Hi, I'm trying to make a relatively secure computer setup, so I want to try OpenBSD as the "main" kernel (aka the one that will run on the real hardware, and that will be the host for the VMs).
I'm coming from Linux (various distros), and I had configured my system to be immutable: the root system (with apps, settings, users) was built atomically into a SquashFS (a compressed immutable FS), which would then be mounted on root via an OverlayFS + tmpfs. Writes would go to memory, so changes would be erased on reboot.

I think that immutability is a great feature for security, as it prevents attackers or threats from staying installed on the system. Also, it ensures predictability and determinism between boots: if you mess something up, it won't impact future boots.

Does anyone here have some advice/idea/experience on how to do immutable systems with OpenBSD? I think I need something more complex than read-only mounts: I need to be able to verify that the root hasn't been altered (by hashing it, for example). I also need write access to the FS, even if it doesn't persist between reboots.

https://geodsoft.com/howto/harden/OpenBSD/no_changes.htm

Btw, the read-only option for security was mentioned in this blog, and it seems kind of unsuitable for my purpose (in the blog, the guy had issues with software wanting write access, and other joyful errors).

Something I found that may be part of a solution is `union_mount`. This seems to be like OverlayFS on Linux. The problem is that the feature seems to have disappeared from OpenBSD in release 3.8, even if I couldn't find any mention of it in the changelogs (I may have missed it).

- manpage for 3.7 (exists): https://man.openbsd.org/OpenBSD-3.7/mount_union
- manpage for 3.8 (doesn't): https://man.openbsd.org/OpenBSD-3.8/mount_union
- 3.8 changelogs: https://www.openbsd.org/plus38.html

Yet, even if the feature still exists, I would still be unable to hash or checksum the FS properly (maybe I could hash a digest of all the files? what a hacky way!). It's also not as portable as a SquashFS file.

Lastly, please tell me if my message is too long, or anything else. I'm trying to be concise and explicit, but it's one of my first times mail-list-ing :D

--- Pattled Buquor (absolutely my real name)
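An added example (mine, not from the thread) of the "hash a digest of all the files" idea in the message above: a Python script that records a manifest of a tree (content hash, permission bits, symlink targets) and reports what was added, removed or modified. On OpenBSD, mtree(8) in base does this job natively; the script mostly shows what such a check has to cover. The sample tree it builds is constructed, not a real root.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Fingerprint every entry under root, keyed by relative path: files get
    mode + sha256, symlinks their target (not followed), directories their mode."""
    root, manifest = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):  # never follows symlinks
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            mode = oct(stat.S_IMODE(st.st_mode))  # recorded so a chmod shows up too
            if stat.S_ISLNK(st.st_mode):
                entry = "link:" + os.readlink(p)
            elif stat.S_ISREG(st.st_mode):
                entry = "file:" + mode + ":" + file_digest(p)
            else:
                entry = "dir:" + mode  # directories (special files end up here too)
            manifest[str(p.relative_to(root))] = entry
    return manifest

def verify(expected, actual):
    """Diff a stored manifest against a fresh one: (added, removed, changed) paths."""
    added = sorted(set(actual) - set(expected))
    removed = sorted(set(expected) - set(actual))
    changed = sorted(k for k in expected.keys() & actual.keys() if expected[k] != actual[k])
    return added, removed, changed

def demo():
    """Constructed sample tree: record a baseline, tamper with it, diff it."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir(); (root / "bin").mkdir()
    (root / "etc" / "rc.conf").write_text("sample config\n")
    (root / "bin" / "sh").write_bytes(b"#!/bin/sh\n")
    os.symlink("sh", root / "bin" / "ksh")
    baseline = build_manifest(root)  # in practice stored outside the tree it describes
    (root / "etc" / "rc.conf").write_text("edited\n")  # modified content
    (root / "etc" / "dropped").write_text("x")  # new file
    os.remove(root / "bin" / "ksh")  # removed symlink
    return verify(baseline, build_manifest(root))
```

The baseline only proves anything if it is kept (and checked) somewhere the running root cannot rewrite, e.g. alongside the image on read-only or signed media.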

