Wrong reference in XINIT(1)?

2024-09-05 Thread Frank Ebert
Hi,

XINIT(1) refers to xdm(1). It should be xenodm(1) instead. Maybe
someone can check this?

HTH
Frank



Re: Single partition fs layout

2024-02-13 Thread Frank Habicht

On 13/02/2024 16:52, Odhiambo Washington wrote:

Thanks a million for such a nice explanation.
Let me now ask Google about those flags.

 ^^
you misspelled "the man pages"

Frank




Re: PF rules to block out every IP from a given country

2022-12-07 Thread Frank Habicht

Hi,

On 07/12/2022 18:36, Peter N. M. Hansteen wrote:
...
> and can now be found at
> https://nxdomain.no/~peter/ripe2cidr_country.sh.txt --

as it says in the script itself, a trivial hack.

And I might add, it comes with *NO* warranties of any kind.


I think instead of :
grep allocated
in the two important lines, it should be :
egrep '(allocated)|(assigned)'

coz both can go to countries.

Frank
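To make the point about "allocated" versus "assigned" concrete, here is an added example (not Peter Hansteen's ripe2cidr_country.sh, and not code from this thread) that reads the RIR "delegated-extended" record format (registry|cc|type|start|value|date|status|...) and emits CIDR blocks for one country. The sample input is constructed from documentation address ranges; the default status filter keeps both allocated and assigned records, and the comparison call shows what a filter on "allocated" alone would drop.

```python
import ipaddress

# Constructed sample in delegated-extended format; these are documentation
# ranges, not real RIPE data. The 768-address record is deliberately not a
# power of two so the split into several prefixes is visible.
SAMPLE = """\
2.3|ripencc|20221207|6|19830705|20221206|+0100
ripencc|*|ipv4|*|4|summary
ripencc|DE|ipv4|192.0.2.0|256|20010101|allocated|0a1b2c
ripencc|DE|ipv4|198.51.100.0|768|20150101|assigned|0a1b2d
ripencc|NL|ipv4|203.0.113.0|256|20150101|allocated|0a1b2e
ripencc|DE|ipv4|100.64.0.0|256|20150101|reserved|0a1b2f
ripencc|DE|ipv6|2001:db8::|32|20150101|allocated|0a1b30
"""


def record_networks(rec_type, start, value):
    """Turn one record into CIDR blocks. For ipv4 records 'value' is an
    address count that need not be a power of two; for ipv6 it is a prefix
    length."""
    if rec_type == "ipv4":
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        return list(ipaddress.summarize_address_range(first, last))
    if rec_type == "ipv6":
        return [ipaddress.IPv6Network(f"{start}/{value}")]
    return []


def country_cidrs(text, country, statuses=("allocated", "assigned")):
    """CIDR strings for every record of `country` whose status is in
    `statuses`. Comment, version and summary lines are skipped."""
    nets = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:
            continue  # version header or per-type summary line
        _registry, cc, rec_type, start, value, _date, status = fields[:7]
        if cc != country.upper() or status not in statuses:
            continue
        nets.extend(str(n) for n in record_networks(rec_type, start, value))
    return nets


if __name__ == "__main__":
    # One prefix per line; such a file can be loaded into a pf table with
    #   pfctl -t country_de -T replace -f de.txt
    for cidr in country_cidrs(SAMPLE, "DE"):
        print(cidr)
```

Run with a real delegated-ripencc-extended-latest file in place of SAMPLE to build a per-country table; the summarize step matters because RIR records are address counts, not prefixes, and a 768-address block becomes two pf table entries.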



Re: Bootloader on USB stick fails with "root device not found"

2021-02-10 Thread Frank Beuth

On Tue, Feb 02, 2021 at 10:50:39PM +0100, Stefan Sperling wrote:

The idea of protecting key disks with a passphrase (two-factor auth) has
been raised before. It has not been implemented yet, simply because nobody
has done the work. A search of the mailing list archives should yield
some prior discussion.


How about backup keys, so I can have a backup passphrase stored 
somewhere safely that works even if I lose my keydisk?


FWIW I ran into the same problem as the OP when trying to put the 
bootloader on external media.




Re: Microsoft's war on plain text email in open source

2020-08-27 Thread Frank Beuth

On Wed, Aug 26, 2020 at 05:44:12PM -0700, Constantine A. Murenin wrote:
Why OpenBSD is to blame when Gmail -- after so many years -- still 
doesn't have proper support for sending text-based attachments the 
right way?


Because large corporations are always right, and the idea is to bend the 
world to suit the needs of the Microsofts and Googles.




Microsoft's war on plain text email in open source

2020-08-26 Thread Frank Beuth
"Linux kernel development  which is driven by plain-text email 
discussion  needs better or alternative collaborative tooling "to bring 
in new contributors and maintain and sustain Linux in the future," says 
Sarah Novotny, Microsoft's representative on the Linux Foundation board.


Said tooling could be "a text-based, email-based patch system that can 
then also be represented in a way that developers who have grown up in 
the last five or ten years are more familiar with," she added.


...

Should it migrate toward something more like, say, issues and pull 
requests on the Microsoft-owned GitHub? “I’m not saying that there will 
be a move in any time that I can see  my crystal ball’s broken  but I do 
think there needs to be expansions in the way people can enter that 
workflow,” said Novotny.


“It is a fairly specific workflow that is a challenge for some newer 
developers to engage with. As an example, my partner submitted a patch 
to OpenBSD a few weeks ago, and he had to set up an entirely new mail 
client which didn’t mangle his email message to HTML-ise or do other 
things to it, so he could even make that one patch. That’s a barrier to 
entry that’s pretty high for somebody who may want to be a first-time 
contributor.”"


https://www.theregister.com/2020/08/25/linux_kernel_email/



Re: Unbound Problems (Reverse Direction)

2020-07-09 Thread Frank Habicht
Hi,

On 09/07/2020 20:44, ken.hendrick...@l3harris.com wrote:
> stub-zone:
> name:  30.24.172.in-addr.arpa.
   good
> stub-addr: 127.0.0.1@53053
> stub-zone:
> name:  2.168.192.in-arpa.arpa.
   typo
> stub-addr: 127.0.0.1@53053
> stub-zone:
> name:  224.in-addr.arpa.
> stub-addr: 127.0.0.1@53053
> stub-zone:
> name:  255.in-addr.arpa.
>     stub-addr: 127.0.0.1@53053

Frank
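The typo Frank spots above ("in-arpa.arpa" instead of "in-addr.arpa") is the kind of thing a small lint pass catches before unbound is restarted. The following is an added example, not part of the thread and not an unbound tool: it scans stub-zone names in an unbound.conf fragment (a constructed copy of the one quoted above), maps each IPv4 reverse zone back to the forward prefix it serves, and reports names that end in .arpa but do not parse as a valid in-addr.arpa zone.

```python
import ipaddress
import re

# Constructed unbound.conf fragment mirroring the quoted one, typo included.
SAMPLE_CONF = """\
stub-zone:
        name: 30.24.172.in-addr.arpa.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 2.168.192.in-arpa.arpa.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 224.in-addr.arpa.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 255.in-addr.arpa.
        stub-addr: 127.0.0.1@53053
"""

# One to four reversed octet labels followed by the exact in-addr.arpa suffix.
V4_REVERSE = re.compile(r"^((?:\d{1,3}\.){1,4})in-addr\.arpa\.?$", re.IGNORECASE)


def reverse_to_prefix(name):
    """'30.24.172.in-addr.arpa.' -> '172.24.30.0/24'. Returns None when the
    name is not a well-formed IPv4 reverse zone (wrong suffix, octet > 255,
    too many labels)."""
    m = V4_REVERSE.match(name.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).rstrip(".").split(".")]
    if any(o > 255 for o in octets):
        return None
    forward = list(reversed(octets)) + [0] * (4 - len(octets))
    prefix = ".".join(str(o) for o in forward)
    return str(ipaddress.IPv4Network(f"{prefix}/{8 * len(octets)}"))


def check_stub_zones(conf):
    """Return (line number, zone name) for every stub-zone name under .arpa
    that is not a valid IPv4 reverse zone. ip6.arpa names are out of scope
    for this check and are skipped."""
    problems = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith("name:"):
            continue
        name = stripped.split(":", 1)[1].strip().strip('"')
        lowered = name.rstrip(".").lower()
        if not lowered.endswith(".arpa") or lowered.endswith("ip6.arpa"):
            continue
        if reverse_to_prefix(name) is None:
            problems.append((lineno, name))
    return problems


if __name__ == "__main__":
    for lineno, name in check_stub_zones(SAMPLE_CONF):
        print(f"line {lineno}: {name!r} is not a valid in-addr.arpa zone")
```

The forward-prefix mapping is the useful part when reviewing a larger config: printing "172.24.30.0/24" next to each stub-zone makes a transposed octet as visible as a misspelled suffix.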



Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog

2020-05-28 Thread Frank Beuth

On Thu, May 28, 2020 at 01:27:15PM +0200, infoomatic wrote:

I just don't get it why some people put so much energy into bashing a
free product instead of just ignoring it if they really hate it. The
time would have been better spent on supporting/improving OpenBSD or
another project.


OpenBSD has mystique, a bunch of brilliant-but-prickly guys building a 
super-secure OS for their own use, everyone's heard of it but few 
actually use it, "ooh OpenBSD, that's hardcore." In a 
systemd-and-Microsoft world it starts to look something like the Man in 
the High Castle of operating systems, which is a tempting target for 
those who like the comfort of the majority.


Release poster idea: "The Pufferfish in the High Castle"



Re: OpenBSD sysupgrade rocks

2020-05-20 Thread Frank Beuth

On Wed, May 20, 2020 at 02:07:27PM -0400, Chris Bennett wrote:

Please don't beg for features.
That's very irritating and wastes everyone's time.

Please don't ask for features, once again.
Really, I mean it. Don't ask for features!


How about a counterpart to `sendbug` called `requestfeature`, which is 
an alias to `fortune` run with a file consisting of Theo's snarkiest 
remarks?




Re: Why isn't src included with OpenBSD? (documentation)

2020-05-18 Thread Frank Beuth

On Mon, May 18, 2020 at 11:10:59AM -0600, Theo de Raadt wrote:

People too young to have grown up with Unix need this sort of
documentation.  We can't live on man pages alone.


YES WE CAN.


Proposed release poster design:

Puffy with puffed out cheeks & paper sticking out of his mouth.

Headline: "Man pages are all you need to live!"

Alternate headlines:
"We *can* live on man pages alone!"
"Man pages: a complete breakfast!"
"Man pages: they're delicious and nutritious!"



Re: Managing multiple OpenBSD systems with a single base install

2020-03-26 Thread Frank Beuth

On Wed, Mar 25, 2020 at 09:28:52PM -0400, Demi M. Obenour wrote:

I am working on an OpenBSD-based QubesOS TemplateVM, and have run
into a few problems.


I don't have answers to your questions, but that sounds like an 
amazingly good and useful project and I wish you all the best in making 
it happen!




Re: Web documentation available offline by default?

2020-03-04 Thread Frank Beuth

On Tue, Mar 03, 2020 at 10:15:31AM -, Stuart Henderson wrote:

On 2020-03-02, Peter N. M. Hansteen  wrote:

I was thinking of the probably quite unlikely event that somebody who wants this
comes up with an actually reproducible way that could be turned into an 
otherwise
unremarkable make target.


From experience with other generated files: it won't get used by
everyone who updates the faq, meaning that it's another thing that
somebody has to watch out for and fix it.

IMHO the only way to fix this is to convert the faq to some other
format that is used to generate a variety of output files (such that
the html files aren't stored in the repository, only the "input"
files, so there's no chance of getting it wrong). And *that* has
enough implications that I don't think it will work well either.


You're right, but I wish you weren't!



Re: Web documentation available offline by default?

2020-02-27 Thread Frank Beuth

On Fri, Feb 28, 2020 at 07:24:50AM +0100, Ingo Schwarze wrote:

Hi Frank,

Frank Beuth wrote on Fri, Feb 28, 2020 at 04:22:27AM +:


Is the web documentation (FAQ etc) included in the base system by
default anywhere,


No it isn't.

I offered some years ago to translate the FAQ from HTML to mdoc(7)
and to include it in /usr/share/man/faq/ such that it would become
available for both -current and -stable both online and offline
without additional maintenance effort just like any other documentation
and such that it would automatically be included in apropos(1)
searches, but the proposal was rejected because the developers who
actually maintain the content of the FAQ consider it easier to
maintain in HTML than in mdoc(7) format.

We don't want to lose the valued contributions of those developers
who actually spend all the work maintaining the FAQ or make their
work any harder than it is now.


Thanks. Too bad the mdoc idea failed!



Web documentation available offline by default?

2020-02-27 Thread Frank Beuth
Is the web documentation (FAQ etc) included in the base system by 
default anywhere, or do we have to pull it from CVS manually?




Re: Trusted Boot with OpenBSD

2020-02-26 Thread Frank Beuth

On Mon, Feb 24, 2020 at 03:22:28PM +0100, Julius Zint wrote:

boot(8) supports the machine specific command "tpm". This allows a
user to:

1: read the current contents of the Platform Control Registers (PCR)
  with the "pcr" parameter

  machine tpm p[cr]

2: seal a user supplied secret to the current PCR values and store it
  in the second block on a disk, that can be altered via a parameter.
  WARNING: If there is any other data in this block, it will be
  overwritten without asking again.

  machine tpm s[eal] secret [DiskNumber]

3: unseal a previously sealed secret and display it to the user. This
  command just reads the second block of the disk that can be
  specified by the user and unseals it via the TPM

  machine tpm u[nseal] [DiskNumber]


I hope you are enjoying your (well-earned) vacation.

I can't tell from the instructions how the FDE encryption key is stored 
-- do we manually seal it to the TPM and then manually unseal and 
copy/paste it every time we boot? Or is it assumed the user will write a 
script to handle this -- a script which itself will have to be measured 
by the TPM?




Re: Full disk encryption including /boot, excluding bootloader?

2020-02-18 Thread Frank Beuth

On Tue, Feb 18, 2020 at 08:05:29AM +0100, Paul de Weerd wrote:

On Tue, Feb 18, 2020 at 05:12:25AM +, Frank Beuth wrote:
| Yes, it's a cool way to combine things to get unexpected functionality.
| I haven't dug into the bootloader much... is there a reasonably easy way
| to get the USB-stick-bootloader to boot the hard drive partition by
| default?

Best way to dig into the bootloader is by starting at its fine manpage
which you can read online at http://man.openbsd.org/man8/amd64/boot.8

The quick answer is `echo 'boot sr0a:/bsd' > /etc/boot.conf` (on the
USB-stick's root filesystem).


Thanks!



Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Frank Beuth

On Mon, Feb 17, 2020 at 06:44:25PM +0100, Paul de Weerd wrote:

On Mon, Feb 17, 2020 at 01:35:38PM +, Frank Beuth wrote:
| > | This way the evil maid would have nothing to tamper with.
| >
| > Note that with this approach, a default OpenBSD install to your
| > machine will still install a bootloader on the physical disk inside
| > your machine.  It's then on you to NOT use that.
|
| That's a heck of a hack!

Not sure how you mean that - I don't think it's that much of a hack,
mostly an interesting side-effect of how the bootloader works in
general.  Taken in combination with a "normal" install to removable
media, you get basically exactly what you want at no additional cost.

Note that you don't have to do a full (or even minimal) install, if
all you really want is use the bootloader on the removable media.
It's just the easiest way to prepare it that I know of.  Besides, if
you do a 'normal' install, you have a convenient 'live' or 'rescue'
system to carry around with you whenever you go: I've got one of these
on my keychain :)


Yes, it's a cool way to combine things to get unexpected functionality.
I haven't dug into the bootloader much... is there a reasonably easy way
to get the USB-stick-bootloader to boot the hard drive partition by
default?



Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Frank Beuth

On Mon, Feb 17, 2020 at 04:09:57PM +0100, Julius Zint wrote:



I'm not really in a position to reflash my machine but I would still be
curious for details.


There is no need to reflash your firmware if the system has an integrated
and supported TPM 1.2 chip.

The prototype uses a Static Root of Trust for Measurement (SRTM) approach
where the Chain of Trust is extended from a small immutable firmware part
up to boot(8). Every component in the boot chain is responsible for measuring
the components that it hands control of the system to. Measuring just means
calculating the hash and sending it to the TPM. The following example is the
Chain of Trust from my test system Lenovo Thinkpad X240 with OpenBSD.

1: Core Static Root of Trust for Measurement (C-SRTM) (immutable part of the Firmware)
2: Firmware (including OptionROMS)
3: MBR (mbr(8))
4: PBR (biosboot(8))
5: boot(8) (residing in the softraid(4) metadata when FDE is enabled)

I changed the mbr(8) and biosboot(8) to support measuring their next component.
Because there is very little available space left in the 440 bytes of the mbr(8)
start program, you have to choose between CHS and measurement support at compile
time.

boot(8) got support via a machine specific command to seal and unseal a secret of
your choosing to any drive. Sealing and unsealing means encrypting/decrypting
data depending on the state of the Platform Control Registers (PCR). PCRs are in
the TPM NVRAM and store the measurements.

With the laptop being in a trusted state, you can seal a secret and store it on a
usb drive. When you want to verify that the software components are unchanged, you
plug in the usb drive and unseal the secret. If the output shows the correct secret
and you were the only person knowing it, then there is a very high chance that the
early boot components are unchanged.

Some feedback from the OpenBSD community on this would also be appreciated. Are there
enough people interested in a Trusted Boot with OpenBSD?


That's amazing if you can get it to work without reflashing. Are you
then sealing the disk encryption key?

Unfortunately I have to be a bit conservative with my laptop, but I
would be quite interested in testing this once it's
near-production-ready.
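The measure-then-seal mechanism Julius describes above (PCR extend as a hash chain, sealing as encryption bound to the PCR state, unseal failing when any early-boot component changed) can be followed in software. The following is an added example written for this page; it is not code from the thesis prototype or from OpenBSD's boot(8), and it does not talk to a real TPM. A Python class stands in for the chip: it holds a bank of 24 SHA-1 PCRs (the TPM 1.2 size) and a chip-internal root key that never leaves the object. The boot chain components and the PCR index each stage lands in are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

PCR_COUNT = 24
PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest


class SimTpm:
    """Software stand-in for a TPM: PCR bank plus a chip-internal root key.
    Because the key never leaves the object, a sealed blob is useless to
    any other chip, tampered or not."""

    def __init__(self, root_key):
        self.root_key = root_key
        self.reset()

    def reset(self):
        """Power-on state: every PCR is all zeros."""
        self.pcrs = [b"\x00" * PCR_SIZE for _ in range(PCR_COUNT)]

    def extend(self, index, component):
        """PCR[i] = SHA1(PCR[i] || SHA1(component)). A PCR can only be extended,
        never written, so its value depends on every component measured into
        it and on their order."""
        digest = hashlib.sha1(component).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def composite(self, indices):
        """Digest over the selected PCRs; sealed data is bound to this value."""
        return hashlib.sha1(b"".join(self.pcrs[i] for i in sorted(indices))).digest()

    def _keystream(self, nonce, bound_to, length):
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + bound_to + counter.to_bytes(4, "big")
            out += hmac.new(self.root_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, secret, indices):
        """Encrypt `secret` under a key derived from the root key and the
        current PCR composite, and authenticate the result. The composite
        itself is not stored in the blob."""
        bound_to = self.composite(indices)
        nonce = os.urandom(16)
        ks = self._keystream(nonce, bound_to, len(secret))
        ct = bytes(a ^ b for a, b in zip(secret, ks))
        tag = hmac.new(self.root_key, nonce + bound_to + ct, hashlib.sha256).digest()
        return {"pcrs": sorted(indices), "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob):
        """Return the secret only if the PCRs now hold the composite they held
        at seal time; any other platform state (or chip) yields None."""
        bound_to = self.composite(blob["pcrs"])
        expected = hmac.new(self.root_key, blob["nonce"] + bound_to + blob["ct"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None
        ks = self._keystream(blob["nonce"], bound_to, len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))


# Constructed boot chain in the order the message lists it. The PCR index
# chosen for each stage is an assumption made for this example.
GOOD_CHAIN = [
    (0, b"firmware image (constructed)"),
    (2, b"option ROMs (constructed)"),
    (4, b"mbr(8) and biosboot(8) (constructed)"),
    (5, b"boot(8) from softraid(4) metadata (constructed)"),
]
# Same chain, but boot(8) differs by one trailing byte.
TAMPERED_CHAIN = GOOD_CHAIN[:3] + [(5, b"boot(8) from softraid(4) metadata (constructed) ")]
SEALED_PCRS = [0, 2, 4, 5]


def measured_boot(tpm, chain):
    """Power cycle, then let each stage measure the next into its PCR."""
    tpm.reset()
    for index, component in chain:
        tpm.extend(index, component)


def seal_on_trusted_machine(tpm, secret):
    """Done once while the machine is known-good; the blob goes on the USB stick."""
    measured_boot(tpm, GOOD_CHAIN)
    return tpm.seal(secret, SEALED_PCRS)


def verify_boot(tpm, chain, blob):
    """What the user does at the boot prompt: boot, unseal the blob, and compare
    the output with the remembered secret."""
    measured_boot(tpm, chain)
    return tpm.unseal(blob)


if __name__ == "__main__":
    tpm = SimTpm(os.urandom(32))
    blob = seal_on_trusted_machine(tpm, b"constructed secret")
    print(verify_boot(tpm, GOOD_CHAIN, blob))      # the secret comes back
    print(verify_boot(tpm, TAMPERED_CHAIN, blob))  # None: early boot changed
```

Two design points carry over to the real thing: the blob stores no expected PCR values, so reading the USB stick tells an attacker nothing about the measurements it was bound to, and the check is only as strong as the user's ability to recognise the secret, which is why the message stresses that only you should know it.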



Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Frank Beuth

On Mon, Feb 17, 2020 at 11:56:24AM +0100, Paul de Weerd wrote:

But you can already do this.  If your machine supports booting from
USB, you can do a minimal install to a USB stick (using FDE, if you
want).  Now you have a portable OpenBSD environment you can boot on
any system capable of booting from USB (and supporting the same kernel
architecture).

What you can also do with this USB stick is use its bootloader to boot
the OS stored on the disk inside your machine (FDE encrypted or not).

I've used this to fix up installs gone sour on my machines in the
past.  Works a treat.  I don't use it to prevent the evil maid case
you describe though, but I think it would work just fine.

| This way the evil maid would have nothing to tamper with.

Note that with this approach, a default OpenBSD install to your
machine will still install a bootloader on the physical disk inside
your machine.  It's then on you to NOT use that.


That's a heck of a hack!



Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Frank Beuth

On Mon, Feb 17, 2020 at 11:13:27AM +0100, Julius Zint wrote:

I recently finished my master's thesis that solves this problem by including
the Trusted Platform Module (TPM) in the boot process of OpenBSD.

It extends the Chain of Trust up to boot(8) and allows you to seal a
secret of your choice to the platform state.

To check whether the unencrypted boot components got tampered with, you
can unseal and verify the secret to ensure that the contents of the
MBR, PBR and boot(8) are unchanged.

It is not exactly the solution you were looking for but it should solve
the problem that you describe. Does this sound like something you would be
willing to try and does your machine have a TPM 1.2 chip?


That sounds absolutely fascinating. Are you familiar with the Heads
firmware? How is your approach different?

I'm not really in a position to reflash my machine but I would still be
curious for details.



Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Frank Beuth

On Sat, Feb 15, 2020 at 12:22:02PM +0100, no@s...@mgedv.net wrote:

>depends what you want to achieve, but my recommendation is booting from USB
>and mount encrypted root from the HDD.
>you can safely remove the usb key after root mount and all your configs/etc
>files are used from the encrypted storage.
>this ensures 2 things: bootloader + kernel on USB boot media cannot be
>attacked during system uptime and all bytes on disk are encrypted.
>another advantage is, you don't need (to type, write down or remember) any
>passphrases but can use strong random data for crypto payload/keys.
>

How do you do this on OpenBSD?

@frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk


That's telling me how to use a keydisk -- how to put the softraid FDE
encryption key material on a USB disk.

If an evil maid came by and got access to my machine, they would still
be able to tamper with the bootloader code to harvest the FDE password
when I returned.

I want to put the whole bootloader (including the code used to decrypt
the softraid-FDE-encrypted root-partition-containing media) on a USB
disk.

This way the evil maid would have nothing to tamper with.



Re: Full disk encryption including /boot, excluding bootloader?

2020-02-14 Thread Frank Beuth

On Thu, Feb 13, 2020 at 01:31:43PM +0100, no@s...@mgedv.net wrote:

depends what you want to achieve, but my recommendation is booting from USB
and mount encrypted root from the HDD.
you can safely remove the usb key after root mount and all your configs/etc
files are used from the encrypted storage.
this ensures 2 things: bootloader + kernel on USB boot media cannot be
attacked during system uptime and all bytes on disk are encrypted.
another advantage is, you don't need (to type, write down or remember) any
passphrases but can use strong random data for crypto payload/keys.



How do you do this on OpenBSD?



Re: How to hide my server's IP?

2020-02-03 Thread Frank Beuth

On Mon, Feb 03, 2020 at 10:46:03AM +0100, Janne Johansson wrote:

The attacker would thereby be able to find your IP
address.



By the time your opponent is running code on your server, this piece of
information is probably the least interesting part of the whole puzzle.


Not at all. For people running hidden/onion/i2p services (as I assume
the OP is doing) being able to hide the IP from an attacker can be very
important. If you run a server for the Hong Kong protests, you
probably don't want the authorities to be able to find out which
apartment block to raid, even if they find an exploit in the software.



Re: How to hide my server's IP?

2020-02-02 Thread Frank Beuth

On Sun, Feb 02, 2020 at 09:24:20PM +, Arthur Wayside wrote:

Hello.

Say I run a webapp inside a chroot and someone manages to hack it and gain 
shell access. Can I then somehow hide my server's IP from the likes of ifconfig?


If you want to hide your public IP from a particular application for
security reasons, the only way I know of to reliably do this is to run
that application on a physically separate server or inside a virtual
machine, and then bridge/port forward traffic to the VM. This way the
application (and any system components it has access to) can only ever
know the internal IP address of the server or virtual machine.

Otherwise it would be possible for an attacker to, for example, hack
your webapp to have it phone home to some external server controlled by
the attacker. The attacker would thereby be able to find your IP
address.

A less-secure approach would be a local firewall that only permits
outgoing network access to processes run by a specific user (which is
NOT the user account of your webapp) and then have the forwarding
handled by an application running under that user account. (this is the
approach taken by the TAILS Linux+Tor live USB)



Re: Question about marketability of OpenBSD Laptops

2020-01-26 Thread Frank Beuth

On Sat, Jan 25, 2020 at 07:26:35PM -0500, Chris Bennett wrote:

Try this. Put OpenBSD on a USB stick. Then try to get ANYONE to boot it
on their laptop/desktop. I gave up after about 25 tries over the years.

Next, try this. Give away a few laptops with OpenBSD already installed
for free. Check back with these people 3 months later. You won't find a
single one with OpenBSD still installed unless they just stuffed it in a
closet.


If I was going to do it, I would include at least 5-10 hours of
one-to-one training (how to use & set everything up, etc) then regular
check-backs at monthly intervals.

In other words, think of it more like a consulting arrangement (which
others already offer) than a hardware give-away or sale.

The reason is that -- in my experience -- the most important part of
computer security is the part which exists between the computer and the
chair.

If the end user has no clue, they will find a way to fuck up even
OpenBSD. Or they will just not use it.

You have to work out how to make OpenBSD a better solution than whatever
it is they currently have... then ensure they understand the situation
enough to use the setup securely.

OpenBSD won't stop you from clicking on a phishing email and entering
your credit card.



Re: Userland PCI drivers possible in OpenBSD?

2020-01-10 Thread Frank Beuth

On Fri, Jan 10, 2020 at 07:23:26PM -0500, gwes wrote:

On 1/9/20 10:58 PM, Joseph Mayer wrote:

Maybe this topic is better suited for tech@, you tell:

Is there some way I can implement PCI drivers in userland in OpenBSD?

Is there any reason not to write a conventional device driver and
build an OS including that driver?


You and/or the original poster may want to look at MirageOS: https://mirage.io/

Depending on the application, the custom-unikernel approach may offer an
otherwise-impossible combination of performance and security.



Re: perl popularity inside openbsd community? (Re: Suggestion: Replace Perl ...)

2020-01-01 Thread Frank Beuth

On Wed, Jan 01, 2020 at 03:30:44PM +0100, Marc Chantreux wrote:

why is this ? return is the perl yield. the only difference is that the
"exhausted" situation is on your own. so basically:

   def count_from(x):
       while True:
           yield x
           x = x + 1

   naturals = count_from(0)
   print(next(naturals))
   print(next(naturals))
   print(next(naturals))
   print(next(naturals))

is written in perl

   use experimental 'signatures';
   use feature 'say';

   sub count_from ($x) { sub { $x++ } }
   sub NEXT ($generator) { $generator->() }
   my $naturals = count_from 0;

   say NEXT $naturals;
   say NEXT $naturals;
   say NEXT $naturals;
   say NEXT $naturals;






* perl were about unix culture, mailing lists and so on: they setup a
 comfortable cocoon to work together and this cocoon became an echo
 chamber when the other communities started to use third party services
 like stack overflow.


https://github.com/drathier/stack-overflow-import


* the python community was unfair comparing the languages (using ugly
 perl code and nice python counterparts). instead of taking time to
 explain all the biases, perl community repeatedly asserted that the
 authors of those articles were incompetent and went away.


Not sure about anyone else, but comparing the Python vs Perl example you
gave above, I would still say Python is the nicer-looking language.



Re: Suggestion: Replace Perl with Lua in the OpenBSD Base System

2020-01-01 Thread Frank Beuth

On Wed, Jan 01, 2020 at 10:29:53AM +, e...@isdaq.com wrote:

But I don't want deeper point to get missed -- which is that if eecd
doesn't like the idea of regulating what the programmer can do, then the
programmer has to have the skills to safely write unsafe code.


no you're belying the point: the good programmer regulates himself
while you want to police everything and everyone else to compensate for
your own shortcomings


I don't think I suggested anywhere that I want to police anyone else. I
largely agree with what you write with respect to self-regulation.
However, I'm not sure that ranting about it on misc@ is the most
effective way to make positive progress in the desired direction.



Re: Suggestion: Replace Perl with Lua in the OpenBSD Base System

2020-01-01 Thread Frank Beuth

On Tue, Dec 31, 2019 at 11:56:46PM -0700, Bob Beck wrote:

read fucking code.  change fucking things. send some fucking diffs. get
fucking yelled at. learn from your fucking mistakes.  show some fucking
passion.  filter fucking misc@ and all this useless bleating into the
toilet.

none of us have time to spoon feed you in some “boot camp”

there are two types of programmers. the self taught, and the hopeless. it
is your job to turn yourself from the hopeless to the self taught.

shut up and fucking hack.


Well put.

But I don't want deeper point to get missed -- which is that if eecd
doesn't like the idea of regulating what the programmer can do, then the
programmer has to have the skills to safely write unsafe code.






On Tue, Dec 31, 2019 at 23:50 Frank Beuth  wrote:


On Wed, Jan 01, 2020 at 04:00:37AM +, e...@isdaq.com wrote:
>rather than the programmer being responsible for
>writing unsafe
>code we need to regulate what the programmer can do just like we need to
>regulate what the community can say, do, see, and think.

where do I sign up for OpenBSD write-perfect-C-code programmer training
bootcamp?






Re: Suggestion: Replace Perl with Lua in the OpenBSD Base System

2019-12-31 Thread Frank Beuth

On Wed, Jan 01, 2020 at 04:00:37AM +, e...@isdaq.com wrote:
rather than the programmer being responsible for writing unsafe
code we need to regulate what the programmer can do just like we need to
regulate what the community can say, do, see, and think.


where do I sign up for OpenBSD write-perfect-C-code programmer training 
bootcamp?



Re: regression tests (was: OpenBSD Errata: December 11th, 2019 (ldso))

2019-12-15 Thread Frank Beuth

On Sat, Dec 14, 2019 at 11:39:57AM +0100, Claus Assmann wrote:

On Sat, Dec 14, 2019, Frank Beuth wrote:


OpenBSD doesn't have unit tests (or if they are, they're not in the main


Hmm, what about src/regress/ ?


Ah, that's what I was looking for. Not sure how I missed that.



Re: OpenBSD Errata: December 11th, 2019 (ldso)

2019-12-14 Thread Frank Beuth

On Wed, Dec 11, 2019 at 01:51:18PM -0500, T.J. Townsend wrote:

Errata patches for ld.so have been released for OpenBSD 6.5 and 6.6.

ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
set-user-ID and set-group-ID executables in low memory conditions.


The security advisory connected with this bug indicates the patch was
published within 3 hours of reporting: 
https://www.openwall.com/lists/oss-security/2019/12/11/9

OpenBSD doesn't have unit tests (or if they are, they're not in the main
source tree). How does the project ensure that such wonderfully quick
fixes don't introduce new bugs?



Re: Skype alternatives for OpenBSD

2019-11-04 Thread Frank Beuth

On Sun, Nov 03, 2019 at 11:12:48AM +, Andrew Luke Nesbit wrote:

On 03/11/2019 10:55, Frank Beuth wrote:

Not sure about the original poster but I would be interested in
any end-to-end encrypted video/audio/chat programs that are
available.


Have a look at Tox.  It might work out for you on a technical level.


Are Tox and/or Matrix available on OpenBSD? I only see a FreeBSD version
of Tox, while 'matrix' is a fairly generic name so hard to say.



Re: Skype alternatives for OpenBSD

2019-11-03 Thread Frank Beuth

On Sun, Nov 03, 2019 at 04:51:48PM +1000, Stuart Longland wrote:

Do you need any video conferencing software (i.e. the group running the
online class is willing to switch to whatever you can get working?), or
do you specifically need Skype?


Not sure about the original poster but I would be interested in any
end-to-end encrypted video/audio/chat programs that are available.



Re: A promotional idea (related to quantum computing / hacking)

2019-10-26 Thread Frank Beuth

On Sat, Oct 26, 2019 at 02:53:42PM +0800, Jyri Hovila [Turvamies.fi] wrote:

Maybe OpenBSD could profile itself as *the* OS with all crypto related stuff is 
handled using post-quantum cryptography?


I don't think OpenBSD wants to "profile itself" as anything.

Are post-quantum algorithms well reviewed and stable enough to be worth
using as defaults for OpenBSD full disk encryption, OpenSSH,
LibreSSL...?

Do you or anyone else have the expertise to implement them?



Re: On blindly running code

2019-10-18 Thread Frank Beuth

On Fri, Oct 18, 2019 at 01:20:33PM +0100, cho...@jtan.com wrote:

Frank Beuth writes:

On Fri, Oct 18, 2019 at 11:54:18AM +0100, cho...@jtan.com wrote:
>Virtualisation is not a panacea. I have managed to achieve data loss through
>destructive actions taken within a "safe" virtualised sandbox.

How did you manage that feat?


Basically assuming "safe" then taking actions to subvert that, namely
mounting an SMB share within the VM. rm(1) does not discriminate. My
own fault obviously but it's notable that the "virtual environment ==
safe" assumption was shattered so effectively, so easily, and by
actions which in most circumstances would be benign.


Poking holes in parachutes has been known to impair their function,
yes...



Re: Requesting vi tips

2019-10-18 Thread Frank Beuth

On Fri, Oct 18, 2019 at 03:12:37PM +0100, cho...@jtan.com wrote:

Alternatively is there something that would make vi do it on the fly, or
something akin to emacs' C-q or vim's gq. Although I appreciate the fact
that vi doesn't try to be clever.


1) select all text in visual mode (e.g with V, then gg)
2) :!fmt -w 72

disclaimer: vi is aliased to vim on my system so apologies if this
doesn't work



Re: On blindly running code

2019-10-18 Thread Frank Beuth

On Fri, Oct 18, 2019 at 11:54:18AM +0100, cho...@jtan.com wrote:

Virtualisation is not a panacea. I have managed to achieve data loss through destructive 
actions taken within a "safe" virtualised sandbox.


How did you manage that feat?



If the only thing that can demonstrate what a piece of code does is to run it 
blindly, rather than to work it out by reading and study, then the code is 
faulty and should be replaced. I expect the code I use to be in this state 
before I will even begin to trust its documentation because if the developer 
doesn't understand what it does how can his explanation be at all enlightening? 
Executing code in a test environment should only be to *verify* the assumptions 
and calculations you have *already made*.


In the world of malware analysis, running code blindly (in a virtual
machine) in order to figure out what it does (by comparing "before" and
"after" snapshots) is standard operating procedure.

(standard operating procedure doesn't necessarily make it a good idea,
but it is what it is)
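The "before" and "after" snapshot comparison mentioned above, as an added example that is not part of the thread: a minimal filesystem snapshotter and differ of the kind an analyst runs inside the analysis VM. It hashes every regular file under a root, skips symlinks so a link cannot point the walk outside the tree, and classifies paths as added, removed or modified. The tree and the changes applied to it are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root.
    Symlinks are skipped so a link cannot make the walk read outside root."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if p.is_symlink() or not p.is_file():
                continue
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before, after):
    """Classify every path as added, removed or modified (size or hash changed)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo():
    """Build a constructed tree, snapshot it, apply changes of the kind a
    sample run leaves behind, and diff the two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "rc.local").write_text("# constructed startup script\n")
        (root / "README").write_text("constructed sample tree\n")
        before = snapshot(root)

        # Constructed "after" state: a startup file changed, a file added, a
        # file removed. Changes to startup files are what an analyst looks at first.
        with open(root / "etc" / "rc.local", "a") as fh:
            fh.write("/usr/local/bin/added-tool &\n")
        (root / "bin" / "added-tool").write_bytes(b"\x7fELF constructed placeholder")
        (root / "README").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

Hashing rather than comparing mtimes is deliberate: a sample that restores timestamps after editing a file still changes its content hash. Snapshot the "before" state from outside the guest (or from a read-only boot) where possible, since a snapshot taken by a tool running inside a compromised guest is itself part of what may have been tampered with.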



Re: OpenBSD Project

2019-07-21 Thread Frank Beuth

On Sun, Jul 21, 2019 at 10:37:40AM -0600, Theo de Raadt wrote:

I'm mentioning this to highlight the false pattern of
believing "democracy is a required component" in a world where people
forget the most dominant models in all industries are a mix of
fascism, monarchies, or well ... plutocracy.

And what OpenBSD is doing is industry, plain and simple.


So you're saying OpenBSD is a... theocracy?



OpenBSD's FBI file

2019-07-21 Thread Frank Beuth

https://www.muckrock.com/foi/united-states-of-america-10/foia-fbi-openbsd-70084/

Earlier this year I FOIAed the FBI for details on allegations of a backdoor installed 
in the IPSEC stack in 2010, originally discussed by OpenBSD devs 
(https://marc.info/?l=openbsd-tech&m=129236621626462). Today, I got an 
interesting but unexpected responsive record: 
https://www.muckrock.com/foi/united-states-of-america-10/foia-fbi-openbsd-70084/
#FOIAfriday

The record I was provided by the FBI was created Sept. 2002, and details a 
separate investigation into an operation titled 'OPERATION 0DAY COMPUTER 
INTRUSIONS': 
https://cdn.muckrock.com/foia_files/2019/07/19/Ecd74aeb090e009e1ede26e1a0fe860c184bb6797_Q52218_R348013_D2256726.pdf

To my knowledge there are no other public agency records available regarding 
this.

There are a lot of redactions here, but it looks like the focus here might have 
been an exploit that lead also to the following OpenSSH vuln: 
https://web.archive.org/web/20080622172542/www.iss.net/threats/advise123.html …

"OpenBSD was compromised through the internet host http://cvs.openbsd.org  or 
http://ftp.openbsd.org ,.. [REDACTED] claimed on IRC channel [REDACTED] which he connects 
to from internet hosts in Australia, to have committed the hack."

https://twitter.com/RooneyMcNibNug/status/1152329067707928583



Re: Evernote Alternative?

2019-06-28 Thread Frank Beuth
git init a folder, keep your notes as plain text files in that folder, and use 
standard git commands to sync changes everywhere?


On Fri, Jun 28, 2019 at 01:58:34PM -0400, Christopher Turkel wrote:

Is there a how to about to use git for this? It sounds awesome.

On Friday, June 28, 2019, Chris Humphries  wrote:


Hrm, I'm not finding a leannote port available for OpenBSD. Is it
available in an alternate location.

http://openports.se/search.php?stype=folder&so=leannote

The screenshots and features look nice.

-Chris

On Fri, Jun 28, 2019 at 05:06:23PM +, drozdow wrote:
> leannote / just use git
>
> Sent from ProtonMail mobile
>
>  Original message 
> On 28 Jun 2019, 1:32 AM, Chris Humphries wrote:
>
> > Hello,
> >
> > I have been looking to migrate off of Evernote for a while, and now
> > that my daily driver is OpenBSD, I am more motivated to migrate from
> > Evernote to something else (nixnote2 isn't a port and looks to be a
> > pain to make a port of).
> >
> > I keep a lot of my brain in Evernote, and having a replacement is a
> > big productivity boost for me. I mainly want a way to categorize notes
> > into categories/labels/notebooks, be able to view all notes in that
> > category/label/notebook, and be able to search all notes.
> >
> > If I could also access that information from a mobile device, that
> > would be great but not required.
> >
> > I did a lot of searching and the only thing I see that comes close
> > that a port exists for is Zim, which looks like it could work on most
> > fronts.
> >
> > Have you made a transition from Evernote/Onenote before? If so, what
> > did you do?
> >
> > Thank you!
> >
> > --
> > Chris Humphries 
> > 5223 9548 E1DE DE87 F509 1888 8141 8451 6338 DD29






Re: Ansible install Re: Reboot and re-link

2019-06-24 Thread Frank Beuth

On Mon, Jun 24, 2019 at 10:59:44AM +0200, David Sastre wrote:

I would not consider ansible as the right tool to provision a system
from scratch (as in PXE booting, etc...).
Ansible is better used on a system you can connect to using SSH and
perform actions as required, with or without doas, as you surely know.
You don't mention cloud providers/VPS you are trying to bootstrap
OpenBSD to, but the way I'd tackle this situation, if I have
understood your use case correctly, is as follows:

- Find out if the specific cloud provider is supported by packer [1]
(packer itself can be run in OpenBSD[2]).
 Custom builders can be written, but might be overkill for the task at hand.
- If the answer is yes, create a template to bootstrap an OpenBSD image.
 You can find many examples online[3]. The specifics of the packer
template vary depending on the cloud provider,
 but usually you can bootstrap the system from an ISO (or an existing
AMI, if in AWS), and finish provisioning
 the configuration using ansible.


And what if the answer is no? You didn't mention that :)

Yes, Ansible is not really the right tool for installing new images onto 
machines or re-imaging servers. Yes, Packer and Terraform (both from the same 
company) are superb and wonderful ways of managing machines on AWS/Azure/the 
rest of the API-enabled IaaS crowd.


However great the Big Cloud providers are, though, sometimes they are not 
suitable for a project, and instead one is left in the position of bartering 
a cow in exchange for a VPS instance at HostElbonia, where you're lucky if the 
API is RFC 2549 compliant.


And in general, one of the things I like most about OpenBSD is the design for 
simplicity, emphasizing standard, boring interfaces that are extremely 
reliable and which don't require the "hot new shiny object" du jour. 

So while yes, automated provisioning of AWS over the API is an option, as is 
setting up the Linux VPS as a hypervisor running OpenBSD... it doesn't quite 
feel right.


It sounds like a custom bsd.rd with auto_install.conf, dropped onto the /boot 
partition by Ansible (or some other script or management tool!) is the way to 
go for this. 

I have a few other projects to deal with, but it is on my to-do list, and if I 
come up with something potentially useful to others then I will try and write 
it up in some form.




Re: Ansible install Re: Reboot and re-link

2019-06-24 Thread Frank Beuth

On Mon, Jun 24, 2019 at 11:43:36AM +0300, Gregory Edigarov wrote:
I don't want to re-open the hostilities, but installing OpenBSD via 
Ansible is very relevant to my interests. Previously discussed on 
this list was a very roundabout approach using Qemu -- is there a 
better way now?


it's all easy given it is some IaaS provider, just use terraform to 
create the ground, (terraform could also be used to upload keys, and 
do some preconfiguration) then call ansible.


Terraform looks great, but while some of the providers I need to support are 
listed (https://www.terraform.io/docs/providers/index.html ) that's not true of 
all of them, and probably never will be. In general, being bound to Big Cloud 
(AWS / DigitalOcean / et al) is not desirable.


On top of this, my objective for this project is to support the most generic 
and standardised possible interface ("image with the provider's web interface 
and SSH in after") rather than develop a system that implicitly encourages 
lock-in.


Nevertheless looks like a superb tool if it fits.



Re: Ansible install Re: Reboot and re-link

2019-06-23 Thread Frank Beuth

On Sun, Jun 23, 2019 at 10:49:22AM +0300, cho...@jtan.com wrote:

Frank Beuth writes:




You go ahead and continue to trust your VPS without taking any care to
consider where your software comes from.

It's choices like that which make "hardening" even be a thing. Have you
considered _not_ building a system on a foundation made of cheese?


Of course, but those are the constraints I have to deal with.

Naturally a dedicated bare-metal server would be preferable, but that is not 
always possible. Given the tremendous popularity of VPS hosting, it does seem 
like I am not alone.


Just because there is risk on the back-end of the system does not mean we 
should be careless in other respects.




Re: Ansible install Re: Reboot and re-link

2019-06-22 Thread Frank Beuth

On Sat, Jun 22, 2019 at 03:06:30AM +0100, Andrew Luke Nesbit wrote:

On 21/06/2019 19:02, Frank Beuth wrote:

I don't want to re-open the hostilities, but installing OpenBSD via
Ansible is very relevant to my interests.


I feel exactly the same way and am surprised that Ansible caused
hostilities.  Can you send me a link to the thread where this happened
please?  I want to know why, i.e., pros and cons.


It doesn't look to me like Ansible as such caused any trouble, it was someone's 
use of Ansible in an unsupported way (and probably many other configuration 
choices), leading to further problems, and then people got angry.


For details search the misc@ archives for "Reboot and re-link" (the subject 
line), things got spread across multiple threads:

https://marc.info/?l=openbsd-misc&w=2&r=1&s=Reboot+and+re-link&q=t



Re: Ansible install Re: Reboot and re-link

2019-06-22 Thread Frank Beuth

On Sat, Jun 22, 2019 at 10:29:22PM +0300, cho...@jtan.com wrote:


Ansible is not the correct tool for this job; it can only configure and
maintain an _extant_ system.

None of the recent plethora of configuration management tools have
considered the scenario *before* an operating system has been
installed. All of them expect the server to exist and for secured
communication channels to have been established between it and the
master control system before they are operable.


That's the interesting thing in my case (at least)... the system *IS* already 
extant!


It has a nice shiny new Ubuntu/Debian/Fedora/centOS install that has just been 
imaged onto it using the hosting provider's default tooling, and SSH is already 
configured. (without blindly saying "yes" to the unexpected-fingerprint prompt)


Normally in this situation one would just use Ansible to harden the default 
Linux install and configure whatever applications are needed. But in this case 
I feel like hardening the Linux install even more, by replacing it with OpenBSD 
:)


Maybe I'm wrong, but it seems like if this problem were well-solved then it 
would make it easier to use OpenBSD in many more applications and situations.



FWIW I'm working on-and-off on a tool which specifically automates
*that* problem (build a new server/vm/chroot with zero human
interaction so Ansible et al. can subsequently and safely take over)
but what I've released so far is alpha quality at best.

Conveniently if you're only targeting OpenBSD then it's entirely
useless because, provided you can use PXE*, the OpenBSD developers have
already solved it.

Without Ansible.

Matthew

[*] The autoinstall/siteXX.tgz/etc. solution provided by the OpenBSD
developers is very good but there are some questions I have around
integrity on a potentially untrusted network. However as I'm trying to
target more than just OpenBSD, and I don't trust any network, I've
simply abandoned the idea of using PXE in my own environments so I
haven't looked into the answers to them. YMMV.


I'd love to see your tool. PXE is mostly not available for this case (in 
general I am trying to target the most generic possible situation).




Re: Ansible install Re: Reboot and re-link

2019-06-22 Thread Frank Beuth

On Sat, Jun 22, 2019 at 10:28:53AM -0700, Lyndon Nerenberg wrote:


We are looking forward to that.  *However*, there is a lot to be
said for regularly re-installing your hosts from scratch.  This
ensures your installer scripts don't rot as host system "features"
accrete over time.  This is prone to happen when you Ansible- or
Puppet-manage servers.  Things get added, things get removed.  Often
you miss hidden dependencies that sneak in; you don't want to be
discovering those when you're trying to reinstall a production host
after a catastrophic failure.


Yes, and being able to Ansible-manage even the re-installation would make the 
whole process that much nicer :)




Re: Ansible install Re: Reboot and re-link

2019-06-22 Thread Frank Beuth

On Sat, Jun 22, 2019 at 04:41:47AM +0100, Andrew Luke Nesbit wrote:

On 21/06/2019 19:02, Frank Beuth wrote:

I don't want to re-open the hostilities, but installing OpenBSD via
Ansible is very relevant to my interests.


I feel exactly the same way and am surprised that Ansible caused
hostilities.  Can you send me a link to the thread where this happened
please?  I want to know why, i.e., pros and cons.


It's the parent thread of this one (look for subject line "Reboot and 
re-link").


The issue was not Ansible, just that the original thread poster got very angry 
with people.




Re: Ansible install Re: Reboot and re-link

2019-06-21 Thread Frank Beuth

On Fri, Jun 21, 2019 at 01:20:44PM -0700, Misc User wrote:


You could stick bsd.rd onto a bootable partition then point grub to it.
You could also disable password login for root and just use a key pair.
That way you wouldn't be sending the password encrypted (or at most only
giving it a password that is useless without console access, then run
'doas passwd' the first chance you get to eliminate even that vector).
That temp password could even be a long string of random junk so long as
you enter it twice.

You could copy bsd.rd and a copy of your pub key into /boot, or carve
out a new partition using some unused disk space.



Yes, the goal is a fully automated and unattended (but "stock," supported, and 
rage-free) install.


The process of spinning up a new machine should be "add the IP address to the 
Ansible hosts file, run the playbook" as opposed to "dig out VNC and mess about 
with everything and get interrupted by someone with something urgent and come 
back and try to remember where I was..."


This seems pretty close to doable:

Ansible ought to be capable of dropping the bsd.rd into /boot and adding the 
relevant lines to grub, then triggering a restart.


Creating partitions seems unnecessary if we can just get the sets via HTTP, 
yes? Resizing partitions post-install would add complexity.


The autoinstall(8) man page (https://man.openbsd.org/autoinstall ) is a little 
unclear on whether we need to build a custom dhcpd.conf if we are using a local 
auto_install.conf, however I assume the answer is "no".


(If "yes," then Ansible would need to get the MAC address from the server 
initially, build the dhcpd.conf, and put it in the bsd.rd before uploading...)


Since parameters such as root password, user's username, user password, user 
SSH key, etc should be configured in the Ansible playbook or ancillary files, I 
wonder if there is a way to have Ansible build a custom autoinstall.conf (using 
templates) and insert it into bsd.rd immediately prior to uploading.


For that matter I can't find any instructions for editing bsd.rd or adding 
files to it, did I miss a manpage somewhere?


(It's too bad supplying the file locally requires editing the image, it would 
be nicer to drop the file onto /boot and then pass the filename as an argument 
when booting...)
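The template-driven auto_install.conf that this message wishes for, as an added example that is not part of the thread or of OpenBSD's own tooling. It renders the response file from playbook-style parameters and refuses values that could smuggle a second "question = answer" line into it. The question strings are an assumption taken from the installer prompts and should be checked against autoinstall(8) for the release being installed; `cdn.openbsd.org` and the placeholder hash and key in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: render an auto_install.conf response file
# from playbook-style parameters, which is what an Ansible template would do
# before the file is placed where the bsd.rd installer will find it. The
# question strings are assumed to match the installer prompts of the release
# being installed; verify them against autoinstall(8) before relying on them.
# Answers not listed here fall back to the installer's defaults.

# safe_value VALUE: reject anything that could break the one-line
# "question = answer" format or smuggle a second answer into the file.
safe_value() {
    nl='
'
    case $1 in '' | *"$nl"*) return 1 ;; esac
    # allowlist: letters, digits and the punctuation seen in hostnames,
    # bcrypt hashes ($2b$...), ssh public keys and set-name globs
    printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9._:/@+=$* -]' && return 1
    return 0
}

# render_auto_install HOSTNAME ROOT_HASH ROOT_PUBKEY [SETS_SERVER]
# ROOT_HASH must already be a bcrypt hash (made with encrypt(1) on an OpenBSD
# box); the response file should never carry a plaintext password, since it
# sits readable inside the image until the install finishes.
render_auto_install() {
    host=$1 root_hash=$2 pubkey=$3 sets=${4:-cdn.openbsd.org}
    for v in "$host" "$root_hash" "$pubkey" "$sets"; do
        safe_value "$v" || { printf 'unsafe value: %s\n' "$v" >&2; return 1; }
    done
    cat <<EOF
System hostname = $host
Password for root = $root_hash
Public ssh key for root account = $pubkey
Allow root ssh login = prohibit-password
Location of sets = http
HTTP Server = $sets
Set name(s) = -game* -x* done
EOF
}

# Usage, with a constructed hash and key (both placeholders):
#   render_auto_install web1 '$2b$10$PLACEHOLDERHASH' \
#       'ssh-ed25519 AAAAC3...PLACEHOLDER ops@example' > auto_install.conf
```

The root password goes in as a hash so the only secret that ever leaves the playbook in clear text is the public key, and root SSH login is set to `prohibit-password` so the installed host is key-only from its first boot.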




Re: Ansible install Re: Reboot and re-link

2019-06-21 Thread Frank Beuth

On Fri, Jun 21, 2019 at 12:36:22PM -0700, Misc User wrote:

I use PXE + install.conf + siteXX.tgz + siteXX-%hostname%.tgz for my
installs.  I also have an rc.firsttime to download and install the
required packages.


Thanks, but neither this nor the autoinstall suggestion seem applicable for my 
use case.


I am dealing with virtualized servers which usually start out as 
Ubuntu/Debian/Fedora images, then the hosting provider supplies the IP address 
and root password for a first-time SSH login. 

In many cases it is not possible to upload an ISO to be used as server 
installation media, and VNC consoles (if available) are often not even 
encrypted. (How would you feel about installing OpenBSD and then having your 
root password sent in plaintext at the very beginning?)


I realize installing OpenBSD under these constraints is rather like installing 
a ship in a bottle, but it seemed worth it to ask...




Ansible install Re: Reboot and re-link

2019-06-21 Thread Frank Beuth

On Wed, Jun 19, 2019 at 11:29:32PM +0200, Maxim Bourmistrov wrote:

Installing via NOT RECOMMENDED WAY(following upgrade65.html) - scripting on
steroids (ansible).


I don't want to re-open the hostilities, but installing OpenBSD via Ansible is 
very relevant to my interests. Previously discussed on this list was a very 
roundabout approach using Qemu -- is there a better way now?




Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers

2019-06-05 Thread Frank Groeneveld
On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:
> After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD 
> servers cannot be reached over HTTPS anymore. The error produced is 
> SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers, 
> but also with https://cvsweb.openbsd.org/
> Anybody know what is going on? Chromium and openssl s_client on the 
> same system work fine and the same Firefox version in Ubuntu, Mac OS 
> and Windows don't have this problem.
> 
> Thanks in advance.

Sorry for the noise, apparently there is a bug in the Fedora side when 
connecting with newer versions of LibreSSL. Related bug report: 
https://bugzilla.redhat.com/show_bug.cgi?id=1713777

Regards,
Frank



SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers

2019-06-04 Thread Frank Groeneveld
After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD servers 
cannot be reached over HTTPS anymore. The error produced is 
SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers, but also 
with https://cvsweb.openbsd.org/
Anybody know what is going on? Chromium and openssl s_client on the same system 
work fine and the same Firefox version in Ubuntu, Mac OS and Windows don't 
have this problem.

Thanks in advance.

--
Frank



Re: When will be created a great desktop experience for OpenBSD?

2019-05-07 Thread Frank Haun
On Tue, 7 May 2019 10:14:33 +, John Long wrote:

> On Tue, 7 May 2019 08:47:18 +0200
> Denis Fondras  wrote:
>
>> > user-friendly and easy-to-use
>> >  
>> 
>> Sounds like the exact description of current OpenBSD...
>
> +100
>
> This is exactly why I like and use it.

+1

Frank
-- 
OpenBSD orion.ka10.de 6.5 ORION#1 amd64
 2:50PM  up 12 days,  1:30, 5 users, load averages: 0.17, 0.17, 0.12
[Experimental Blog: http://ka10.de/~frank/]



Re: User who invoke doas

2019-05-02 Thread Frank Shute
On Thu, May 02, 2019 at 04:29:20AM +, Adam Steen wrote:
>
> Hi
> 
> In a shell script invoked by doas, is it possible to find which user
> invoke the script? my search a the moment has come up empty.
> 
> Cheers Adam
> 

Hi Adam,


Nowadays, I think the POSIX way is considered to be id(1) with
appropriate args: 

id -nur

(Untested)


Regards,

-- 

Frank

https://woodcruft.co.uk/
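A small script-side helper for the question above, added here as an example and not taken from the thread. doas(1) exports `DOAS_USER` into the target environment, so a script that is only ever reachable through a doas rule can read the invoker from it; `id -nur` is kept as the fallback Frank suggests, with the caveat that under doas the real uid has already been switched to the target user, so it will name the target rather than the caller. The `require_invoker` allowlist and the user names in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: identify the user who invoked doas from
# inside a script run through doas. doas(1) exports DOAS_USER into the target
# environment; id -nur (name of the real uid) is kept as a fallback for the
# case where the script is run some other way, but note that under doas the
# real uid has already been switched to the target user.
invoking_user() {
    if [ -n "${DOAS_USER:-}" ]; then
        printf '%s\n' "$DOAS_USER"
    else
        id -nur
    fi
}

# require_invoker USER...
# Succeed only when the invoking user is one of the listed operators; the
# refusal goes to stderr so it lands in the doas session's terminal or log.
# DOAS_USER is trustworthy only because doas sets it itself: if the same
# script can be started directly, the variable is whatever the caller put
# in the environment, so restrict the script to a doas rule.
require_invoker() {
    who=$(invoking_user)
    for allowed in "$@"; do
        [ "$who" = "$allowed" ] && return 0
    done
    printf 'refusing: %s is not an authorised invoker\n' "$who" >&2
    return 1
}

# Typical use at the top of a doas-only maintenance script:
#   require_invoker alice bob || exit 1
#   logger -t maint "$(invoking_user) ran $0 $*"
```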



Re: GitLab

2019-04-03 Thread Frank Groeneveld
Hello Oleg,

Yes, I've hosted it for a few years on OpenBSD. It's a tough beast to get 
working though, because of all the dependencies and separate components. If 
you're familiar with Ruby you can probably get it working, if not then I 
wouldn't advise you to try.

I've contributed a number of patches to upstream and could install most 
versions without manual steps. However, last install I did was almost a year 
ago.

Good luck!

Frank

On Wed, Mar 27, 2019, at 16:51, Oleg Pahl wrote:
> Hi all,
> 
> is it possible to install GitLab on OpenBSD? If yes .. any doc's?
> 
> BR
> 
> Oleg Pahl
> 
>



Re: Block/allow outgoing traffic by user or application?

2019-02-25 Thread Frank Beuth

On Mon, Feb 25, 2019 at 12:31:42PM -, Stuart Henderson wrote:

I've not done much with ssh tun forwarding, but I have previously had
to run openvpn over TCP and didn't find that it really get in the
way in practice, even with connections over wifi. It would depend
on connection characteristics though.

The sshuttle documentation mostly talks about lack of feedback into
TCP's congestion control mechanism; that could be mitigated by
"regenerating" the TCP sessions on the tunnel endpoint, I think
it maybe possible to bodge this together using relayd's "forward
to destination". But I would only mess about with that if I had
tried it and was seeing things working poorly, rather than just
for the sake of maybe making things faster.


Alright, that seems reasonable enough. Thanks!



Re: Block/allow outgoing traffic by user or application?

2019-02-24 Thread Frank Beuth

On Sun, Feb 24, 2019 at 03:12:31PM +, Stuart Henderson wrote:

Basically I'm trying to say, if you wanted to do it the other way round
(pass by default, block certain traffic) you wouldn't be able to block
everything.

If you're trying to stop all possible paths something on the system
might use to exfiltrate information then this is important (for example
if ping(1) is available and you're not blocking ICMP, this could be used
even as non-root with ping -p).


I see. "If you're in a situation that requires blocking everything, then you 
should block by default" seems logical enough.


Not sure if there's any situation where you want to block by default but allow 
ICMP, that might be a bigger issue.



I had no idea there was such a thing as SSH tun forwarding, thanks for
telling me about it! :)


A useful addition to the toolkit :)


Do you know how (or how well!) it handles the performance issues associated 
with TCP-over-TCP? e.g

http://sites.inka.de/bigred/devel/tcp-tcp.html
https://unix.stackexchange.com/questions/34499/are-there-disadvantages-in-ssh-tunneling

apropos:
https://github.com/sshuttle/sshuttle



Re: Block/allow outgoing traffic by user or application?

2019-02-24 Thread Frank Beuth

On Sun, Feb 24, 2019 at 09:56:12AM -, Stuart Henderson wrote:

PF 'user' should do the trick. Note: it only works for TCP/UDP but for
this you should be able to do something like

block all
pass inet proto tcp to 192.0.2.1 port 22 user sshtunnel


Thanks. You say "only works for TCP/UDP", what other things should I be aware 
of? ICMP?



However if possible I would suggest either ssh tun forwarding or a VPN.
ssh socks forwarding is only for TCP which might be a bit restrictive,
plus you'll need special setup for applications with socks that you won't
need with tun forwarding or VPN.


I had no idea there was such a thing as SSH tun forwarding, thanks for telling 
me about it! :)




Re: Block/allow outgoing traffic by user or application?

2019-02-24 Thread Frank Beuth

On Sun, Feb 24, 2019 at 09:09:06AM +0100, Denis Fondras wrote:

On Sun, Feb 24, 2019 at 01:43:08PM +0700, Frank Beuth wrote:

Is it possible to restrict network access on a per-user or per-application
(rather than per-port) basis?

pf does not seem to have any capability to do this, maybe I missed something.



Don't know what you are aiming to do but pf rules have a "user" keyword.



Example: start an SSH tunnel with a SOCKS listener on localhost:8080, then 
ensure all outgoing application traffic uses the SSH tunnel instead of the 
shady public WiFi network I am connected to.


In this case, it looks like that can be done by creating a user `sshtunnel`, 
starting the SSH tunnel as that user, and then using the pf rule to block all 
egress traffic which is not either to localhost or from user `sshtunnel`.


Does that make sense?
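The ruleset sketched in this thread (Stuart's `block all` / `pass ... user sshtunnel` pair, applied to the SOCKS tunnel set-up above), written out as a constructed pf.conf together with a small lint, added here as an example that is not from the thread or from OpenBSD. The lint catches the usual way such a ruleset gets loosened later: a convenience `pass` rule with no `user` constraint. `192.0.2.1` is a documentation address standing in for the SSH server and `sshtunnel` is the dedicated tunnel account; both are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: the "only the tunnel user may leave"
# ruleset as a constructed pf.conf, plus a lint that rejects egress rules
# without a user constraint. 192.0.2.1 stands in for the SSH server and
# 'sshtunnel' is the dedicated tunnel account.

tunnel_only_ruleset() {
    cat <<'EOF'
# applications only ever talk to the SOCKS listener on 127.0.0.1:8080
set skip on lo0
# default deny in both directions; ICMP and anything non-TCP/UDP die here,
# which matters because the 'user' keyword only applies to TCP/UDP sockets
block all
# the one hole: the tunnel account may open the SSH session. The peer is an
# address, not a name, because with 'block all' nothing on this host resolves.
pass out quick proto tcp to 192.0.2.1 port 22 user sshtunnel
EOF
}

# The same ruleset after someone "fixed" name resolution for a local
# resolver: every process can now send UDP/53 around the tunnel.
leaky_ruleset() {
    tunnel_only_ruleset
    echo 'pass out proto udp to port 53'
}

# lint_egress: read a pf.conf on stdin. Exit 0 only if a 'block all' or
# 'block out' rule comes before the first pass rule and every pass rule
# carries a 'user' constraint; otherwise print the offending rules, exit 1.
lint_egress() {
    awk '
        /^[[:space:]]*#/   { next }
        /^[[:space:]]*$/   { next }
        /^block (all|out)/ { blocked = 1 }
        /^pass/ {
            if (!blocked)  { print "pass before default block: " $0; bad = 1 }
            if (!/ user /) { print "pass without user constraint: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage (pfctl's own parser remains the real check before loading):
#   tunnel_only_ruleset > /etc/pf.conf
#   lint_egress < /etc/pf.conf && pfctl -nf /etc/pf.conf
```

Two consequences of `block all` are worth knowing before switching it on: name resolution on the host stops working, so applications must let the SOCKS5 proxy resolve names on the far end (the browser's "proxy DNS when using SOCKS v5" style option), and anything that cannot be attributed to a socket owner, ICMP included, is simply dropped.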



Block/allow outgoing traffic by user or application?

2019-02-23 Thread Frank Beuth
Is it possible to restrict network access on a per-user or per-application 
(rather than per-port) basis?


pf does not seem to have any capability to do this, maybe I missed something.



Re: Research and OpenBSD: How can I help?

2019-02-20 Thread Frank Beuth

On Wed, Feb 20, 2019 at 09:16:04PM -0500, James Huddle wrote:

Personally, I envision a sort of "open source BIOS"
library in the distant future.  Something we jack in on jtag
if we have to.  There is no harm in *starting.*  Meanwhile,
my super productive Dell laptop can't keep me from wondering
what the SMM is doing during the SMI, while obsd or any other
OS sleeps.


There is Coreboot, but it's not a complete solution to the problem yet:
- it does address SMM/SMI but as far as I can tell not necessarily on all platforms,
- options for removing Intel ME/AMD PSP are limited,
- and of course it does not cover e.g. onboard ARM coprocessors, embedded controllers, keyboard controllers, hard disk controllers which may be smart enough to run a whole Linux kernel and edit your files behind your back, etc...




Re: Research and OpenBSD: How can I help?

2019-02-19 Thread Frank Beuth

On Thu, Feb 14, 2019 at 04:22:05AM +, Paul Swanson wrote:

I have some general areas of interest, such as embedded
computing, but nothing is set in stone yet, so I thought it'd
be fun to hear from those in know about areas of priority need
within the OpenBSD community.

Are there particular problems that could benefit from new
ideas or solutions?


An area that I am personally interested in is running OpenBSD on fully 
open-source / binary-blob-free hardware: hardware where there is no proprietary 
firmware that could hide vendor backdoors, and ideally where even the design of 
the chip is available to the user for review.


The trouble is it's VERY hard to find "fully open" hardware, and the hardware 
which is known to exist (loongson, OpenPOWER, RISC V) is difficult to get, 
expensive or not very good, and (except for loongson) not supported by OpenBSD.




Re: Raspberry Pi support in 6.4

2019-01-19 Thread Frank Beuth

On Sat, Jan 19, 2019 at 04:21:50PM +0200, Mihai Popescu wrote:

Why not an AMD Opteron A1100 based board?


Because I haven't looked into it yet.

This all started because I'm on vacation in a major electronics hub and saw a 
Raspberry Pi at a local mall, thought it would be a fun project and 
want to get away from Intel ME/AMD PSP binary blob-istan.


Would love to have a totally open computer where all the code is auditable, 
and have it be small enough to pack into my carryon for the flight home...




Re: Raspberry Pi support in 6.4

2019-01-19 Thread Frank Beuth

On Fri, Jan 18, 2019 at 08:19:29PM +, Stuart Henderson wrote:

On 2019-01-18, Frank Beuth  wrote:

(misc got dropped?)


Yes, your mail was off-list so I replied off-list.


Ah, ok. Mea culpa, must have hit the wrong key.



Re: Raspberry Pi support in 6.4

2019-01-18 Thread Frank Beuth

On Fri, Jan 18, 2019 at 07:02:11AM +, Michael Joy wrote:
I'd be more than willing to a Pinebook for testing. I wanted one anyway. 


If I end up buying one, I'll buy one for you too :)



Re: Raspberry Pi support in 6.4

2019-01-17 Thread Frank Beuth

(misc got dropped?)

On Thu, Jan 17, 2019 at 04:28:05PM +, Stuart Henderson wrote:

> I'll take a look at that. Why would you prefer the PINE64 over the RBP?

Partly due to the improved storage/connectivity options (especially on
rockpro64) but largely because there seems a bit more developer interest
in them than in the rpi.


Is it binary-blob-free?

The Pinebook looks great, and a quick glance at the archives raises hopes that 
the answer is "yes, the proprietary firmware has been replaced by u-boot":

https://marc.info/?l=openbsd-tech&m=150417320727503&w=2
https://marc.info/?l=openbsd-tech&m=150416800125742&w=2
https://marc.info/?l=openbsd-misc&m=150324117732158&w=2

Still can't tell whether you need a 3.3v serial console adapter to install on 
the Pinebook. (it has a built in display!)




Re: Raspberry Pi support in 6.4

2019-01-17 Thread Frank Beuth

(misc got dropped?)

On Thu, Jan 17, 2019 at 04:28:05PM +, Stuart Henderson wrote:

I'll take a look at that. Why would you prefer the PINE64 over the RBP?


Partly due to the improved storage/connectivity options (especially on
rockpro64) but largely because there seems a bit more developer interest
in them than in the rpi.


Is it binary-blob-free?

The Pinebook looks great, and a quick glance at the archives raises hopes that 
the answer is "yes, the proprietary firmware has been replaced by u-boot":

https://marc.info/?l=openbsd-tech&m=150417320727503&w=2
https://marc.info/?l=openbsd-tech&m=150416800125742&w=2
https://marc.info/?l=openbsd-misc&m=150324117732158&w=2

Still can't tell whether you need a 3.3v serial console adapter to install on 
the Pinebook. (it has a built in display!)




Raspberry Pi support in 6.4

2019-01-17 Thread Frank Beuth

(resending as 1st message didn't go through?)


Has OpenBSD's support for Raspberry Pi devices improved much with 6.4? All the
documentation I can find online regarding this platform and OpenBSD refers to
6.3, and suggests that the Raspberry Pi support is very limited (no packages?).

The changelog for 6.4 notes for example:
"Implemented an EFI driver to allow PXE boot over EFIs Simple Network
Protocol, allowing TFTP boot on U-Boot based armv7 and arm64 machines."

Does this allow installing without a serial console?

These posts seem to suggest booting from the microSD card (vs needing external
USB drive) may be possible, but it's not very clear:
http://openbsd-archive.7691.n7.nabble.com/OpenBSD-current-doesn-t-boot-on-Raspberry-Pi-3-Model-B-td352103.html
http://openbsd-archive.7691.n7.nabble.com/OpenBSD-on-Raspberry-pi-3-model-B-td332780.html#a343278



Re: Automated remote install

2018-12-21 Thread Frank Beuth

On Wed, Dec 19, 2018 at 07:24:12AM -0800, andrew fabbro wrote:

Virtually all of the better KVM hosts offer an OpenBSD ISO, and in my
experience, 100% will add it to their library if you request it.


I did a quick survey, and found that of the providers I currently work with who 
offer OpenBSD ISOs, most/all of them:


- Require using VNC during installation (no automated install)
- Do not offer encrypted VNC

... "Now I remember why I started this thread!"

While setting up SSH key-based auth as part of the install process will 
mitigate someone sniffing passwords and using them to log in, if you have any 
suggestions for securing this kind of setup further, they would be welcome.


(No, switching to Vultr/Linode/etc is not an option)



Re: Automated remote install

2018-12-20 Thread Frank Beuth

On Wed, Dec 19, 2018 at 07:24:12AM -0800, andrew fabbro wrote:

Virtually all of the better KVM hosts offer an OpenBSD ISO, and in my
experience, 100% will add it to their library if you request it.


That's an excellent idea, especially from the perspective of making OpenBSD 
adoption easier for others as well. ("click the button" vs "don't forget the 
`--hail-puffy-full-of-grace` flag on `ansible-playbook`")


In this particular case -- where I frequently need to spin up servers in exotic 
and unusual places -- it's not ideal, of course.




connecting to adsl

2018-09-03 Thread Frank White
Hi,
I am trying to connect to adsl, but I have the following problems:

Sep  3 12:06:34 myhost /bsd: pppoe0: received unexpected PADO
Sep  3 12:07:31 myhost /bsd: pppoe0: received unexpected PADO
Sep  3 12:08:28 myhost /bsd: pppoe0: host unique tag found, but it
belongs to a connection in state 3
Sep  3 12:08:28 myhost /bsd: pppoe: received PADO but could not find
request for it
Sep  3 12:09:25 myhost /bsd: pppoe0: host unique tag found, but it
belongs to a connection in state 3
Sep  3 12:09:25 myhost /bsd: pppoe: received PADO but could not find
request for it

These are my configuration files:
# cat /mnt/hostname.em0
up
# cat /mnt/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev em0 authproto pap \
authname 'myusername' authkey 'mypassword' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

and my ifconfig output:

lo0: flags=8049 mtu 32768
index 3 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff00
em0: flags=8843 mtu 1500
lladdr 00:23:24:0b:0c:27
index 1 priority 0 llprio 3
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
enc0: flags=0<>
index 2 priority 0 llprio 3
groups: enc
status: active
pppoe0: flags=8851 mtu 1492
index 4 priority 0 llprio 3
dev: em0 state: session
sid: 0xf6da PADI retries: 3 PADR retries: 0 time: 00:00:33
sppp: phase terminate authproto pap authname "myusername"
groups: pppoe egress
status: no carrier
inet 0.0.0.0 --> 0.0.0.1 netmask 0x

Thanks for help!


Re: x260 hang at halt/reboot

2018-08-16 Thread Frank Groeneveld
On Wed, Aug 15, 2018, at 15:02, Stuart Henderson wrote:
> Thanks for the suggestion, currently OpenBSD and UEFI only.
> I'll give it a try with MBR when I can afford a better SSD and rebuild it
> on that.
> 

I need CSM mode enabled on my X260 to get it working correctly. Is it disabled 
for you?

--
Frank



Re: Kaby Lake software rendering on Intel NUC

2018-07-16 Thread Frank Groeneveld
On Fri, Jul 13, 2018, at 16:51, Frank Groeneveld wrote:
> After sending the email I noticed the first line in the Xorg log 
> (machdep.aperture=1) and that also doesn't seem to fix the software 
> rendering.

Anybody have an idea?

Thanks in advance.

Frank



Re: Kaby Lake software rendering on Intel NUC

2018-07-13 Thread Frank Groeneveld
After sending the email I noticed the first line in the Xorg log 
(machdep.aperture=1) and that also doesn't seem to fix the software rendering.

Frank



Kaby Lake software rendering on Intel NUC

2018-07-13 Thread Frank Groeneveld
Dear all,

I'm trying to get OpenBSD 6.3 with Gnome working on an Intel NUC based on Intel 
Kaby Lake. I found that the amd64 webpage at https://www.openbsd.org/amd64.html 
states there is support for Intel Kaby Lake. Does that mean it should not 
fallback to software rendering? Because on this machine it does fallback to 
software rendering. Attached the dmesg and Xorg logs.

Thanks,

Frank
[   470.923] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
	(Operation not permitted)
	Check that you have set 'machdep.allowaperture=1'
	in /etc/sysctl.conf and reboot your machine
	refer to xf86(4) for details
[   470.923] 	linear framebuffer access unavailable
[   470.935] (--) Using wscons driver on /dev/ttyC4
[   470.939] 
X.Org X Server 1.19.6
Release Date: 2017-12-20
[   470.939] X Protocol Version 11, Revision 0
[   470.939] Build Operating System: OpenBSD 6.3 amd64 
[   470.939] Current Operating System: OpenBSD elliot.ivaldi.nl 6.3 GENERIC.MP#4 amd64
[   470.939] Build Date: 24 March 2018  02:38:24PM
[   470.940]  
[   470.940] Current version of pixman: 0.34.0
[   470.940] 	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
[   470.940] Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[   470.940] (==) Log file: "/var/log/Xorg.0.log", Time: Fri Jul 13 16:18:22 2018
[   470.940] (==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
[   470.940] (==) No Layout section.  Using the first Screen section.
[   470.940] (==) No screen section available. Using defaults.
[   470.940] (**) |-->Screen "Default Screen Section" (0)
[   470.940] (**) |   |-->Monitor ""
[   470.940] (==) No monitor specified for screen "Default Screen Section".
	Using a default monitor configuration.
[   470.940] (==) Automatically adding devices
[   470.940] (==) Automatically enabling devices
[   470.940] (==) Not automatically adding GPU devices
[   470.940] (==) Max clients allowed: 256, resource mask: 0x1f
[   470.940] (==) FontPath set to:
	/usr/X11R6/lib/X11/fonts/misc/,
	/usr/X11R6/lib/X11/fonts/TTF/,
	/usr/X11R6/lib/X11/fonts/OTF/,
	/usr/X11R6/lib/X11/fonts/Type1/,
	/usr/X11R6/lib/X11/fonts/100dpi/,
	/usr/X11R6/lib/X11/fonts/75dpi/
[   470.940] (==) ModulePath set to "/usr/X11R6/lib/modules"
[   470.940] (II) The server relies on wscons to provide the list of input devices.
	If no devices become available, reconfigure wscons or disable AutoAddDevices.
[   470.940] (II) Loader magic: 0xa5d7da42000
[   470.940] (II) Module ABI versions:
[   470.940] 	X.Org ANSI C Emulation: 0.4
[   470.940] 	X.Org Video Driver: 23.0
[   470.940] 	X.Org XInput driver : 24.1
[   470.940] 	X.Org Server Extension : 10.0
[   470.940] (--) PCI:*(0:0:2:0) 8086:5927:8086:2068 rev 6, Mem @ 0xdb00/16777216, 0x9000/268435456, I/O @ 0xf000/64
[   470.940] (II) LoadModule: "glx"
[   470.941] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
[   470.942] (II) Module glx: vendor="X.Org Foundation"
[   470.942] 	compiled for 1.19.6, module version = 1.0.0
[   470.942] 	ABI class: X.Org Server Extension, version 10.0
[   470.942] (==) Matched wsfb as autoconfigured driver 0
[   470.942] (==) Assigned the driver to the xf86ConfigLayout
[   470.942] (II) LoadModule: "wsfb"
[   470.942] (II) Loading /usr/X11R6/lib/modules/drivers/wsfb_drv.so
[   470.942] (II) Module wsfb: vendor="X.Org Foundation"
[   470.942] 	compiled for 1.19.6, module version = 0.4.1
[   470.942] 	ABI class: X.Org Video Driver, version 23.0
[   470.942] (II) wsfb: driver for wsdisplay framebuffer: wsfb
[   470.942] (WW) Falling back to old probe method for wsfb
[   470.943] (II) wsfb(0): using default device
[   470.943] (II) wsfb(0): Creating default Display subsection in Screen section
	"Default Screen Section" for depth/fbbpp 24/32
[   470.943] (==) wsfb(0): Depth 24, (--) framebuffer bpp 32
[   470.943] (==) wsfb(0): RGB weight 888
[   470.943] (==) wsfb(0): Default visual is TrueColor
[   470.943] (==) wsfb(0): Using gamma correction (1.0, 1.0, 1.0)
[   470.943] (II) wsfb(0): Vidmem: 9000k
[   470.943] (==) wsfb(0): DPI set to (96, 96)
[   470.943] (**) wsfb(0): Using "Shadow Framebuffer"
[   470.943] (II) Loading sub module "shadow"
[   470.943] (II) LoadModule: "shadow"
[   470.943] (II) Loading /usr/X11R6/lib/modules/libshadow.so
[   470.943] (II) Module shadow: vendor="X.Org Foundation"
[   470.943] 	compiled for 1.19.6, module version = 1.1.0
[   470.943] 	ABI class: X.Org ANSI C Emulation, version 0.4
[   470.943] (II) Loading sub module "fb"
[   470.943] (II) LoadModule: "fb"
[   470.944] (II) Loading /usr/X11R6/lib/modules/libfb.so
[   470.944] (II) Module fb: vend

Re: SNI PCD-5T - MP operation on OpenBSD 6.3-current

2018-03-30 Thread Frank Scheiner

Hi Daniel,

On 03/30/2018 02:20 AM, Daniel Dickman wrote:

Hi Frank —


I got this nice old "workstation" from the mid 90ies with dual P54C
processors and i430NX chipset and want to operate it in MP mode with
OpenBSD. Unfortunately this doesn't work as expected currently.


Are you able to describe "doesn't work as expected" a bit more? Does it hang 
after the dmesg? do you get to login? Something else?


Sorry, right, I actually missed the point.

The machine works with OpenBSD, but just not in MP mode, only one CPU is 
activated/found:


```
OpenBSD/i386 (pcd-5t.domain.tld) (tty00)

login: root
Password:
Last login: Wed Mar 28 11:10:35 on tty00
OpenBSD 6.3 (GENERIC.MP) #491: Sat Mar 24 14:38:11 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.
[...]
pcd-5t# sysctl hw
hw.machine=i386
hw.model=Intel Pentium (P54C) ("GenuineIntel" 586-class)
hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=fd0:
hw.diskcount=1
hw.cpuspeed=139
hw.physmem=167264256
hw.usermem=167251968
hw.ncpufound=1
hw.allowpowerdown=1
```




I've
already tried with 6.1, 6.2 and 6.3-current-1521924436. Find attached
the full dmesg output for 6.3-[...] below, but I suspect that the
following message is the most relevant one:

```
[...]
bios0: MP default configuration 6 not supported
[...]
```

I actually don't know the meaning of it, can someone perhaps shed some
light on it?


It means you got to this bit of code (see sys/arch/i386/i386/mpbios.c):

```
	if (mp_fps->pap == 0) {
		if (mp_fps->mpfb1 == 0)
			printf("%s: MP fps invalid: "
			    "no default config and no configuration table\n",
			    self->dv_xname);
		else
			printf("%s: MP default configuration %d not "
			    "supported\n", self->dv_xname, mp_fps->mpfb1);
		goto err;
	}
```


Yes, I also found this part later on with a string search, but couldn't 
make much out of it due to missing knowledge you did provide below - 
thanks for that. :-)




mp_fps is the "MP floating point structure" (see 4.1 in the MP spec). Now, we 
know the pap (Physical Address Pointer) is zero which means the MP config table doesn't 
exist on your system. So when there's no config table, the spec wants to use a default 
setup. (see section 5 of the spec).

To know which default config to use we'd need to use the MP information byte #1 
according to the spec. Your dmesg shows the value is 6 and the spec says a 
value of 6 refers to 2 cpus with EISA+PCI bus and integrated APIC.

It may be the case that more work is needed to add support for this setup. 
Haven’t looked much further than that so far...


The message mentioning that "MP default configuration 6 not supported" 
sounded like specifically default config 6 isn't supported in my case.
But it actually looks like this affects all systems that don't have an 
MP config table, i.e. no MP operation if there's no MP config table but 
just a default config.


I'll try to find out how NetBSD handles default configurations. Maybe 
this can be applied to OpenBSD, too.


Cheers and thanks for the explanations
Frank
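
As an added illustration of the decision Daniel describes (not OpenBSD code and not part of the original thread), the following C parses an MP Floating Pointer Structure laid out as in section 4.1 of the Intel MP spec and classifies it the way the mpbios.c snippet does, with the checksum check the kernel performs before it gets that far. The byte buffers are constructed by hand; the config-6 sample mirrors the values reported for the PCD-5T.

```c
/* Parse an Intel MP Floating Pointer Structure (16 bytes, MP spec 1.4 sec. 4.1)
 * and classify it as the quoted mpbios.c snippet does. Added example,
 * not kernel code; all buffers here are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MPFPS_LEN 16

enum mp_result {
	MP_BAD_SIGNATURE,	/* first four bytes are not "_MP_" */
	MP_BAD_CHECKSUM,	/* all 16 bytes must sum to zero mod 256 */
	MP_INVALID,		/* pap == 0 and feature byte 1 == 0 */
	MP_DEFAULT_CONFIG,	/* pap == 0, feature byte 1 names a default config */
	MP_CONFIG_TABLE		/* pap points at an MP configuration table */
};

struct mpfps {
	uint32_t pap;		/* physical address of the config table, 0 = none */
	uint8_t	 length;	/* in 16-byte units, must be 1 */
	uint8_t	 spec_rev;	/* 1 = MP spec 1.1, 4 = MP spec 1.4 */
	uint8_t	 mpfb1;		/* feature byte 1: default configuration type */
	uint8_t	 mpfb2;		/* feature byte 2: bit 7 = IMCR present */
};

/* Default configurations 1..7 from table 5-1 of the MP spec. */
static const char *mp_default_desc[] = {
	"none", "ISA, 82489DX", "EISA, 82489DX, no IRQ0 timer", "EISA, 82489DX",
	"MCA, 82489DX", "ISA+PCI, integrated APIC",
	"EISA+PCI, integrated APIC", "MCA+PCI, integrated APIC"
};

const char *mpfps_default_name(uint8_t n)
{
	return n <= 7 ? mp_default_desc[n] : "unknown";
}

static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

enum mp_result mpfps_parse(const uint8_t *buf, struct mpfps *out)
{
	uint8_t sum = 0;
	int i;

	if (memcmp(buf, "_MP_", 4) != 0)
		return MP_BAD_SIGNATURE;
	/* A stray "_MP_" string in the BIOS area, or a corrupted structure,
	 * is rejected here before any of its fields are trusted. */
	for (i = 0; i < MPFPS_LEN; i++)
		sum += buf[i];
	if (sum != 0)
		return MP_BAD_CHECKSUM;

	out->pap = le32(buf + 4);
	out->length = buf[8];
	out->spec_rev = buf[9];
	out->mpfb1 = buf[11];
	out->mpfb2 = buf[12];

	/* The same branch the kernel takes: no table means either an invalid
	 * structure or one of the numbered default configurations. */
	if (out->pap == 0)
		return out->mpfb1 == 0 ? MP_INVALID : MP_DEFAULT_CONFIG;
	return MP_CONFIG_TABLE;
}

/* Build a well-formed structure (used to construct the samples below). */
void mpfps_build(uint8_t *buf, uint32_t pap, uint8_t spec_rev, uint8_t mpfb1)
{
	uint8_t sum = 0;
	int i;

	memset(buf, 0, MPFPS_LEN);
	memcpy(buf, "_MP_", 4);
	buf[4] = pap & 0xff;
	buf[5] = (pap >> 8) & 0xff;
	buf[6] = (pap >> 16) & 0xff;
	buf[7] = (pap >> 24) & 0xff;
	buf[8] = 1;
	buf[9] = spec_rev;
	buf[11] = mpfb1;
	for (i = 0; i < MPFPS_LEN; i++)
		sum += buf[i];
	buf[10] = (uint8_t)(0x100 - sum);	/* checksum byte: total becomes 0 */
}

int main(void)
{
	uint8_t buf[MPFPS_LEN];
	struct mpfps fps;

	/* Constructed sample: no config table, default configuration 6. */
	mpfps_build(buf, 0, 1, 6);
	if (mpfps_parse(buf, &fps) == MP_DEFAULT_CONFIG)
		printf("default config %u: %s\n", fps.mpfb1,
		    mpfps_default_name(fps.mpfb1));
	return 0;
}
```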



SNI PCD-5T - MP operation on OpenBSD 6.3-current

2018-03-28 Thread Frank Scheiner
Dear all,

posting to misc as I don't know if this is a bug in OpenBSD or in my
hardware.

I got this nice old "workstation" from the mid 90ies with dual P54C
processors and i430NX chipset and want to operate it in MP mode with
OpenBSD. Unfortunately this doesn't work as expected currently. I've
already tried with 6.1, 6.2 and 6.3-current-1521924436. Find attached
the full dmesg output for 6.3-[...] below, but I suspect that the
following message is the most relevant one:

```
[...]
bios0: MP default configuration 6 not supported
[...]
```

I actually don't know the meaning of it, can someone perhaps shed some
light on it?

For comparison I also tried with NetBSD 7.1 which can operate in MP mode
on this machine:

```
NetBSD 7.1 (LEGACY.201703111743Z)
total memory = 159 MB
avail memory = 140 MB
kern.module.path=/stand/i386/7.1/modules
mainbus0 (root)
ACPI BIOS Error (bug): A valid RSDP was not found (20131218/tbxfroot-223)
acpi_probe: failed to initialize tables
ACPI Error: Could not remove SCI handler (20131218/evmisc-311)
mainbus0: Intel MP Specification (Version 1.1)
mainbus0: MP default configuration 6
cpu0 at mainbus0 apid 0: Intel 586-class, 165MHz, id 0x52c
cpu1 at mainbus0 apid 1: Intel 586-class, id 0x252c
[...]
```
...and either supports "MP default configuration 6" or just ignores it.
Hence I assume the machine is in working order.

Cheers,
Frank



Full dmesg output:
```
OpenBSD 6.3 (GENERIC.MP) #491: Sat Mar 24 14:38:11 MDT 2018
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium (P54C) ("GenuineIntel" 586-class) 139 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC
real mem  = 167264256 (159MB)
avail mem = 150855680 (143MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 06/04/98, BIOS32 rev. 0 @ 0xf04b3
apm at bios0 function 0x15 not configured
bios0: MP default configuration 6 not supported
pcibios0 at bios0: rev 2.0 @ 0xf/0x4db
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x800
cpu0 at mainbus0: (uniprocessor)
cpu0: F00F bug workaround installed
pci0 at mainbus0 bus 0: configuration mode 2 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82434LX/NX" rev 0x11
"Intel 82375EB EISA" rev 0x04 at pci0 dev 1 function 0 not configured
"PC Technology RZ1000" rev 0x01 at pci0 dev 2 function 0 not configured
xl0 at pci0 dev 13 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 15, 
address 00:04:75:12:34:56
exphy0 at xl0 phy 24: 3Com internal media interface
eisa0 at mainbus0
eisa0: can't map i/o space for slot 14
isa0 at mainbus0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
vga0 at isa0 port 0x3b0/48 iomem 0xa/131072
wsdisplay0 at vga0 mux 1: console (80x25, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
PXE boot MAC address 00:04:75:12:34:56, interface xl0
nfs_boot: using interface xl0, with revarp & bootparams
nfs_boot: client_addr=172.16.2.96
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
nfs_boot: server_addr=172.16.0.1 hostname=pcd-5t
root on 172.16.0.9:/srv/nfs/pcd-5t/root
swap on 172.16.0.9:/srv/nfs/pcd-5t/swap
```



Re: Switching swap partition

2017-10-10 Thread Frank Groeneveld
On Tue, Oct 10, 2017, at 10:22, leo_...@volny.cz wrote:
> Instead of sd0b? Then it appears fine.

Yes, that was my point, everything seemed fine until I found that line
in dmesg.
 
> >> You might want to keep sd0b around as a dump partition though, just in
> >> case it ever panics before going multiuser...
> >
> > The point of this operation was to reclaim that space for other use ;-)
> 
> You could even just shrink it significantly -- I don't think a dump at
> early boot would take up *that* much space...

Good suggestion, I might do it like that indeed. Thanks!

Frank



Re: Switching swap partition

2017-10-10 Thread Frank Groeneveld
On Tue, Oct 10, 2017, at 09:48, leo_...@volny.cz wrote:
> It'd seem more wrong to me if it'd try to swap to a nonexistent
> partition ;) Just in case, what is the output of 'swapctl -l' straight
> after boot, preferably when still single-user? 

swapctl -l always lists /dev/sd1b correctly.

> You might want to keep sd0b around as a dump partition though, just in
> case it ever panics before going multiuser... 

The point of this operation was to reclaim that space for other use ;-)

Frank



Switching swap partition

2017-10-10 Thread Frank Groeneveld
I recently switched the swap partition on a server from sd0b to sd1b.
I've modified /etc/fstab accordingly and after a reboot swapctl -l lists
it as being the only used swap partition correctly. Today I noticed this
line in dmesg:
root on sd0a (4340b9bfa4cdde0a.a) swap on sd0b dump on sd0b

It still lists the old partition (which I modified to be of the
"unknown" type in the disklabel, but removing the partition doesn't fix
it either) as being the swap partition. How can I change this? I found a
kernel compile option, but recompiling a kernel because I want swap on a
different partition seems wrong.

Thanks for any hints!

Frank



Re: How do I try uwacom with a Graphire tablet

2017-05-19 Thread Frank Groeneveld
On Thu, May 18, 2017, at 09:01, Alfred Morgan wrote:
> How difficult would it be to get the Wacom Graphire (it says ET-0405-U on
> the bottom of my tablet) to work with the uwacom driver which claims to
> only support the CTL-490?

The uwacom driver was written for newer tablets which have a broken usb
descriptor. I believe your device is older and might already work
without uwacom but needs modifications to pick up the fixes in
/usr/src/sys/dev/usb/uhidev.c.

Frank



Re: thinkpad x270

2017-05-19 Thread Frank Groeneveld
On Thu, May 18, 2017, at 14:42, Pau wrote:
> Is anybody using a thinkpad x270? If so, could you please send me your
> dmesg? Is it working fine?

I have an x260 and it works fine when using the efifb driver, except for
suspend/resume.

> More importantly: Is the laptop resuming X/connection after suspending
> if you disable TPM in bios?

I have an x260 and it seems to me that we need a working graphics driver
before we can start fixing suspend/resume.

Frank



Re: Intuos Draw (uwacom) question

2017-04-12 Thread Frank Groeneveld
On Wed, Apr 12, 2017, at 08:16, Peter J. Philipp wrote:
> I'm interested in buying an Wacom Intuos Draw which is supported in
> 6.1.  However when I go to reichelt.de the model that's available says
> CTL-490DW I don't know if DW is supported, can someone let me know?
> 
> https://www.reichelt.de/Grafiktabletts-stifte/WACOM-CTL-490DW/3/index.html?ACTION=3&LA=5&ARTICLE=160633&GROUPID=6271&artnr=WACOM+CTL-490DW
> 
> Any feedback would be appreciated.
> 
> Regards,
> 
> -peter
> 

Hello Peter,

Yes, that will work. I'm the author of the driver and use it with a
CTL-490DW-N (where -N probably means Dutch). It won't register pressure
levels or proximity. I use the tablet as mouse replacement about 40
hours a week to prevent getting RSI.

Two things of note though:
1. Unplugging while X is running results in the X log getting spammed
(this happens with more devices, search tech@ for wacom). The fix is to
restart X.
2. Once in a while the cursor jumps to the top left corner and back when
you click something. This happens only a few times a day and doesn't
cause me issues, but I want to fix it and haven't been able to so far.
It seems the Linux driver just cuts off the lowest bit of the coordinates
and I haven't figured out yet whether this will fix it or whether they
use a different trick for it.

Regards,

Frank



Re: help with pf filtering on enc

2017-03-24 Thread Frank Groeneveld
On Tue, Mar 21, 2017, at 16:56, Marko Cupać wrote:
> ...
>
> What exactly I should pass on enc interface so that the above packet
> passes?
>
> Thank you in advance.

Hi,

You probably need to allow ipencap protocol packets. I also need l2tp
packets, but that depends on whether you use it.

--
Frank



strange packets

2017-03-07 Thread Frank White
Hi, I have a new openbsd firewall but I have one strange problem... it is
really slow for surfing internet.
I have discovered that if I use squid as proxy (installed on the firewall)
the internet speed is ok. If I don't use squid the browsing is very very
slow... also if I ping google from a client I lose 25% of packets... if I
ping google from the fw I don't lose any packets. Using tcpdump on the
egress IF I see that the packets from the lan client go out but I don't
receive any reply... I mean the 25% of packets..
My lan has 150 users... and the firewall is a cluster with 2 nodes and 2 GB
ram each..
it worked fine from the born.. about 2 or 3 weeks ago.
I changed the pf.conf with an old one ... for old I mean 10 days ago... but
nothing was changed.
Any help ?



bandwidth monitoring

2017-03-07 Thread Frank White
Hi,
how can I monitor the bandwidth and know what client is occupying the
bandwidth ?
Thank you.



Re: hairpin nat with pf ?

2017-03-01 Thread Frank White
yes it works well. But it's very interesting the use of tag.
Is egress:0 the if alias ?



2017-03-01 16:09 GMT+01:00 Stuart Henderson :

> On 2017-03-01, Frank White  wrote:
> > Hi,
> > anyone know how to configure pf to make hairpin nat ?
>
> Should be something like this.
>
> pass in quick inet proto tcp to self port 7755 rdr-to $SOMEHOST port 80
> tag hairpin
> pass out quick inet tagged hairpin nat-to egress:0



hairpin nat with pf ?

2017-03-01 Thread Frank White
Hi,
anyone know how to configure pf to make hairpin nat ?



Re: two ip with carp

2017-02-28 Thread Frank White
ok.. I'll try.
I use the google dns ip as example for my static public ip address.
fw1 carp0 8.8.8.8  ## (internet shared ip <--  lan)
fw1 carp1 192.168.1.1  ## (lan shared ip default gw)
fw1 carp2 10.1.1.1  ## (dmz shared ip)
fw1 bnx0 8.8.8.7  ## (internet)
fw1 bge0 192.168.1.2  ## (lan)
fw1 bnx1 10.1.1.2  ## (dmz)
fw1 bge1 192.168.254.1 ## (pfsync)

fw2 carp0 8.8.8.8
fw2 carp1 192.168.1.1
fw2 carp2 10.1.1.1
fw2 bnx0 8.8.8.6
fw2 bge0 192.168.1.3
fw2 bnx1 10.1.1.3
fw2 bge1 192.168.1.254.2 # (pfsync)

Now I want add 8.8.8.10 static and public ip to flow the traffic to the dmz
because 8.8.8.8 flow traffic to the lan.
As I understand I have to add the following lines to IF configuration files:

fw1 hostname.carp0:  inet alias 8.8.8.10 255.255.255.255. NONE
fw1 hostname.bnx0: inet alias 8.8.8.11 255.255.255.255 NONE

fw2 hostname.carp0:  inet alias 8.8.8.10 255.255.255.255. NONE
fw2 hostname.bnx0: inet alias 8.8.8.12 255.255.255.255 NONE

is that right ?


2017-02-28 15:07 GMT+01:00 Igor V. Gubenko :

> It's not completely clear -
>
> 4) - is the IP 10.1.1.2 on a separate interface? What did you configure
> carp2 on?
>
> Can you restate your question and/or describe how you want the traffic
> to flow, as well as your network topology?
>
> - Igor
>
>
> On 2/27/17 6:07 AM, Frank White wrote:
> > hi,
> > I have 2 firewall in cluster with carp. The following is my configuration
> > (8.x.x.x are examples for wan ip):
> > first firewall
> > 1) bnx0 8.8.8.7 (internet)
> > 2) bge0 192.168.100.2 (lan)
> > 3) bnx1 pfsync
> > 4) 10.1.1.2 dmz
> >
> > carp0 8.8.8.8 (internet)
> > carp1 192.168.100.1 (gateway for the lan)
> > carp2 10.1.1.1 (gateway for the dmz)
> >
> > now I want add the ip 8.8.8.10 to redirect all traffic from it to the
> dmz...
> > how should I configure it ?
> > I know how to redirect the traffic with pf.. my question concern how to
> > configure carp and the nic..
> > for example should I create a new carp with ip 8.8.8.10 and an alias for
> > the bnx0 with ip 8.8.8.11 ?



two ip with carp

2017-02-27 Thread Frank White
hi,
I have 2 firewall in cluster with carp. The following is my configuration
(8.x.x.x are examples for wan ip):
first firewall
1) bnx0 8.8.8.7 (internet)
2) bge0 192.168.100.2 (lan)
3) bnx1 pfsync
4) 10.1.1.2 dmz

carp0 8.8.8.8 (internet)
carp1 192.168.100.1 (gateway for the lan)
carp2 10.1.1.1 (gateway for the dmz)

now I want add the ip 8.8.8.10 to redirect all traffic from it to the dmz...
how should I configure it ?
I know how to redirect the traffic with pf.. my question concerns how to
configure carp and the nic..
for example should I create a new carp with ip 8.8.8.10 and an alias for
the bnx0 with ip 8.8.8.11 ?



console fonts

2016-12-22 Thread Frank White
Hi,
I tried the following command to change console fonts:

wsfontload -h 8 -e ibm /usr/share/misc/pcvtfonts/vt220l.808

but I have the following error:

wsfontload: WSDISPLAYIO_LDFONT: Invalid argument

???



carp and squid

2016-12-21 Thread Frank White
Hi, does 2 nodes clustered openbsd firewall work with squid ?
is there any specific configuration ?



Re: Kernel panic on 6.0-stable

2016-11-20 Thread Frank Groeneveld
On Sun, Nov 20, 2016 at 03:21:32PM +0100, Martin Pieuchot wrote:
> On 20/11/16(Sun) 13:58, Frank Groeneveld wrote:
> > A few weeks back there was an outage at my ISP. Afterwards, I kept
> > getting crashes of igmpproxy after changing channels on the tv a few
> > times:
> 
> This has been fixed in -current.

Thanks for the pointer. Does it fix both the igmpproxy crash and the
kernel crash? Or just the igmpproxy crash?

Frank



Kernel panic on 6.0-stable

2016-11-20 Thread Frank Groeneveld
A few weeks back there was an outage at my ISP. Afterwards, I kept
getting crashes of igmpproxy after changing channels on the tv a few
times:

-
Note: RECV Leave message  from 192.168.1.2 to 224.0.0.2 (ip_hl
24, data 8)
Debu: Got leave message from 192.168.1.2 to 224.0.251.136. Starting last
member detection.
Debu: Leaving group 224.0.251.136 upstream on IF address 10.36.229.63
Note: leaveMcGroup: 224.0.251.136 on vlan4
Debu: SENT Membership query   from 192.168.1.1 to 224.0.251.136
Debu: Sent membership query from 192.168.1.1 to 224.0.251.136. Delay: 10
Debu: Created timeout 18 (#6) - delay 5 secs
Debu: (Id:12, Time:1) 
Debu: (Id:13, Time:0) 
Debu: (Id:14, Time:1) 
Debu: (Id:15, Time:1) 
Debu: (Id:16, Time:1) 
Debu: (Id:17, Time:1) 
Debu: (Id:18, Time:5) 
Debu: (Id:10, Time:7) 
Debu: About to call timeout 12 (#0)
Debu: Aging Origin 213.75.167.6 Dst 224.0.251.126 PktCnt 1022 -> 1022
Debu: Origin 213.75.167.6 Vif bits : 0x0002
Debu: Setting TTL for Vif 1 to 1
Debu: Identified VIF #2 as upstream.
Note: Removing MFC: 213.75.167.6 -> 224.0.251.126, InpVIf: 2
igmpproxy(18177) in free(): error: use after free 0x1116efc3b400
Abort trap (core dumped) 
-

Because I didn't have time to debug it, I started igmpproxy in a while
true loop and was able to watch television with some minor hiccups now and
then.

Today I finally had time to have a go at it, but wasn't able to figure
out the cause. Still being on 5.9-stable I decided to first upgrade to
6.0-stable and see whether that helped. This made my problem worse,
because now as soon as igmpproxy was running it would panic (full dmesg
attached with the panic at the bottom).

I found mention of said panic in plus60.html:
> In pf(4), don't panic if an mbuf(9) already has a statekey. This should
> help finding the remaining corner cases of packets looped back in the
> stack. 

This leads me to believe that my panic should not occur, but it still
is. Does anybody have a clue how I can work around this? Is there maybe
something wrong with my pf rules? I've attached them and the
igmpproxy.conf as well.

For now I've downgraded to 5.9-stable again.

Thanks in advance,

Frank
booting hd0a:/bsd: 6893364+2179280+267272+0+663552 [72+726864+483332]=0xab3a20
entry point at 0x1001000 [7205c766, 3404, 24448b12, 3be0a304]
[ using 1210912 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2016 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 6.0-stable (GENERIC.MP) #6: Sun Nov 20 10:16:50 CET 2016
frank@phenom.local:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 
ff
real mem = 4246003712 (4049MB)
avail mem = 4112846848 (3922MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdf16d820 (7 entries)
bios0: vendor coreboot version "4.0" date 09/08/2014
bios0: PC Engines APU
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SPCR HPET APIC HEST SSDT SSDT SSDT
acpi0: wakeup devices AGPB(S4) HDMI(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) 
PE20(S4) PE21(S4) PE22(S4) PE23(S4) PIBR(S4) UOH1(S3) UOH2(S3) UOH3(S3) 
UOH4(S3) UOH5(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD G-T40E Processor, 1000.14 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu0: 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD G-T40E Processor, 1000.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu1: 8 4MB entries fully associative
cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
acpiprt0 at acpi0: bus -1 (AGPB)
acpiprt1 at acpi0: bus -1 (HDMI)
acpiprt2 at acpi0: bus 1 (PBR4)
acpiprt3 at acpi0: bus 2 (PBR5)
acpiprt4 at a

Re: ldapd(8) database bootstrap error

2016-10-29 Thread Frank Groeneveld
On Sat, Oct 29, 2016 at 10:14:00AM +0800, Zhang Huangbin wrote:
> You must create the root dn (dc=example,dc=com) first. For example:
> 
> dn: dc=example,dc=com
> objectclass: dcObject
> objectclass: organization
> dc: example
> o: example
> 
> 
> Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
> Time zone: GMT+8 (China/Beijing).

That's it, thanks! I was under the wrong assumption that the namespace
objects would already be there.

Frank



ldapd(8) database bootstrap error

2016-10-28 Thread Frank Groeneveld
I'm trying to get ldapd working on 6.0-stable. Using the man page and
/etc/examples/ldapd.conf I've created the following configuration file:

schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"

listen on lo0 secure

namespace "dc=example,dc=com" {
rootdn  "cn=admin,dc=example,dc=com"
rootpw  "secret"
}

Starting ldapd as root gives the following output:

# ldapd -vd
Oct 28 20:31:20.800 [83362] parsing config /etc/ldapd.conf
Oct 28 20:31:20.800 [83362] parsing schema file
'/etc/ldap/core.schema'
Oct 28 20:31:20.804 [83362] parsing schema file
'/etc/ldap/inetorgperson.schema'
Oct 28 20:31:20.805 [83362] parsing schema file
'/etc/ldap/nis.schema'
Oct 28 20:31:20.806 [83362] parsing namespace dc=example,dc=com
Oct 28 20:31:20.807 [83362] startup
Oct 28 20:31:20.812 [46832] listening on 127.0.0.1:389
Oct 28 20:31:20.812 [46832] listening on fe80:3::1:389
Oct 28 20:31:20.812 [46832] listening on ::1:389
Oct 28 20:31:20.812 [46832] opening namespace dc=example,dc=com
Oct 28 20:31:20.812 [46832] ldape: entering event loop

All seems fine up until here. I try to add the following ldif:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

This results in:

$ ldapadd -D 'cn=admin,dc=example,dc=com' -x -w secret -f in.ldif 
adding new entry "ou=people,dc=example,dc=com"
ldap_add: No such object (32)

The server gives this output for the ldapadd commands received:

Oct 28 20:35:56.526 [60646] accepted connection from 127.0.0.1 on fd
11
Oct 28 20:35:56.526 [60646] consumed 46 bytes
Oct 28 20:35:56.527 [60646] got request type 0, id 1
Oct 28 20:35:56.527 [60646] bind dn = cn=admin,dc=example,dc=com
Oct 28 20:35:56.527 [60646] successfully authenticated as
cn=admin,dc=example,dc=com
Oct 28 20:35:56.527 [60646] sending response 1 with result 0
Oct 28 20:35:56.527 [60646] consumed 91 bytes
Oct 28 20:35:56.527 [60646] got request type 8, id 2
Oct 28 20:35:56.527 [60646] adding entry ou=people,dc=example,dc=com
Oct 28 20:35:56.528 [60646] dc=example,dc=com: dn not found
Oct 28 20:35:56.528 [60646] sending response 9 with result 32
Oct 28 20:35:56.528 [60646] consumed 7 bytes
Oct 28 20:35:56.529 [60646] got request type 2, id 3
Oct 28 20:35:56.529 [60646] current bind dn =
cn=admin,dc=example,dc=com
Oct 28 20:35:56.529 [60646] end-of-file on connection 11
Oct 28 20:35:56.529 [60646] closing connection 11

So it seems it can't find the baseDN or namespace somehow. What am I
doing wrong? The database files seem to be created just fine in
/var/db/ldap/.

Cheers,
Frank



Re: php7.0 fail on stable

2016-08-18 Thread Frank Groeneveld
On Thu, Aug 18, 2016 at 09:09:38PM +0200, Thuban wrote:
> Hello,
> I was trying to build php7.0 with ports, but it fails (see configure
> failure below).
> 
> I'm running on 5.9 with stable patches (for both ports and src of
> course).
> 
> It seems that configure doesn't recognise the "--with-apxs" option".

It's missing a dependency, see this thread:
http://marc.info/?t=14605309296&r=1&w=2

This should be fixed in 6.0, but for 5.9 you can work around it by
installing apache-httpd before compiling php.

Frank



Re: Trying to get Wacom CTL-490 to work

2016-07-18 Thread Frank Groeneveld
On Mon, Jul 18, 2016 at 09:54:02AM +0200, Philip Guenther wrote:
> 
> The privilege separation code in xenocara has a compiled in list of
> devices that are permitted to be opened; of the uhid devices it only
> currently includes /dev/uhid0 through /dev/uhid3.  You can either
> a) update the list and recompile the X server
> b) symlink it to a different name that's already in the allowed list
> but that's not used by OpenBSD (e.g., "/dev/ttyJ0")
> c) ???

Great tip, thank you! The permission denied error is gone indeed.
Unfortunately it seems the driver cannot do anything with the raw uhid
devices, it complains about missing X & Y directions.

Frank



Re: Trying to get Wacom CTL-490 to work

2016-07-17 Thread Frank Groeneveld
On Sun, Jul 17, 2016 at 08:53:50PM +0200, Frank Groeneveld wrote:
> [46.602] (EE) xf86OpenSerial: Cannot open device /dev/uhid6
> Operation not permitted.
> [46.602] (EE) Error opening /dev/uhid6: Operation not permitted

Forgot to mention: I had changed the file permissions on uhid6 to be
world readable and writable.

Frank


