48346be55 Author: Patrick Wildt Date: Thu Jan 16 15:37:54 2014 +0100 When restoring SPSR, use spsr_fsxc so bits[23-8] are restored. Spsr_all doesn't restore all bits! This should fix use of simd instructions that rely on the GE bits. Also, this fixes our cold boot crash on the Utilite and Nitrogen 6x. From NetBSD. ok drahn@ commit 6ea8cdd3daffb2edde3eadf87d3fea6d2f47384c Author: Patrick Wildt Date: Sat Dec 7 15:04:09 2013 +0100 Load additional memory space into UVM. Also bump the amount of 'space' to 2. More space has not been observed yet. ok drahn@ Index: arm/arm/cpufunc_asm_sa1.S === RCS file: /cvs/src/sys/arch/arm/arm/cpufunc_asm_sa1.S,v retrieving revision 1.3 diff -u -p -r1.3 cpufunc_asm_sa1.S --- arm/arm/cpufunc_asm_sa1.S 20 Sep 2011 22:11:40 - 1.3 +++ arm/arm/cpufunc_asm_sa1.S 14 Jan 2015 13:06:40 - @@ -46,9 +46,9 @@ * addresses that are about to change. */ ENTRY(sa1_setttb) - mrs r3, cpsr_all + mrs r3, cpsr orr r1, r3, #(I32_bit | F32_bit) - msr cpsr_all, r1 + msr cpsr_fsxc, r1 stmfd sp!, {r0-r3, lr} bl _C_LABEL(sa1_cache_cleanID) @@ -69,7 +69,7 @@ ENTRY(sa1_setttb) mov r0, r0 mov r0, r0 - msr cpsr_all, r3 + msr cpsr_fsxc, r3 mov pc, lr /* 
@@ -131,12 +131,12 @@ _C_LABEL(sa1_cache_clean_size): .word _C_LABEL(sa1_cache_clean_size) #defineSA1_CACHE_CLEAN_BLOCK \ - mrs r3, cpsr_all; \ + mrs r3, cpsr; \ orr r0, r3, #(I32_bit | F32_bit); \ - msr cpsr_all, r0 + msr cpsr_fsxc, r0 #defineSA1_CACHE_CLEAN_UNBLOCK \ - msr cpsr_all, r3 + msr cpsr_fsxc, r3 #ifdef DOUBLE_CACHE_CLEAN_BANK #defineSA1_DOUBLE_CACHE_CLEAN_BANK \ Index: arm/arm/cpufunc_asm_xscale.S === RCS file: /cvs/src/sys/arch/arm/arm/cpufunc_asm_xscale.S,v retrieving revision 1.4 diff -u -p -r1.4 cpufunc_asm_xscale.S --- arm/arm/cpufunc_asm_xscale.S20 Sep 2011 22:11:40 - 1.4 +++ arm/arm/cpufunc_asm_xscale.S14 Jan 2015 13:06:40 - @@ -128,9 +128,9 @@ ENTRY(xscale_control) * addresses that are about to change. */ ENTRY(xscale_setttb) - mrs r3, cpsr_all + mrs r3, cpsr orr r1, r3, #(I32_bit | F32_bit) - msr cpsr_all, r1 + msr cpsr_fsxc, r1 stmfd sp!, {r0-r3, lr} bl _C_LABEL(xscale_cache_cleanID) @@ -152,7 +152,7 @@ ENTRY(xscale_setttb) CPWAIT(r0) - msr cpsr_all, r3 + msr cpsr_fsxc, r3 mov pc, lr /* @@ -244,12 +244,12 @@ _C_LABEL(xscale_cache_clean_size): .word _C_LABEL(xscale_minidata_clean_size) #defineXSCALE_CACHE_CLEAN_BLOCK \ - mrs r3, cpsr_all; \ + mrs r3, cpsr; \ orr r0, r3, #(I32_bit | F32_bit); \ - msr cpsr_all, r0 + msr cpsr_fsxc, r0 #defineXSCALE_CACHE_CLEAN_UNBLOCK \ - msr cpsr_all, r3 + msr cpsr_fsxc, r3 #defineXSCALE_CACHE_CLEAN_PROLOGUE \ XSCALE_CACHE_CLEAN_BLOCK; \ Index: arm/arm/exception.S === RCS file: /cvs/src/sys/arch/arm/arm/exception.S,v retrieving revision 1.3 diff -u -p -r1.3 exception.S --- arm/arm/exception.S 20 Sep 2011 22:02:10 - 1.3 +++ arm/arm/exception.S 14 Jan 2015 13:06:41 - @@ -169,8 +169,8 @@ abortdatamsg: * it like a Data Abort. */ ASENTRY_NP(address_exception_entry) - mrs r1, cpsr_all - mrs r2, spsr_all + mrs r1, cpsr + mrs r2, spsr mov r3, lr adr r0, Laddress_exception_msg bl _C_LABEL(printf)/* X
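Review bot: in the cpufunc_asm_sa1.S and cpufunc_asm_xscale.S hunks the only behavioural change is on the `msr` lines, and that is worth spelling out in the commit message. GNU as treats `cpsr_all` as a legacy alias for `cpsr_fc` (flags and control fields only), so the old `msr cpsr_all, r3` in sa1_setttb, xscale_setttb and the *_CACHE_CLEAN_UNBLOCK macros never wrote back bits 23:8, the extension and status fields where the GE bits mentioned in the cited Bitrig commit live; `msr cpsr_fsxc, r3` writes all four fields and so restores exactly what the preceding `mrs r3, cpsr` saved. The `mrs r3, cpsr_all` -> `mrs r3, cpsr` edits are syntax-only, because the field mask has no meaning on a read. The `msr cpsr_fsxc, r1` lines are also safe as written: r1 is r3 with only I32_bit|F32_bit added, so every other field is written back unchanged.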
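Review bot: the exception.S hunk changes only two reads in address_exception_entry (`mrs r1, cpsr` and `mrs r2, spsr`), which are behaviourally no-ops, while the Bitrig commit quoted in the mail describes the fix as "When restoring SPSR, use spsr_fsxc". No `msr spsr_fsxc` appears anywhere in the visible diff, and the archived patch is cut off after `bl _C_LABEL(printf)`, so please confirm that the SPSR restore in the exception return path is part of the full diff; without it the GE-bit fix the commit message promises is not in this kernel.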
Re: [wip] Firefox 35.0rc3
On 01/13/15 16:26, Landry Breuil wrote: [ .. snip .. ] >> On 1/10/15, Landry Breuil wrote: [ .. snip .. ] >> >> Interesting, your cpu doesnt have SSSE3 nor SSE4.1, while binutils/the >> configure script detects so.. that might explain why it built here and >> not on your machine. That doesnt explain why configure things they're >> here though... [ .. snip .. ] > so fixed this way in my git repo: > > http://cgit.rhaalovely.net/mozilla-firefox/commit/?h=release&id=41cef5a7e563083c40cb52f8c764f10ef32bfe8b > > Thx for the testing! > > Landry Without the above patch, I had the same problem as . With this latest patch, firefox-35.0rc3 has been working well for about an hour. Here's the associated dmesg: OpenBSD 5.7-beta (GENERIC.MP) #756: Mon Jan 12 00:38:13 MST 2015 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 8304197632 (7919MB) avail mem = 8079261696 (7704MB) warning: no entropy supplied by boot loader mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x9f000 (72 entries) bios0: vendor American Megatrends Inc. version "2701" date 10/08/2010 bios0: ASUSTeK Computer INC. M3A78-EM acpi0 at bios0: rev 2 acpi0: sleep states S0 S1 S3 S4 S5 acpi0: tables DSDT FACP APIC MCFG OEMB SRAT HPET SSDT acpi0: wakeup devices PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) RLAN(S4) PCE7(S4) PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) SBAZ(S4) PS2M(S4) PS2K(S4) UAR1(S4) P0PC(S4) [...] 
acpitimer0 at acpi0: 3579545 Hz, 32 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Phenom(tm) 9550 Quad-Core Processor, 2212.21 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,ITSC cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache, 2MB 64b/line 32-way L3 cache cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative cpu0: AMD erratum 721 detected and fixed cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 201MHz cpu0: mwait min=64, max=64, C-substates=0.0.0.0.0, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD Phenom(tm) 9550 Quad-Core Processor, 2211.90 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,ITSC cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache, 2MB 64b/line 32-way L3 cache cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative cpu1: AMD erratum 721 detected and fixed cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 2 (application processor) cpu2: AMD Phenom(tm) 9550 Quad-Core Processor, 2211.90 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,ITSC cpu2: 64KB 64b/line 
2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache, 2MB 64b/line 32-way L3 cache cpu2: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative cpu2: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative cpu2: AMD erratum 721 detected and fixed cpu2: smt 0, core 2, package 0 cpu3 at mainbus0: apid 3 (application processor) cpu3: AMD Phenom(tm) 9550 Quad-Core Processor, 2211.90 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,ITSC cpu3: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache, 2MB 64b/line 32-way L3 cache cpu3: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative cpu3: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative cpu3: AMD erratum 721 detected and fixed cpu3: smt 0, core 3, package 0 ioapic0 at mainbus0: apid 4 pa 0xfec0, version 21, 24 pins acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318180 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (P0P1) acpiprt2 at acpi0: bus -1 (PCE2) acpiprt3 at acpi0: bus -1 (PCE3) acpiprt4 at acpi0: bus 2 (PCE4) acpiprt5 at acpi0: bus -1 (PCE5) acpiprt6 at acpi0: bus 3 (PCE6) acpiprt7 at acpi0: bus 4 (P0PC) acpicpu0 at acpi0: PSS acpicpu1 at acpi0: PSS acpicpu2 at acpi0: PSS
Re: usb ehci errors in 5.6-stable
> On 01/14/15 12:37, Evgeny Zhavoronkov wrote: > >Hi, All! > > > >I get these errors when I actively use a usb wifi adapter > >Jan 14 16:08:57 t4 /bsd: 0x4f4e5155 > >Jan 14 16:08:57 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 > >not busy 0x4f4e5155 > >Jan 14 16:08:57 t4 last message repeated 1006 times > >Jan 14 16:08:57 t4 /bsd: athn0: could not wakeup chip > >Jan 14 16:09:22 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! > >Jan 14 16:10:40 t4 /bsd: 0x4f4e5155 > >Jan 14 16:10:40 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 > >not busy 0x4f4e5155 > >Jan 14 16:10:40 t4 last message repeated 1006 times > >Jan 14 16:10:40 t4 /bsd: athn0: could not wakeup chip > >Jan 14 16:11:04 t4 /bsd: 0x4f4e5155 > >Jan 14 16:11:04 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 > >not busy 0x4f4e5155 > >Jan 14 16:11:04 t4 last message repeated 1006 times > >Jan 14 16:11:04 t4 /bsd: athn0: could not wakeup chip > >Jan 14 16:12:20 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! > >Jan 14 16:12:28 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! > >Jan 14 16:15:12 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! > >Jan 14 16:24:21 t4 last message repeated 7 times > >Jan 14 16:32:25 t4 last message repeated 4 times > > > > > >it erased my dmesg, so I can't provide it. > > > >[demime 1.01d removed an attachment of type application/pgp-signature] > > > > look in: /var/run/dmesg.boot > Fred Thanks, here it is: OpenBSD 5.6-stable (GENERIC.MP) #0: Sun Jan 11 20:07:24 MSK 2015 root@t4.local.:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 8262713344 (7879MB) avail mem = 8033972224 (7661MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdcd21000 (62 entries) bios0: vendor LENOVO version "GJET61WW (2.11 )" date 10/02/2013 bios0: LENOVO 20AQ004TRT acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP SLIC DBGP ECDT HPET APIC MCFG SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT PCCT SSDT TCPA UEFI MSDM ASF! 
BATB FPDT UEFI SSDT DMAR acpi0: wakeup devices LID_(S4) IGBE(S4) EXP2(S4) XHCI(S3) EHC1(S3) HDEF(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpiec0 at acpi0 acpihpet0 at acpi0: 14318179 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.65 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,C FLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL ,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,PO PCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,F SGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,C FLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL ,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,PO PCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,F SGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 1, core 0, package 0 cpu2 at mainbus0: apid 2 (application processor) cpu2: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,C FLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL ,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,PO PCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,F SGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM cpu2: 256KB 64b/line 8-way L2 cache cpu2: smt 0, core 1, package 0 
cpu3 at mainbus0: apid 3 (application processor) cpu3: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 1995.38 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,C FLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL ,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,PO PCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,F SGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM cpu3: 256KB 64b/line 8-way L2 cache cpu3: smt 1, core 1, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins acpimcfg0 at acpi0 addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (PEG_) acpiprt2 at acpi0: bus 2 (EXP1) acpiprt3 at acp
Re: usb ehci errors in 5.6-stable
On 01/14/15 12:37, Evgeny Zhavoronkov wrote: Hi, All! I get these errors when I actively use a usb wifi adapter Jan 14 16:08:57 t4 /bsd: 0x4f4e5155 Jan 14 16:08:57 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155 Jan 14 16:08:57 t4 last message repeated 1006 times Jan 14 16:08:57 t4 /bsd: athn0: could not wakeup chip Jan 14 16:09:22 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! Jan 14 16:10:40 t4 /bsd: 0x4f4e5155 Jan 14 16:10:40 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155 Jan 14 16:10:40 t4 last message repeated 1006 times Jan 14 16:10:40 t4 /bsd: athn0: could not wakeup chip Jan 14 16:11:04 t4 /bsd: 0x4f4e5155 Jan 14 16:11:04 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155 Jan 14 16:11:04 t4 last message repeated 1006 times Jan 14 16:11:04 t4 /bsd: athn0: could not wakeup chip Jan 14 16:12:20 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! Jan 14 16:12:28 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! Jan 14 16:15:12 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! Jan 14 16:24:21 t4 last message repeated 7 times Jan 14 16:32:25 t4 last message repeated 4 times it erased my dmesg, so I can't provide it. [demime 1.01d removed an attachment of type application/pgp-signature] look in: /var/run/dmesg.boot hth Fred
Re: integrity of commercial CD set
On 14/01/2015 12:24, Stefan Sperling wrote: > Bootstrapping trust is always going to be hard no matter what we do > and how hard we try. [...] Now the answer has become "buy a CD > and cross-check it with signify" and it's still not enough. [...] "Buying a CD" in my case includes a 5.000 mile trip through multiple "five-eyes" nations, whose overzealous three letter agencies officially intercept physical shipments to install backdoors and hardware implants. "Cross-checking" of OpenBSD commercial CD sets at present can only be partial, as no official full checksums seem to be provided. Even cross-checking *all* files referenced by the ISO filesystem would still allow a malicious boot sector to directly reference unallocated space. Let's call a spade a spade: the worst-case scenario is an APT intercepting the shipment of a commercial CD set, substitute one or more CDs and repackage it. Extremely unlikely for the average person, not-so-much for IT security consultants with important clients. Regards -- Enos D'Andrea
Re: Misc questionning about DNS
On Wed, Jan 14, 2015 at 4:41 AM, Craig Skinner wrote: > On 2015-01-13 Tue 16:26 PM |, sven falempin wrote: >> >> I would like to internally and externally resolve some domain names >> differently (so some service are accessible from inside and outside >> without some fancy NAT or worse), I found out 'some' call this setup a >> 'split-dns', often used for internal mail servers. > > See this post (& thread) for an example of NSD & unbound on OpenBSD 5.5: > http://marc.info/?l=openbsd-misc&m=141113669300630&w=2 > > Cheers. > -- > Canadian podcast: The Truth About Edward Snowden > http://www.youtube.com/watch?v=9hmOAFFzxj0&feature=related > Thank you all, NSD was the part I was missing :-) and it WAS in the man page : << If authoritative DNS is needed as well using nsd (8) careful setup is required because authoritative nameservers and resolvers are using the same port number (53). >> *facepalm* Have a nice Day :-) -- - () ascii ribbon campaign - against html e-mail /\
usb ehci errors in 5.6-stable
Hi, All! I get these errors when I actively use a usb wifi adapter Jan 14 16:08:57 t4 /bsd: 0x4f4e5155 Jan 14 16:08:57 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155 Jan 14 16:08:57 t4 last message repeated 1006 times Jan 14 16:08:57 t4 /bsd: athn0: could not wakeup chip Jan 14 16:09:22 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! Jan 14 16:10:40 t4 /bsd: 0x4f4e5155 Jan 14 16:10:40 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155 Jan 14 16:10:40 t4 last message repeated 1006 times Jan 14 16:10:40 t4 /bsd: athn0: could not wakeup chip Jan 14 16:11:04 t4 /bsd: 0x4f4e5155 Jan 14 16:11:04 t4 /bsd: usb_insert_transfer: xfer=0xfe821cb7c348 not busy 0x4f4e5155 Jan 14 16:11:04 t4 last message repeated 1006 times Jan 14 16:11:04 t4 /bsd: athn0: could not wakeup chip Jan 14 16:12:20 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! Jan 14 16:12:28 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! Jan 14 16:15:12 t4 /bsd: ehci_idone: ex=0xfe821cb7c348 is done! Jan 14 16:24:21 t4 last message repeated 7 times Jan 14 16:32:25 t4 last message repeated 4 times it erased my dmesg, so I can't provide it. [demime 1.01d removed an attachment of type application/pgp-signature]
Re: OpenBSD on Intel Galileo
> Am 14.01.2015 um 09:43 schrieb Stuart Henderson : > > On 2015-01-13, Patrick Wildt wrote: >> Hi, >> >> Yes, it’s kinda possible. I tried that early 2014 or so. You need to have >> some kind of EFI-Grub2 on an sdcard iirc. Then you exit the in-built grub, >> open the EFI shell and have it boot grub2. >> >> Using kopenbsd you can try to load an OpenBSD kernel, but it doesn’t work >> out of the box. >> >> The serial line is not in the ISA(?) space, but memory mapped somewhere >> else, so you do not get serial output. The grub boot options pass the >> actual address to the linux kernel, so that’s where you can find out which >> one it is. >> >> After doing a hack to make that work, I got the following output: >> http://gbpaste.org/Pd5Vv >> >> I fear I do not have the diffs and blobs anymore. > > If you can have grub chain to OpenBSD's boot loader, you can set the port > address > with 'machine comaddr'. > Yes, that is right. But it does not fix two other issues. First, you need I386_BUS_SPACE_MEM instead of I386_BUS_SPACE_IO. The console is memory mapped and not accessible via outb/inb. Second, registers need to be accessed in 4x space mode. This means the register you want to access has to be multiplied by 4 before accessing it. All those issues are caused by the console being connected via PCI (puc(4)) as far as I can see.
Re: integrity of commercial CD set
On Wed, Jan 14, 2015 at 10:49:01AM +0100, Enos D'Andrea wrote: > Thanks, but I was hoping for a method that would also verify the CD boot > process, and that would not require downloading and installing a second > image or trusting the CD to verify itself. Bootstrapping trust is always going to be hard no matter what we do and how hard we try. Since releases have been signed (since 5.4) people have been asking for even more verification than they used to ask for. This puzzles me. Before signify the answer to the trust problem was "buy a CD" and most paranoid people went with that. Now the answer has become "buy a CD and cross-check it with signify" and it's still not enough. What's next, should we invite everyone to Theo's house to run a collective install fest from his NFS server? From the developer point of view it seems to be more a problem of managing expectations rather than a technical one. :-/ Speaking of which: Are you sure you can trust the hardware you're booting this CD on? Is it by chance a laptop that supports Intel vPro? In this case it likely runs SOAP/TLS(OpenSSL)/Kerberos code in firmware and the OS can't make any hard guarantees about the safety of your machine anyway: https://software.intel.com/sites/default/files/71/eb/mngstages.jpg In other words, if you really want to argue trust down to the very last bit the discussion becomes pointless very quickly. It is never going to be perfect.
Re: integrity of commercial CD set
> Thanks, but I was hoping for a method that would also verify the CD boot > process, and that would not require downloading and installing a second > image or trusting the CD to verify itself. Next time, it is better to ask what you hope for. You asked how to check and you got the answer, then you moved to something else ...
Re: integrity of commercial CD set
On 12/01/2015 20:34, Theo de Raadt wrote: >> Please how is one supposed to verify the integrity of an official >> OpenBSD 5.6 commercial CD set, bought on the OpenBSD store and >> received by physical mail? [...] > > Each directory on the CD is signed using signify and the 5.6 keys > listed at http://www.openbsd.org/56.html [...] Thanks, but I was hoping for a method that would also verify the CD boot process, and that would not require downloading and installing a second image or trusting the CD to verify itself.

On a side note, CD #2 (amd64, powerpc, song) includes more than 15Mb of space not directly allocated in files (excluding the audio track):
# mount -o ro /dev/sr0 /mnt/cdrom
# df -B KB /dev/sr0
Filesystem 1kB-blocks Used Available Use% Mounted on
/dev/sr0 630047kB 630047kB 0kB 100% /mnt/cdrom
# du -B KB -s /mnt/cdrom/
614111kB /mnt/cdrom/

For the record:
# sha256sum /dev/sr0 #CD1
a9958a206d7acb12a4b544f5df301261a92c4bec06b85c3964dd834ef622a22a
# cat /dev/sr0 > cd2.iso #CD2
cat: /dev/sr0: Input/output error
# du -b cd2.iso
630345728
# sha256sum cd2.iso
72f2201021168c9132bea3e6ebf1fe250b394528c3c766ace2556a614bc8dd7e
# sha256sum /dev/sr0 #CD3
466e4f4c0506711bcbb4bd31601f0fb16c154df2e52c4d9596c9fa91efeddee4

Regards -- Enos D'Andrea
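The df/du gap above is a volume-level number; what a reviewer of a disc actually wants to know is which sectors nothing in the filesystem points at, and whether any of them hold data rather than padding, since that is where a boot sector could reach without any signed directory referencing it. The following Python script is an added example for this thread, not code from OpenBSD, signify or the posters: it walks an ISO 9660 image (primary volume descriptor, path tables, directory tree) and reports unreferenced sectors outside the 16-sector system area. The image it builds in memory is constructed for the demo; its layout, the file name README.TXT;1 and the IMPLANT! marker in an unreferenced sector are all made up. Pointing check_image() at a dump such as the cd2.iso above is the real use.

```python
"""Report ISO 9660 sectors no filesystem structure references, and which
of those are non-zero. Added example; the image built by build_image()
is constructed for the demo and is not a real OpenBSD disc."""
import struct
import sys

SECTOR = 2048
SYSTEM_AREA = 16   # sectors 0-15 hold the boot sector; ISO 9660 never references them


def both_endian32(n):
    return struct.pack("<I", n) + struct.pack(">I", n)


def both_endian16(n):
    return struct.pack("<H", n) + struct.pack(">H", n)


def dir_record(extent, length, name, is_dir):
    """Minimal ECMA-119 directory record (34 bytes for a one-byte name)."""
    body = (b"\x00" + both_endian32(extent) + both_endian32(length) + bytes(7)
            + bytes([2 if is_dir else 0]) + b"\x00\x00" + both_endian16(1)
            + bytes([len(name)]) + name)
    rec = bytes([len(body) + 1]) + body
    return rec + (b"\x00" if len(rec) % 2 else b"")   # records are even-sized


def build_image(total_sectors=24, hidden_sector=22):
    """Constructed image: PVD, terminator, path table, root dir, one file,
    plus a payload parked in a sector no directory record points at."""
    img = bytearray(total_sectors * SECTOR)
    ptable_lba, root_lba, file_lba = 18, 19, 20
    payload = b"hello world"
    pvd = bytearray(SECTOR)
    pvd[0] = 1                                         # type: primary volume descriptor
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[80:88] = both_endian32(total_sectors)          # volume space size
    pvd[120:124] = both_endian16(1)                    # volume set size
    pvd[124:128] = both_endian16(1)                    # volume sequence number
    pvd[128:132] = both_endian16(SECTOR)               # logical block size
    pvd[132:140] = both_endian32(10)                   # path table size
    pvd[140:144] = struct.pack("<I", ptable_lba)       # L path table location
    pvd[148:152] = struct.pack(">I", ptable_lba)       # M path table location
    pvd[156:190] = dir_record(root_lba, SECTOR, b"\x00", True)
    img[16 * SECTOR:17 * SECTOR] = pvd
    img[17 * SECTOR:17 * SECTOR + 7] = b"\xffCD001\x01"   # descriptor set terminator
    img[ptable_lba * SECTOR:ptable_lba * SECTOR + 10] = (
        b"\x01\x00" + struct.pack("<I", root_lba) + b"\x01\x00\x00\x00")
    root = (dir_record(root_lba, SECTOR, b"\x00", True)
            + dir_record(root_lba, SECTOR, b"\x01", True)
            + dir_record(file_lba, len(payload), b"README.TXT;1", False))
    img[root_lba * SECTOR:root_lba * SECTOR + len(root)] = root
    img[file_lba * SECTOR:file_lba * SECTOR + len(payload)] = payload
    img[hidden_sector * SECTOR:hidden_sector * SECTOR + 8] = b"IMPLANT!"  # constructed
    return bytes(img)


def sectors_of(extent, length):
    return range(extent, extent + (length + SECTOR - 1) // SECTOR)


def walk_dir(img, extent, length, allocated, seen):
    """Mark every extent reachable from this directory as allocated."""
    if extent in seen:                 # guard against looping directory trees
        return
    seen.add(extent)
    allocated.update(sectors_of(extent, length))
    data = img[extent * SECTOR:extent * SECTOR + length]
    pos = 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:               # records never straddle a sector: skip padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        loc = struct.unpack_from("<I", rec, 2)[0]
        size = struct.unpack_from("<I", rec, 10)[0]
        name = rec[33:33 + rec[32]]
        if rec[25] & 2:                # directory flag
            if name not in (b"\x00", b"\x01"):   # skip "." and ".."
                walk_dir(img, loc, size, allocated, seen)
        else:
            allocated.update(sectors_of(loc, size))
        pos += rec_len


def check_image(img):
    """Sectors outside the system area that no descriptor, path table,
    directory or file covers, and which of them are not all zero."""
    pvd = img[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor")
    total = struct.unpack_from("<I", pvd, 80)[0]
    allocated = set()
    s = 16                             # descriptor set runs up to the type-255 terminator
    while s < total:
        allocated.add(s)
        if img[s * SECTOR] == 255:
            break
        s += 1
    pt_size = struct.unpack_from("<I", pvd, 132)[0]
    for off, fmt in ((140, "<I"), (144, "<I"), (148, ">I"), (152, ">I")):
        lba = struct.unpack_from(fmt, pvd, off)[0]
        if lba:
            allocated.update(sectors_of(lba, pt_size))
    root = pvd[156:190]
    walk_dir(img, struct.unpack_from("<I", root, 2)[0],
             struct.unpack_from("<I", root, 10)[0], allocated, set())
    unalloc = [n for n in range(SYSTEM_AREA, total) if n not in allocated]
    return {
        "total": total,
        "unallocated": unalloc,
        "nonzero_unallocated": [n for n in unalloc if any(img[n * SECTOR:(n + 1) * SECTOR])],
        "system_area_nonzero": any(img[:SYSTEM_AREA * SECTOR]),
    }


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_image()
    report = check_image(image)
    print("%d sectors, %d unreferenced, %d of those non-zero: %s" % (
        report["total"], len(report["unallocated"]),
        len(report["nonzero_unallocated"]), report["nonzero_unallocated"]))
```

The useful signal is the non-zero list, not the raw count: a mixed-mode disc carries the gap and post-gap the reply above describes, and zero-filled padding is uninteresting, while an unreferenced sector that holds data is something the signed directory checks can never see. The walker only follows the primary volume descriptor, so an El Torito boot record or a Joliet supplementary descriptor on a real disc would also show up as unreferenced and has to be inspected by hand; the system area itself is reported separately because the boot code legitimately lives there.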
Re: Misc questionning about DNS
On 2015-01-13 Tue 16:26 PM |, sven falempin wrote:
> I would like to internally and externally resolve some domain names
> differently (so some services are accessible from inside and outside
> without some fancy NAT or worse). I found out 'some' call this setup a
> 'split-dns', often used for internal mail servers.

See this post (& thread) for an example of NSD & unbound on OpenBSD 5.5: http://marc.info/?l=openbsd-misc&m=141113669300630&w=2

Cheers.
--
Canadian podcast: The Truth About Edward Snowden
http://www.youtube.com/watch?v=9hmOAFFzxj0&feature=related
Re: OpenBSD on Intel Galileo
On 2015-01-13, Patrick Wildt wrote:
> Hi,
>
> Yes, it's kinda possible. I tried that early 2014 or so. You need to have
> some kind of EFI-Grub2 on an sdcard iirc. Then you exit the in-built grub,
> open the EFI shell and have it boot grub2.
>
> Using kopenbsd you can try to load an OpenBSD kernel, but it doesn't work out
> of the box.
>
> The serial line is not in the ISA(?) space, but memory mapped somewhere else,
> so you do not get serial output. The grub boot options pass the actual
> address to the linux kernel, so that's where you can find out which one it is.
>
> After doing a hack to make that work, I got the following output:
> http://gbpaste.org/Pd5Vv
>
> I fear I do not have the diffs and blobs anymore.

If you can have grub chain to OpenBSD's boot loader, you can set the port address with 'machine comaddr'.
Re: Misc questionning about DNS
On 14/01/15 02:33, Jason Adams wrote:
> On 01/13/2015 01:26 PM, sven falempin wrote:
>> Dear OpenBSD users,
>>
>> Recently unbound made its way into base, pushing the complex bind/named
>> out for our own good.
>>
>> I would like to internally and externally resolve some domain names
>> differently (so some services are accessible from inside and outside
>> without some fancy NAT or worse). I found out 'some' call this setup a
>> 'split-dns', often used for internal mail servers.
>>
>> I also found out BIND got a feature for this and internet gossip
>> <<
>> Unbound doesn't support split-horizon DNS. It's primarily meant as a
>> recursive and caching nameserver, and has only limited support for
>> serving authoritative answers.
>> >>
>>
>> Of course I imagine running two unbound with two different IP address bindings.
>>
>> I feel like I am missing something.
>>
>> If I want to manage my domain, shall I use bind on the 'main' server?
>>
>> Best regards.
>
> Split DNS is a very good reason for using bind, and it's not that hard to set
> up. I could private email you an example. If unbound doesn't do this, it is
> missing one of the main reasons people and institutions run their own dns
> servers (whether or not they are behind nat).

I don't agree with the comment above. Bind combines split-horizon in one process but it's not the recommended way to do it. Ideally you need 3 types of DNS servers:

1) External/Public authoritative DNS server serving your public zones to the internet.
2) Internal/Private authoritative DNS server serving your intra zones to the internal network. Can have the same zones as in 1) but with different NS records and probably with different entries inside.
3) Internal/Private caching/recursive DNS server for your internal clients. These servers should query type 2 servers for local zones.

Type 2 and 3 should NOT be accessible from the internet. In addition, an authoritative server should NOT be doing recursive queries because you're subject to DNS poisoning attacks.

G

ps. In addition one can add a type 4, which would be a hidden authoritative master to push the zones to the rest of the authoritative servers.
Re: missing packages for SPARC
On 2015-01-13, Jeremy Evans wrote:
> On Tue, Jan 13, 2015 at 12:58 PM, Riccardo Mottola <riccardo.mott...@libero.it> wrote:
>
>> do we really need bash to build ruby? and... why ruby for subversion? not
>> counting shells one ends up having perl, python, tcl and ruby! what a mess.
>
> You do need bash to build ruby 2.0, but not any earlier or later version.
> There were bugs in ruby 2.0's configure script, and they were unable to
> backport the necessary fixes to it.
>
> ruby is needed to build subversion for the ruby-subversion subpackage, but
> you can build with the no_ruby PSEUDO_FLAVOR to not require ruby or build
> that subpackage. Same with no_python.

But if you want to see those missing packages in the 5.7 release, start by sending information about the bash crash, preferably to ports@ rather than misc. A backtrace would be a good start (especially from a copy of bash built with debug symbols: clean, then "make package DEBUG=-g"); reducing the script that triggers the problem to a simplified test case would be even better.
Re: Misc questionning about DNS
On 2015-01-13, sven falempin wrote:
> Dear OpenBSD users,
>
> Recently unbound made its way into base, pushing the complex bind/named
> out for our own good.
>
> I would like to internally and externally resolve some domain names
> differently (so some services are accessible from inside and outside
> without some fancy NAT or worse). I found out 'some' call this setup a
> 'split-dns', often used for internal mail servers.
>
> I also found out BIND got a feature for this and internet gossip
> <<
> Unbound doesn't support split-horizon DNS. It's primarily meant as a
> recursive and caching nameserver, and has only limited support for
> serving authoritative answers.
> >>
>
> Of course I imagine running two unbound with two different IP address bindings.
>
> I feel like I am missing something.
>
> If I want to manage my domain, shall I use bind on the 'main' server?
>
> Best regards.

The main confusion people have when moving from a BIND setup on a small installation is that BIND allows mixing resolver (client lookups for every domain) and authoritative (lookups from the world for your local domain) on the same IP address. This is not recommended even with BIND, and not supported at all by most other DNS software.

For the simplest way to do split-horizon: run unbound listening on an internal address. Run NSD listening on an external address for the main DNS zone that you are publishing. Use local-data statements in unbound.conf to override lookup for internal addresses.

You can alternatively use unbound and two copies of NSD, one for external, one to talk to unbound (using stub-zone in unbound.conf), but it's more complicated - in particular, the rc script system isn't setup to handle running multiple copies of a single daemon.
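The simplest layout described above (unbound on the internal address carrying the internal view via local-data, NSD on the external address serving the public zone), which also gives G's type 1 and type 3 servers with the type 2 role folded into unbound, as an added example that is not from any poster in the thread. The zone name, addresses (10.0.0.0/24 inside, 203.0.113.0/24 outside), hostnames and file paths are assumptions; the paths are OpenBSD's default locations for the two daemons.

```conf
# /var/unbound/etc/unbound.conf  (type 3: recursive resolver for the LAN only)
# Assumed addresses: 10.0.0.1 is the internal interface of this host.
server:
        interface: 10.0.0.1
        access-control: 10.0.0.0/24 allow     # internal clients only
        access-control: 0.0.0.0/0 refuse      # never answer the internet
        hide-identity: yes
        hide-version: yes
        # "transparent": names listed below get the internal answer, every
        # other name under example.com. is resolved normally via the public
        # NSD, so only the overridden hosts differ between the two views.
        local-zone: "example.com." transparent
        local-data: "mail.example.com. IN A 10.0.0.25"
        local-data: "www.example.com.  IN A 10.0.0.80"
        local-data-ptr: "10.0.0.25 mail.example.com"
        local-data-ptr: "10.0.0.80 www.example.com"

# /var/nsd/etc/nsd.conf  (type 1: authoritative for the world, external address only)
# Assumed address: 203.0.113.1 is the public interface of this host.
server:
        ip-address: 203.0.113.1
        hide-version: yes
        zonesdir: "/var/nsd/zones"

zone:
        name: "example.com"
        zonefile: "example.com.zone"

# /var/nsd/zones/example.com.zone  (public view of the same names)
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2015011401      ; serial
                3600            ; refresh
                900             ; retry
                1209600         ; expire
                3600 )          ; negative-answer TTL
        IN NS   ns1.example.com.
ns1     IN A    203.0.113.1
mail    IN A    203.0.113.25
www     IN A    203.0.113.80
```

Because the two daemons bind different addresses, NSD never performs recursion and unbound is never reachable from outside, which is the separation G's message asks for; on OpenBSD both configs can be checked with unbound-checkconf(8) and nsd-checkconf(8) before starting the services.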