Messages

61

19.1 Legacy Series / Re: problems updating to 19.1 on a Freebsd 12p3 bhyve VM, also with bhyveload

« on: February 06, 2019, 06:11:12 pm »

In this particular case, it's because we at HardenedBSD ported over a cool security feature from OpenBSD: disabling a specific Intel backdoor called Intel SDBG. We have to toggle a not-well-known MSR that FreeBSD's bhyve freaks out on. We implemented a workaround in HardenedBSD's bhyve that FreeBSD refuses to import upstream, though they initially promised they would.

62

19.1 Legacy Series / Re: 19.1 completely messed up my network

« on: February 06, 2019, 05:57:45 pm »

That i understand, but wouldnt it be a good idea to use 19.1.1 as the "first" version in te 19.1 range, and skip the 19.1 image alltogether, since these cause so much trouble with the automtu issue? Has given me a lot of headaches imho

It could even be so that duo to the automtu issue a user is unable to update to 19.1.1 alltogether. Took me multiple tries duo to a completely corrupted connection.

We'll look at generating new installation images once we address some of the other issues that popped up, including recent FreeBSD security announcements.

63

19.1 Legacy Series / Re: problems updating to 19.1 on a Freebsd 12p3 bhyve VM, also with bhyveload

« on: February 06, 2019, 04:32:46 pm »

If you're using FreeBSD as the host, make sure you're passing in the -w option to ignore unimplemented MSRs.

64

19.1 Legacy Series / Re: OPNsense 19.1 released update!

« on: February 03, 2019, 11:50:11 pm »

From a security perspective, it really depends on your threat landscape. I don't think the average person is likely to see network-based attacks targeting the various microarchitectural vulnerabilities plaguing SMT and speculative execution as of late. However, if you feel that you might be of interest to someone with the ability to carry out successful attacks remotely, it'd be best to leave SMT disabled.

In short: determine your risk and plan and mitigate accordingly.

65

19.1 Legacy Series / Re: VM of OPNsense on Hyper-V Win Svr 2019 Std - Fails

« on: February 02, 2019, 03:52:12 am »

bunchofreeds, could you also try booting with vm.pmap.pti set to 0?

66

19.1 Legacy Series / Re: Upgrade fail

« on: February 02, 2019, 12:27:07 am »

SecAficionado, try booting with the vm.pmap.pti tunable set to 0.

Thanks @lattera! That fixed the issue!

Awesome! Good to hear!

To give a little bit of background, FreeBSD implemented PTI, but created some detection logic to disable it for CPUs that don't technically need it. We at HardenedBSD feel that it's a really good security feature to keep enabled across-the-board, so we've disabled that detection logic and enabled it by default.

This means that some CPUs, especially older AMD CPUs, can have issues with the feature. For those edge cases, we instruct impacted users simply to disable PTI. I know it can cause some headaches, but I feel it's a good reminder to those with older CPUs to perhaps upgrade to newer CPUs that can take advantage of newer security features.

Sorry for the hassle, but I'm glad we found the issue.

67

19.1 Legacy Series / Re: OPNsense 19.1 released update!

« on: February 01, 2019, 03:48:48 pm »

Can you post a backtrace with the `bt` command (without the backticks)?

@lattera at the 'db>' prompt, it seems the keyboard mapping gets all messed up.  When I hit 'b', it actually prints 'mm'. When I hit 't', it prints 'zz'.  It then seems to get all locked up and non-responsive as I try different keys.  I tried in safe mode, but same thing.  Tried a different keyboard with the same result.

Ah, this is a problem that has plagued FreeBSD for a while. I take it your keyboard is not a US ASCII keyboard?

68

19.1 Legacy Series / Re: Upgrade fail

« on: February 01, 2019, 03:41:07 pm »

SecAficionado, try booting with the vm.pmap.pti tunable set to 0.

69

19.1 Legacy Series / Re: VM of OPNsense on Hyper-V Win Svr 2019 Std - Fails

« on: February 01, 2019, 12:44:48 am »

What's the output of the `bt` command (without the backticks, of course)?

70

19.1 Legacy Series / Re: OPNsense 19.1 released update!

« on: January 31, 2019, 09:28:47 pm »

Crash and Burn 
Fatal trap 12: Page fault while in kernel mode

18.7.10_3 appeared to update fine (but no reboot was required).  19.1 upgraded and would not reboot.

Running on a Dell Inspiron 3470
Screenshot attached

Can you post a backtrace with the `bt` command (without the backticks)?

71

18.7 Legacy Series / Re: Segmentation fault while installing

« on: January 27, 2019, 06:27:04 pm »

Can you post a screenshot or a picture of the crash?

72

19.1 Legacy Series / Re: cpdup failure in 19.1-rc1 installer

« on: January 24, 2019, 08:33:50 pm »

Good to know. I'll see about flashing an older BIOS. Thanks for the tip!

73

19.1 Legacy Series / Re: cpdup failure in 19.1-rc1 installer

« on: January 24, 2019, 07:39:12 pm »

Turns out it might be a hardware issue. When I exit the installer, I get a bunch of these errors in the serial console:

Code: [Select]

g_vfs_done():ada0p3[WRITE(offset=194326200320, length=32768)]error = 6
ahcich0: Timeout on slot 26 port 0
ahcich0: is 00000002 cs 00000000 ss 00000000 rs 04000000 tfd 50 serr 00000000 cmd 00407a17
(aprobe0:ahcich0:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich0:0:0:0): CAM status: Command timeout
(aprobe0:ahcich0:0:0:0): Error 5, Retries exhausted

I've tried several mSata drives. So I'll reach out to PC Engines for support. Do you want me to update this thread with their response?

I kinda/sorta wonder if something changed in FreeBSD's geom/cam layers between 11.1 and 11.2. OPNsense 18.7 installs fine, but 19.1 shows tons of the GEOM/CAM errors above.

74

19.1 Legacy Series / cpdup failure in 19.1-rc1 installer

« on: January 21, 2019, 08:59:30 pm »

Attempting to install 19.1-rc1/amd64 on an APU4c4, the installer fails when it's trying to cpdup into /usr/local. Screenshots linked below:

https://photos.app.goo.gl/DhCeDMHXTV4yMTcm6

https://photos.app.goo.gl/31FJd2xEDonahhrW9

https://photos.app.goo.gl/2kUkd2uHbVHTe1Z9A

75

19.1 Legacy Series / Re: ARM Support

« on: January 09, 2019, 09:47:35 pm »

So, take what I'm about to say with a bit of a grain of salt. In this case, I'm not speaking on behalf of the OPNsense project here. I'm just providing a little bit of background info.

With OPNsense 19.1, OPNsense will have switched fully to HardenedBSD as the base operating system. Yay! I've committed to providing basic 32-bit Intel (i386) support to OPNsense for 2019. Outside of this limited scope, HardenedBSD does not support 32-bit architectures. In 2020, OPNsense will drop i386 support as they migrate to HardenedBSD 12 (I will be guiding them along this process, of course).

It would make much more sense for OPNsense to start targeting arm64. The problem, though, is that all these little arm64 SoC dev boards require a slightly different version of U-Boot. So OPNsense would have to generate installation media for each board, whether it be the Raspberry Pi 3, Pine64, Pine64-LTS, Rock64, etc. This is very quite painful, because it takes a lot of resources. Now, OPNsense may deem it worthwhile, so that's not my place to say.

I'd be interested to see more arm64 systems like what SoftIron and Cavium provide, where UEFI is used instead of U-Boot. That would make it really easy for OPNsense to support arm64. It would be possible for OPNsense to do that regardless of the state of these SoC dev boards.