version 1.22, 2023/04/03 21:51:34
version 1.23, 2023/04/03 22:14:15

<li>Various kernel improvements:
<ul>
<li>Added support for the Rockchip RK3568 processor.
<li>Implemented the <a
href="https://man.openbsd.org/waitid.2">waitid(2)</a> system call

<li>Security improvements:
<ul>
<li>Permissions (RWX, MAP_STACK, etc) on address space regions can
be made <a href="https://man.openbsd.org/mimmutable.2">immutable</a>,
so that <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a
href="https://man.openbsd.org/mprotect.2">mprotect(2)</a> or <a
href="https://man.openbsd.org/munmap.2">munmap(2)</a> fail with EPERM.
Most of the program static address space is now automatically
immutable (main program, ld.so, main stack, load-time shared
libraries, and dlopen()'d libraries mapped without RTLD_NODELETE).
Programmers can request non-immutable static data using the
"openbsd.mutable" section, or manually make page-aligned heap objects
immutable using <a
href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a>.
<li>Some architectures now have non-readable code ("xonly"), both from
the perspective of userland reading its own memory, or the kernel
trying to read memory in a system call. Many sloppy practices in
userland code had to be repaired to allow this. The <a
href="https://man.openbsd.org/ld.lld.1">linker (ld.lld(1))</a> option
--execute-only is enabled by default. In order of development: arm64,
riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon. sparc64
(sun4u only, unfinished).
<li>On all architectures which lack hardware-enforcement of xonly,
system calls are now prevented from reading (via <a
href="https://man.openbsd.org/copyin.9">copyin(9)</a>/<a
href="https://man.openbsd.org/copyinstr.9">copyinstr(9)</a>)
inside the program's main text, ld.so text, sigtramp text, or libc.so
text.
<li>can still benefit from switching to --execute-only binaries if the
cpu generates different traps for instruction-fetch versus data-fetch.
The VM system will not allow memory to be read before it was executed,
which is valuable together with library relinking. Architectures
switched over include loongson.
<li><a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> and crt0
register the location of the <a
href="https://man.openbsd.org/execve.2">execve(2)</a> stub with the
kernel using <a
href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>, after
which the kernel only accepts an execve call from that specific
location.
<li>Added <a href="https://man.openbsd.org/execve.2">execve(2)</a>
violations of <a
href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a> policy
to the daily mail, available by setting rc.conf.local(5)
accounting=YES.
<li>Added retguard (consistency-check the return address on the
stack) to amd64 syscalls.
<li>sshd random relinking at boot: Randomly relink and install <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>, resulting
in an sshd binary with unknown address layout after every reboot.
<li>Add another mitigation against classic BROP on systems without
execute-only mmu hardware-enforcement. A range-checking wrapper in
front of <a href="https://man.openbsd.org/copyin.9">copyin(9)</a> and
<a href="https://man.openbsd.org/copyinstr.9">copyinstr(9)</a> ensures
the userland source address doesn't overlap the main program text and
other text segments, thereby making these address ranges unreadable to
the kernel. No programs have been discovered which require reading
their own text segments with a system call.
<li>On arm64, introduce mitigation of the Spectre-BHB (Branch
History Injection) CPU vulnerability by using core-specific trampoline
vectors.
<li>Enabled the arm64 Data Independent Timing (DIT) feature in both the
kernel and userland on CPUs that support it to mitigate timing
side-channel attacks.
</ul>
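The range check in front of copyin(9)/copyinstr(9) described above, written out as a user-space model (an added example, not OpenBSD kernel code): the text-segment addresses, the text_ranges table and the function names are constructed for illustration, and EFAULT stands in for the kernel refusing the copy.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Text segments the kernel must not read on a process's behalf: main
 * program, ld.so, sigtramp and libc.so text.  The addresses are a
 * constructed, hypothetical layout for this example. */
struct text_range { uintptr_t start, end; };   /* half-open [start, end) */

#define NTEXT 4
static const struct text_range text_ranges[NTEXT] = {
    { 0x10000000, 0x10040000 },   /* main program text */
    { 0x7f000000, 0x7f020000 },   /* ld.so text */
    { 0x7f100000, 0x7f101000 },   /* sigtramp page */
    { 0x7f200000, 0x7f400000 },   /* libc.so text */
};

static bool overlaps(uintptr_t a0, uintptr_t a1, uintptr_t b0, uintptr_t b1)
{
    return a0 < b1 && b0 < a1;    /* half-open intervals intersect */
}

/* Model of the wrapper in front of copyin(): 0 when [uaddr, uaddr+len)
 * touches no protected text, EFAULT otherwise.  A length that wraps the
 * address space can never be a valid user buffer and is refused too. */
int copyin_range_check(uintptr_t uaddr, size_t len)
{
    if (len == 0)
        return 0;
    if (uaddr + len < uaddr)
        return EFAULT;
    for (size_t i = 0; i < NTEXT; i++)
        if (overlaps(uaddr, uaddr + len,
                     text_ranges[i].start, text_ranges[i].end))
            return EFAULT;
    return 0;
}

/* copyinstr() stops at a NUL but may touch up to maxlen bytes, so the
 * whole window it could read is checked. */
int copyinstr_range_check(uintptr_t uaddr, size_t maxlen)
{
    return copyin_range_check(uaddr, maxlen);
}
```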

<li>Changes in the network stack:
<ul>
configuring IPv6. This allows non-multicast interfaces such as
point-to-point interfaces and the NBMA / point-to-multipoint
interfaces like mpe(4), mgre(4) and wg(4) to work with IPv6.
<li>Use the new <a
href="https://man.openbsd.org/getnsecruntime.9">getnsecruntime(9)</a>
timer to check the TCP_KEEPALIVE timer only against the system
runtime, not the uptime. This prevents TCP connections from failing
after waking up from suspend.
<li>Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a
hash/flowid for <a href="https://man.openbsd.org/pf.4">pf(4)</a> state
keys. With this change, pf will hash traffic the same way that

queues too. Using the same algorithm throughout the stack encourages
affinity of packets to rings and softnet threads the whole way
through.
<li>Prevented possible kernel crashes by dropping TCP packets with
destination port 0 in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
and the stack.
<li>Fixed an endian swap bug causing problems with <a
href="https://man.openbsd.org/vlan.4">vlan(4)</a> on <a
href="https://man.openbsd.org/em.4">em(4)</a> sparc64 systems.

half second even if there is nothing to read. By default this buffer
is infinite and must be filled to become readable.
<li>Avoided enabling TSO on interfaces which are already attached to a bridge.
</ul>
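Why one symmetric hash lets pf(4) states, interface rings and softnet queues agree on a flowid, as an added example rather than OpenBSD's stoeplitz code: a standard Toeplitz hash over a key that repeats a single 16-bit pattern, so swapping source and destination leaves the result unchanged. The 0x6d5a pattern, the IPv4 4-tuple layout and the function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard Toeplitz (RSS) hash: for every set input bit, XOR in the 32-bit
 * window of the key that starts at that bit.  key_window() gathers 40 bits
 * so that the window is available at any bit alignment. */
static uint32_t key_window(const uint8_t *key, size_t keylen, size_t bit)
{
    uint64_t w = 0;
    size_t byte = bit / 8;
    for (size_t k = 0; k < 5; k++)
        w = (w << 8) | (byte + k < keylen ? key[byte + k] : 0);
    return (uint32_t)(w >> (8 - bit % 8));
}
uint32_t toeplitz_hash(const uint8_t *key, size_t keylen,
                       const uint8_t *data, size_t len)
{
    uint32_t hash = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--)
            if (data[i] & (1u << b))
                hash ^= key_window(key, keylen, i * 8 + (7 - b));
    return hash;
}
/* Symmetric ("stoeplitz") variant: the key repeats one 16-bit pattern, so
 * fields whose byte offsets differ by a multiple of two see identical key
 * windows and swapping src/dst addresses or ports leaves the hash unchanged.
 * The pattern is a constructed value, not OpenBSD's boot-time key. */
#define SKEY_LEN 40
void symmetric_key(uint8_t *key, uint16_t pattern)
{
    for (size_t i = 0; i < SKEY_LEN; i += 2) {
        key[i] = pattern >> 8;
        key[i + 1] = pattern & 0xff;
    }
}

/* Flow id over an IPv4 4-tuple laid out as on the wire:
 * saddr(4) daddr(4) sport(2) dport(2), big-endian. */
uint32_t flowid4(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport)
{
    uint8_t key[SKEY_LEN], t[12];
    uint32_t f[3] = { saddr, daddr, ((uint32_t)sport << 16) | dport };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            t[i * 4 + j] = (uint8_t)(f[i] >> (24 - 8 * j));
    symmetric_key(key, 0x6d5a);
    return toeplitz_hash(key, SKEY_LEN, t, sizeof t);
}
```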

<li>Routing daemons and other userland network improvements:

<li>When decoding and validating an individual RPKI file using filemode
(rpki-client -f file), display the optional CMS signing-time and the
non-optional X.509 notBefore and notAfter timestamps.
</ul>

<li>Switched <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a> to