===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/73.html,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- www/73.html 2023/04/03 21:51:34 1.22
+++ www/73.html 2023/04/03 22:14:15 1.23
@@ -83,7 +83,6 @@
Various kernel improvements:
-
- Added support for the Rockchip RK3568 processor.
- Implemented the waitid(2) system call
@@ -713,62 +712,65 @@
- Security improvements:
- - Add Synthetic Memory Protections. These provide
-
- - Immutable memory mappings whose permissions and size cannot be
- changed anymore. A new system call mimmutable(2) enables
- this feature.
-
- Execute-Only permission on memory mappings. This uses hardware
- support where possible and emulation where the hardware does not have
- separate execute only features.
-
- Stack permission on mappings: On every system call the stack
- pointer is checked. It must point to a mapping that has MAP_STACK
- permissions.
-
- Pinning of syscall entry to a unique specific memory regions from
- which system calls can be made.
-
- The execute-only mappings are active on arm64, risc-v, hppa,
- aarch64, mips64, sparc64, amd64, mips, and power-pc platforms.
-
-
- - Implemented a --executable-only option in ld.bfd(1).
-
-
- Changed ld.so(1)
- to map certain regions of memory as immutable when loading shared
- libraries.
-
+
- Permissions (RWX, MAP_STACK, etc) on address space regions can
+ be made immutable,
+ so that mmap(2), mprotect(2) or munmap(2) fail with EPERM.
+ Most of the program static address space is now automatically
+ immutable (main program, ld.so, main stack, load-time shared
+ libraries, and dlopen()'d libraries mapped without RTLD_NODELETE).
+ Programmers can request non-immutable static data using the
+ "openbsd.mutable" section, or manually bring immutability to (page
+ aligned heap objects) using mimmutable(2).
+
- Some architectures now have non-readable code ("xonly"), both from
+ the perspective of userland reading its own memory, or the kernel
+ trying to read memory in a system call. Many sloppy practices in
+ userland code had to be repaired to allow this. The linker (ld.lld(1)) option
+ --execute-only is enabled by default. In order of development: arm64,
+ riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon. sparc64
+ (sun4u only, unfinished).
+
- On all architectures which lack hardware-enforcement of xonly,
+ system calls are now prevented from reading (via copyin(9)/copyinst)
+ inside the program's main text, ld.so text, sigtramp text, or libc.so
+ text.
+
- can still benefit from switching to --execute-only binaries if the
+ cpu generates different traps for instruction-fetch versus data-fetch.
+ The VM system will not allow memory to be read before it was executed
+ which is valuable together with library relinking. Architectures
+ switched over include loongson.
+
- ld.so(1) and crt0
+ register the location of the execve(2) stub with the
+ kernel using pinsyscall(2), after which the kernel only accepts an
+ execve call from that specific location.
- Added execve(2)
violations of pinsyscall(2) policy
to the daily mail, available by setting rc.conf.local(5)
accounting=YES.
-
- Added retguard to amd64 syscalls.
-
-
- Randomly relink and install sshd(8) on boot, resulting
- in a sshd with unknown address layout after every reboot.
-
+
- Added retguard (consistency-check the return address on the
+ stack) to amd64 syscalls.
+
- sshd random relinking at boot: Randomly relink and install sshd(8), resulting
+ in a sshd binary with unknown address layout after every reboot.
- Add another mitigation against classic BROP on systems without
execute-only mmu hardware-enforcement. A range-checking wrapper in
- front of copyin() and copyinstr() ensures the userland source address
- doesn't overlap the main program text and other text segments, thereby
- making this address ranges unreadable to the kernel. No programs have
- been discovered which require reading their own text segments with a
- system call.
-
+ front of copyin(9) and
+ href="https://man.openbsd.org/copyinstr.9">copyinstr(9) ensures
+ the userland source address doesn't overlap the main program text and
+ other text segments, thereby making this address ranges unreadable to
+ the kernel. No programs have been discovered which require reading
+ their own text segments with a system call.
- On arm64, introduce mitigation of the Spectre-BHB (Branch
History Injection) CPU vulnerability by using core-specific trampoline
vectors.
-
-
- Tightened the pledge(2) after ssh(1) session establishment.
-
-
- Enabled the Data Independent Timing (DIT) feature in both the kernel and
- userland on arm64 CPUs that support it to mitigate timing side-channel
+
- Enabled the arm64 Data Independent Timing (DIT) feature in both the kernel and
+ userland on CPUs that support it to mitigate timing side-channel
attacks.
-
- Changes in the network stack:
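Review bot: the rewritten security list describes the same copyin(9)/copyinstr(9) range check twice, once in the item "On all architectures which lack hardware-enforcement of xonly, system calls are now prevented from reading (via copyin(9)/copyinst) inside the program's main text ..." and again in the BROP item ("A range-checking wrapper in front of copyin(9) and copyinstr(9) ensures the userland source address doesn't overlap the main program text ..."); merge them or have one refer to the other. Within the same hunk: "copyinst" should read "copyinstr(9)"; the item beginning "can still benefit from switching to --execute-only binaries" has lost its subject (the architectures it refers to); "octeon. sparc64 (sun4u only, unfinished)" should be "octeon, sparc64 (sun4u only, unfinished)"; and "making this address ranges unreadable", carried over from the old text, should be "making these address ranges unreadable".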
@@ -783,14 +785,11 @@
configuring IPv6. This allows non-multicast interfaces such as
point-to-point interfaces and the NBMA / point-to-multipoint
interfaces like mpe(4), mgre(4) and wg(4) to work with IPv6.
-
- Use the new getnsecruntime(9)
timer to check the TCP_KEEPALIVE timer only against the system
runtime, not the uptime. Prevents TCP connections to fail after
wakeing up from suspend.
-
-
- Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a
hash/flowid for pf(4) state
keys. With this change, pf will hash traffic the same way that
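Review bot: the context lines kept here still read "Prevents TCP connections to fail after wakeing up from suspend"; since this item is being reflowed, fix it to "Prevents TCP connections from failing after waking up from suspend".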
@@ -800,11 +799,9 @@
queues too. using the same algorithm throughout the stack encourages
affinity of packets to rings and softnet threads the whole way
through.
-
- Prevented possible kernel crashes by dropping TCP packets with
destination port 0 in pf(4)
and the stack.
-
- Fixed a endian swap bug causing problems with vlans(4) on em(4) sparc64 systems.
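Review bot: "queues too. using the same algorithm" needs a capital "Using", "Fixed a endian swap bug" should be "Fixed an endian swap bug", and the driver is vlan(4), not "vlans(4)"; all three sit in lines this hunk reflows around, so they are worth correcting in the same commit.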
@@ -826,7 +823,6 @@
half second even if there is nothing to read. By default this buffer
is infinite and must be filled to become readable.
- Avoided enabling TSO on interfaces which are already attached to a bridge.
-
Routing daemons and other userland network improvements:
@@ -956,11 +952,6 @@
When decoding and validating an individual RPKI file using filemode
(rpki-client -f file), display the optional CMS signing-time, and
non-optional X.509 notBefore, and X.509 notAfter timestamps.
-
-
- In snmpd(8),
-
Switched tftpd(8) to
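Review bot: the "In snmpd(8)," entry is deleted as an empty placeholder rather than completed; confirm that no snmpd(8) change for this release was meant to be listed there before dropping it.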