Re: What happened with MySQL server on amd64 ?

2015-12-22 Thread Tati Chevron

On Tue, Dec 22, 2015 at 03:33:41PM +0100, Dusan Sukovic wrote:

What happened with MySQL server? Can't find port or install package on
5.8 amd64
As far as I can see it, it was in 5.6 amd64.


Replaced with MariaDB.

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com



Re: python uwsgi port/package

2015-12-22 Thread Christopher Sean Hilton
On Wed, Dec 02, 2015 at 07:22:27PM +0000, Stuart Henderson wrote:
> On 2015-12-02, Christopher Sean Hilton  wrote:
> >
> > Thanks for any information,
>
> I made a start at a port, I was going to use it for something but it
> didn't happen in the end so I left it in openbsd-wip in case anyone
> wants to pick it up. The basics are there (though may need updating)
> and IIRC it did work, it'll want a bit of polish though - rc script,
> probably its own uid/gid, maybe a readme etc.
>

Stuart,

Thank you very much for your port of uwsgi. I got it going on my test
instance without much trouble a couple of weeks ago and I'm putting it
into production. If you are interested, I read the docs on the rc.d
system and came up with this:

#!/bin/sh
#
# rc.d(8) script for uwsgi, built on the common rc.subr(8) helpers

daemon="/usr/local/sbin/uwsgi"

. /etc/rc.d/rc.subr

# pexp is the pattern rc.subr uses to find the running daemon in ps output;
# match the master process by the --master flag it is started with
pexp="${daemon} .*--master"
rc_reload=NO

rc_cmd $1

## --------

I kept with the emperor/vassals theme and created a directory:
/etc/uwsgi/vassals for configs and ran in master/emperor mode. To run
the script you'll want:

 uwsgi_flags="--daemonize --master --emperor /etc/uwsgi/vassals"

in your /etc/rc.conf.local

You'll also probably want to add a user or a few, perhaps one per
uwsgi service instance and create an ini file for each like this.

[uwsgi]
plugins = python
socket = 127.0.0.1:8001
uid = service_user
gid = service_user
chdir = /var/www/htdocs/my_django_site/code
module = my_django_service.wsgi:application

Thanks again for your help. Without it things would have been much
more difficult.

--
Chris

  __o  "All I was trying to do was get home from work."
_`\<,_   -Rosa Parks
___(*)/_(*).___o..___..o...ooO..._
Christopher Sean Hilton[chris/at/vindaloo/dot/com]

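A small audit script for the per-vassal ini files described in the post above, added here as an example and not part of Chris's post or the uwsgi port: it checks that every vassal sets a non-root uid/gid and binds its socket to loopback or a unix socket rather than every interface. The vassal directory and the sample ini files are constructed for the demonstration.

```shell
#!/bin/sh
# Audit uwsgi vassal ini files for two properties the setup above relies on:
# each vassal drops privileges to a dedicated non-root uid/gid, and its
# socket is a unix socket or bound to loopback rather than every interface.
# Added example, not part of the post or the uwsgi port; the vassal directory
# and the sample ini files below are constructed for the demonstration.

# vassal_check FILE: print one finding per line; return 0 if clean, 1 otherwise
vassal_check() {
    awk -v file="$1" '
        # track the current [section]; only keys under [uwsgi] matter here
        /^[ \t]*\[/ {
            section = $0
            gsub(/\[/, "", section); gsub(/\]/, "", section); gsub(/[ \t]/, "", section)
            next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        section == "uwsgi" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[key] = val
        }
        END {
            bad = 0
            if (!("uid" in cfg) || cfg["uid"] == "" || cfg["uid"] == "root" || cfg["uid"] == "0") {
                print file ": uid missing or root"; bad = 1
            }
            if (!("gid" in cfg) || cfg["gid"] == "" || cfg["gid"] == "wheel" || cfg["gid"] == "0") {
                print file ": gid missing or wheel"; bad = 1
            }
            if (!("socket" in cfg)) {
                print file ": no socket key"; bad = 1
            } else {
                s = cfg["socket"]
                if (s ~ /^:[0-9]+$/ || s ~ /^0\.0\.0\.0:/ || s ~ /^\[?::\]?:/) {
                    print file ": socket " s " listens on all interfaces"; bad = 1
                } else if (s !~ /^\// && s !~ /^127\./ && s !~ /^\[?::1\]?:/) {
                    print file ": socket " s " is neither loopback nor a unix socket"; bad = 1
                }
            }
            exit bad
        }' "$1"
}

# vassals_audit DIR: check every *.ini in DIR; return the number of failing files
vassals_audit() {
    fails=0
    for ini in "$1"/*.ini; do
        [ -f "$ini" ] || continue
        vassal_check "$ini" || fails=$((fails + 1))
    done
    return "$fails"
}

# Demonstration on a constructed vassal directory (normally /etc/uwsgi/vassals)
demo=$(mktemp -d)
cat > "$demo/django_site.ini" <<'EOF'
[uwsgi]
plugins = python
socket = 127.0.0.1:8001
uid = service_user
gid = service_user
chdir = /var/www/htdocs/my_django_site/code
module = my_django_service.wsgi:application
EOF
cat > "$demo/other_site.ini" <<'EOF'
[uwsgi]
plugins = python
socket = 0.0.0.0:8002
chdir = /var/www/htdocs/other_site/code
module = other_site.wsgi:application
EOF
if vassals_audit "$demo"; then
    echo "all vassals pass"
else
    echo "$? vassal file(s) need attention"
fi
rm -rf "$demo"
```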



build an openbsd router/modem

2015-12-22 Thread Frank White
I want build a router/modem with openbsd. My is that I don't want
any kind of linux code around. I don't have any problems to build a
router, my problem is to have a modem without any linux firmware.
Anyone know if there are any pure modem to use it ?
Or any chip I can connect on any "itx or what u want" motherboard ?
Thank u
Luigi



Re: BIOS call fallback

2015-12-22 Thread Read, James C
>The OpenBSD process is quite well understood.  Use the best methods,
>doubt what you do, refactor.  Simple in concept, but it takes a lot
>of time.

>Therefore I am looking forward to seeing what you and James can do.

>How long do you think it will take you?  Can we expect to see working
>code in a year... maybe two?

I guess in the absence of a seriously thought out wish list such a project
could be open ended. The more care spent in hardware design choices I guess
the more likely we could avoid the mess that various legacies have caused.

And my name is...

0x00



Re: build an openbsd router/modem

2015-12-22 Thread Tati Chevron

On Tue, Dec 22, 2015 at 07:32:57PM +0000, Frank White wrote:

Hi,
Yes I am sorry, I want build a small embedded system with openbsd to
connect a lan to an adsl line. I want all the devices with openbsd,
included the adsl modem. So the embedded system must have one or more
ethernet nic and a modem.


The easiest way to do this, although not quite what you want, is to
use a normal ADSL router in 'bridge' mode, so that it passes all data
from the ADSL line directly to a single OpenBSD machine without doing
any routing.  That OpenBSD machine can then act as a firewall, router,
packet-logger, or whatever you want.

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com



Re: build an openbsd router/modem

2015-12-22 Thread Shady
> On Dec 22, 2015, at 1:32 PM, Frank White  wrote:
>
> Hi,
> Yes I am sorry, I want build a small embedded system with openbsd to
> connect a lan to an adsl line. I want all the devices with openbsd,
> included the adsl modem. So the embedded system must have one or more
> ethernet nic and a modem.
>
>
>
>
> 2015-12-22 19:08 GMT+00:00 Tati Chevron :
>> On Tue, Dec 22, 2015 at 06:45:04PM +0000, Frank White wrote:
>>>
>>> I want build a router/modem with openbsd. My is that I don't want
>>> any kind of linux code around. I don't have any problems to build a
>>> router, my problem is to have a modem without any linux firmware.
>>> Anyone know if there are any pure modem to use it ?
>>> Or any chip I can connect on any "itx or what u want" motherboard ?
>>
>>
>> Can you be more specific about what you are trying to do?
>>
>> Are you trying to build a small embedded system using OpenBSD, or
>> do you want to configure a normal desktop machine to route data
>> from a, (3g?  DSL?  Cable internet?), source to other machines
>> on the LAN?
>>
>> --
>> Tati Chevron
>> Perl and FORTRAN specialist.
>> SWABSIT development and migration department.
>> http://www.swabsit.com
>
I’m currently using a Soekris net6501 as a router. Works great with
OpenBSD, and comes with 4 ethernet ports.  As far as I’m aware they
don’t have any models that come with a modem, but if you can find a
supported MiniPCI or PCI modem, it should work fine.  Soekris officially
supports OpenBSD and has good documentation on installing it on their
hardware.  I’m not affiliated with Soekris in any way other than being a
satisfied user.



Re: text-mode gui

2015-12-22 Thread Tati Chevron

On Tue, Dec 22, 2015 at 08:35:39PM +, Tati Chevron wrote:

So the average person installing OpenBSD with, 'full disk encryption',
is gaining virtually nothing by doing that, that they couldn't do by
installing the system on an unencrypted partition and using a softraid
volume for their own data storage, and maybe configuration and log files.


OK, this isn't quite true.

Consider, for example, a machine which is physically insecure for some
period of time, (E.G. laptop left in a hotel room).  If you later gain
control of it again, and you suspect that the bootloader had been
compromised, as long as you make sure that you boot from a known clean
boot device before unlocking the crypto volume holding the root FS, then
you can be fairly confident that the contents of that filesystem hadn't
been modified, (well, they may have been modified by scribbling random
data over the partition, but not modified in any meaningful way).

But I still maintain that putting an option in the installer to create
softraid crypto volumes automatically just dumbs down OpenBSD
unnecessarily, and encourages people to be lazy instead of learning how
to use the system to its full potential.

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com



Re: text-mode gui

2015-12-22 Thread Theo de Raadt
> But I still maintain that putting an option in the installer to create
> softraid crypto volumes automatically just dumbs down OpenBSD
> unnecessarily, and encourages people to be lazy instead of learning how
> to use the system to its full potential.

It's great that you have an opinion.

Unfortunately it is the wrong opinion.

And even if you have that opinion it has no impact at all, because
we will ignore it.

So you can stop writing it over and over.  It is being ignored,
at every step along the way!

And that isn't going to change.



Re: BIOS call fallback

2015-12-22 Thread Theo de Raadt
> >The OpenBSD process is quite well understood.  Use the best methods,
> >doubt what you do, refactor.  Simple in concept, but it takes a lot
> >of time.
> 
> >Therefore I am looking forward to seeing what you and James can do.
> 
> >How long do you think it will take you?  Can we expect to see working
> >code in a year... maybe two?
> 
> I guess in the absence of a seriously thought out wish list such a project
> could be open ended. The more care spent in hardware design choices I guess
> the more likely we could avoid the mess that various legacies have caused.

Wow, another email from you without a diff!  You are wasting valuable
time writing code to demonstrate you know better than we.



Re: build an openbsd router/modem

2015-12-22 Thread Frank White
ok, well the only way to not use any linux based bridged adsl modem is
try to find a pci modem supported by openbsd ?
I connect the pci modem to the soekris device and that's all ?
so the problem is find a supported pci modem..



2015-12-22 19:55 GMT+00:00 Shady :
>
>> On Dec 22, 2015, at 1:32 PM, Frank White  wrote:
>>
>> Hi,
>> Yes I am sorry, I want build a small embedded system with openbsd to
>> connect a lan to an adsl line. I want all the devices with openbsd,
>> included the adsl modem. So the embedded system must have one or more
>> ethernet nic and a modem.
>>
>>
>>
>>
>> 2015-12-22 19:08 GMT+00:00 Tati Chevron :
>>> On Tue, Dec 22, 2015 at 06:45:04PM +0000, Frank White wrote:

>>>> I want build a router/modem with openbsd. My is that I don't want
>>>> any kind of linux code around. I don't have any problems to build a
>>>> router, my problem is to have a modem without any linux firmware.
>>>> Anyone know if there are any pure modem to use it ?
>>>> Or any chip I can connect on any "itx or what u want" motherboard ?
>>>
>>>
>>> Can you be more specific about what you are trying to do?
>>>
>>> Are you trying to build a small embedded system using OpenBSD, or
>>> do you want to configure a normal desktop machine to route data
>>> from a, (3g?  DSL?  Cable internet?), source to other machines
>>> on the LAN?
>>>
>>> --
>>> Tati Chevron
>>> Perl and FORTRAN specialist.
>>> SWABSIT development and migration department.
>>> http://www.swabsit.com
>>
> I’m currently using a Soekris net6501 as a router. Works great with
> OpenBSD, and comes with 4 ethernet ports.  As far as I’m aware they
> don’t have any models that come with a modem, but if you can find a
> supported MiniPCI or PCI modem, it should work fine.  Soekris officially
> supports OpenBSD and has good documentation on installing it on their
> hardware.  I’m not affiliated with Soekris in any way other than being a
> satisfied user.



Re: build an openbsd router/modem

2015-12-22 Thread Joost Runsink
Some modem (Draytek comes to mind) allow you to set the modem in bridge
mode. At that point it is an ATM to ethernet converter. Have a look at
Soekris and Alixboard, used a lot for this exact task.

On Tue, Dec 22, 2015 at 07:32:57PM +0000, Frank White wrote:
> Hi,
> Yes I am sorry, I want build a small embedded system with openbsd to
> connect a lan to an adsl line. I want all the devices with openbsd,
> included the adsl modem. So the embedded system must have one or more
> ethernet nic and a modem.
> 
> 
> 
> 
> 2015-12-22 19:08 GMT+00:00 Tati Chevron :
> > On Tue, Dec 22, 2015 at 06:45:04PM +0000, Frank White wrote:
> >>
> >> I want build a router/modem with openbsd. My is that I don't want
> >> any kind of linux code around. I don't have any problems to build a
> >> router, my problem is to have a modem without any linux firmware.
> >> Anyone know if there are any pure modem to use it ?
> >> Or any chip I can connect on any "itx or what u want" motherboard ?
> >
> >
> > Can you be more specific about what you are trying to do?
> >
> > Are you trying to build a small embedded system using OpenBSD, or
> > do you want to configure a normal desktop machine to route data
> > from a, (3g?  DSL?  Cable internet?), source to other machines
> > on the LAN?
> >
> > --
> > Tati Chevron
> > Perl and FORTRAN specialist.
> > SWABSIT development and migration department.
> > http://www.swabsit.com



Re: build an openbsd router/modem

2015-12-22 Thread Frank White
oh thank u very much, I think it's exactly what I am looking for.


2015-12-22 20:05 GMT+00:00 Joost Runsink :
> Some modem (Draytek comes to mind) allow you to set the modem in bridge
> mode. At that point it is an ATM to ethernet converter. Have a look at
> Soekris and Alixboard, used a lot for this exact task.
>
>> On Tue, Dec 22, 2015 at 07:32:57PM +0000, Frank White wrote:
>> Hi,
>> Yes I am sorry, I want build a small embedded system with openbsd to
>> connect a lan to an adsl line. I want all the devices with openbsd,
>> included the adsl modem. So the embedded system must have one or more
>> ethernet nic and a modem.
>>
>>
>>
>>
>> 2015-12-22 19:08 GMT+00:00 Tati Chevron :
>> > On Tue, Dec 22, 2015 at 06:45:04PM +0000, Frank White wrote:
>> >>
>> >> I want build a router/modem with openbsd. My is that I don't want
>> >> any kind of linux code around. I don't have any problems to build a
>> >> router, my problem is to have a modem without any linux firmware.
>> >> Anyone know if there are any pure modem to use it ?
>> >> Or any chip I can connect on any "itx or what u want" motherboard ?
>> >
>> >
>> > Can you be more specific about what you are trying to do?
>> >
>> > Are you trying to build a small embedded system using OpenBSD, or
>> > do you want to configure a normal desktop machine to route data
>> > from a, (3g?  DSL?  Cable internet?), source to other machines
>> > on the LAN?
>> >
>> > --
>> > Tati Chevron
>> > Perl and FORTRAN specialist.
>> > SWABSIT development and migration department.
>> > http://www.swabsit.com



Re: text-mode gui

2015-12-22 Thread Ted Unangst
Tati Chevron wrote:
> I have never understood exactly why people have so much difficulty installing
> a recent OpenBSD system on an encrypted partition.
> 
> Assuming amd64 or i386:
> 
> Basically, you boot bsd.rd as normal, and drop to a shell.

Which nobody does for an otherwise normal install.

And then...

> If the disk you want to use previously had unencrypted data on it that you
> want to erase, you can blank the disk with dd if=/dev/zero 
> of=/dev/your_device.

> Then invoke 
> 
> Then invoke 
> 
> Then invoke 
> 
> Make a device node 
> 
> Blank the first part 
> 
> Repeat the fdisk step 

If you have done this once, it's possible to do it again. But let's be honest.
This is not obvious. At all. It requires not just knowing which commands to
run, but also extensive knowledge about how disks and softraid work behind the
scenes.



Re: build an openbsd router/modem

2015-12-22 Thread Tati Chevron

On Tue, Dec 22, 2015 at 06:45:04PM +0000, Frank White wrote:

I want build a router/modem with openbsd. My is that I don't want
any kind of linux code around. I don't have any problems to build a
router, my problem is to have a modem without any linux firmware.
Anyone know if there are any pure modem to use it ?
Or any chip I can connect on any "itx or what u want" motherboard ?


Can you be more specific about what you are trying to do?

Are you trying to build a small embedded system using OpenBSD, or
do you want to configure a normal desktop machine to route data
from a, (3g?  DSL?  Cable internet?), source to other machines
on the LAN?

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com



Re: text-mode gui

2015-12-22 Thread Tati Chevron

On Tue, Dec 22, 2015 at 10:20:16PM +0200, li...@wrant.com wrote:

Tue, 22 Dec 2015 13:36:38 -0500 "Ted Unangst" 

Tati Chevron wrote:
> I have never understood exactly why people have so much difficulty installing
> a recent OpenBSD system on an encrypted partition.
>
> Basically, you boot bsd.rd as normal, and drop to a shell.

Which nobody does for an otherwise normal install.


If you mess the options, you can break out with Ctrl-C and exit with
Ctrl-D to restart the process.  It is still considered a drop to a
shell, albeit a short and not very productive one.

For an otherwise "normal" install, the entire discussion is not really
needed.


Installing on a softraid crypto volume is NEVER going to be a, 'normal'
install.  Just about any sensible usage of it requires you to sit down
and plan out a partitioning scheme anyway, by which point you might as
well do it all at the command line manually, rather than using the
installer.

Think about it: on a system with one physical disk, (many desktops, and
most laptops), a lot of people lazily make one huge softraid crypto
partition spanning the whole disk, and then proceed to partition that
volume in the same way they would do if they were doing a, 'normal',
installation on a non-encrypted disk.

Why?

Because you want to test the softraid crypto code and the performance
of your hardware to the maximum?  Great!  That's one genuine use case.

If, on the other hand, you think that having the system files encrypted
makes modification of them difficult, think again - the bootloader
is unencrypted and could be trojaned easily by anyone with physical
access or who has gained root access over the LAN.

So the average person installing OpenBSD with, 'full disk encryption',
is gaining virtually nothing by doing that, that they couldn't do by
installing the system on an unencrypted partition and using a softraid
volume for their own data storage, and maybe configuration and log files.

Putting a simple option in the installer to build a single softraid
crypto volume spanning the whole disk would just discourage people from
learning how to use it correctly.

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com
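The point made in this post and in the earlier one in this thread (the bootloader sits outside the crypto volume, so a clean boot device is needed before unlocking) can be turned into a concrete check: a digest manifest of the unencrypted boot chain, recorded when the machine is known good and verified from the clean boot media before the volume is unlocked. The script below is an added example, not code from the thread; the set of objects to hash, the raw device name and the manifest location are assumptions, and the demonstration runs on constructed files standing in for the disk and /boot.

```shell
#!/bin/sh
# Record, then verify, sha256 digests of the pieces of an OpenBSD install that
# a softraid crypto root volume cannot protect: the MBR (first sector of the
# raw disk) and the boot(8) loader.  Meant to be run from a known-clean boot
# device before the crypto volume is unlocked.  Added example, not from the
# thread; object list, device and manifest paths below are assumptions.

# sha256_stdin: hex digest of stdin; OpenBSD ships sha256(1), others sha256sum(1)
sha256_stdin() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 | awk '{ print $NF }'
    else
        sha256sum | awk '{ print $1 }'
    fi
}

# object_digest OBJECT: OBJECT is either a file path, or PATH:SKIP:COUNT to
# hash COUNT 512-byte sectors starting at sector SKIP of a raw device
object_digest() {
    case "$1" in
        *:*:*)
            path=${1%%:*}; rest=${1#*:}
            dd if="$path" bs=512 skip="${rest%%:*}" count="${rest#*:}" 2>/dev/null | sha256_stdin
            ;;
        *)
            sha256_stdin < "$1"
            ;;
    esac
}

# manifest_record MANIFEST OBJECT...: write "object digest" lines (trusted state)
manifest_record() {
    out=$1; shift
    : > "$out"
    for obj in "$@"; do
        printf '%s %s\n' "$obj" "$(object_digest "$obj")" >> "$out"
    done
}

# manifest_verify MANIFEST: re-hash every object; the return value is the
# number of objects whose digest changed, so 0 means the chain is as recorded
manifest_verify() {
    changed=0
    while read -r obj expected; do
        if [ "$(object_digest "$obj")" = "$expected" ]; then
            echo "ok       $obj"
        else
            echo "CHANGED  $obj"
            changed=$((changed + 1))
        fi
    done < "$1"
    return "$changed"
}

# Demonstration on constructed files standing in for the raw disk and /boot.
# On a real system this would look like (device and manifest path assumed):
#   manifest_record /mnt/cleanmedia/bootchain.sha256 /dev/rsd0c:0:1 /boot
demo=$(mktemp -d)
printf 'constructed mbr code' > "$demo/disk"
dd if=/dev/zero bs=512 count=3 >> "$demo/disk" 2>/dev/null
printf 'constructed boot loader' > "$demo/boot"

manifest_record "$demo/manifest" "$demo/disk:0:1" "$demo/boot"
manifest_verify "$demo/manifest"                 # both objects report ok

# tamper with one byte inside the MBR sector and check again
printf 'X' | dd of="$demo/disk" bs=1 seek=3 conv=notrunc 2>/dev/null
if manifest_verify "$demo/manifest"; then
    echo "boot chain unchanged"
else
    echo "$? object(s) changed since the manifest was recorded"
fi
rm -rf "$demo"
```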



Re: Progress on adding support for Perle Speed8 LE

2015-12-22 Thread Jordon
> On Dec 22, 2015, at 6:20 PM, Stuart Henderson  wrote:
>
> On 2015-12-22, Jordon  wrote:
>> I have actually made some progress on this serial port card!  I looked at how
>> FreeBSD has it configured, tried to map the values to the OpenBSD struct, and
>> actually got something working!
>>
>>
>>
>> I added the following to pcidevs:
>>
>> vendor  PERLE   0x155f  Perle
>> vendor  COMTROL 0x11fe  Comtrol
>>
>> product PERLE   R35583  0xb008  Speed8 LE
>> product COMTROL 5002265 0x0805  RocketPort uPCI Octa
>>
>>
>>
>> I added the following to pucdata.c:
>>
>>{
>>{   PCI_VENDOR_PERLE, PCI_PRODUCT_PERLE_R35583, 0, 0 },
>>{   0xffff, 0xffff, 0, 0 },
>>{
>>{ PUC_COM_POW2(0), 0x10, 0x0000 },
>>{ PUC_COM_POW2(0), 0x10, 0x0008 },
>>{ PUC_COM_POW2(1), 0x10, 0x0010 },
>>{ PUC_COM_POW2(1), 0x10, 0x0018 },
>>{ PUC_COM_POW2(2), 0x10, 0x0020 },
>>{ PUC_COM_POW2(2), 0x10, 0x0028 },
>>{ PUC_COM_POW2(3), 0x10, 0x0030 },
>>{ PUC_COM_POW2(3), 0x10, 0x0038 },
>>},
>>},
>>
>> And much to my surprise, it shows up (with some issues) and when i connect 2
>> of the ports with a null modem adapter, i can cu from one to another!
>> (For now, I’m not too concerned about the RocketPort card)
>>
>>
>>
>> The dmesg looks like this:
>>
>> puc0 at pci0 dev 9 function 0 "Perle Speed8 LE" rev 0x00: ports: 8 com
>> com4 at puc0 port 0 apic 2 int 18: st16650, 32 byte fifo
>> com4: probed fifo depth: 16 bytes
>> com5 at puc0 port 1 apic 2 int 18: st16650, 32 byte fifo
>> com5: probed fifo depth: 16 bytes
>> com6 at puc0 port 2 apic 2 int 18: st16650, 32 byte fifo
>> com6: probed fifo depth: 16 bytes
>> com7 at puc0 port 3 apic 2 int 18: st16650, 32 byte fifo
>> com7: probed fifo depth: 16 bytes
>> puc0: couldn't get subregion for port 4
>> puc0: couldn't get subregion for port 5
>> puc0: couldn't get subregion for port 6
>> puc0: couldn't get subregion for port 7
>> puc1 at pci0 dev 9 function 1 "Perle Speed8 LE" rev 0x00: ports: 8 com
>> com8 at puc1 port 0 apic 2 int 18: st16650, 32 byte fifo
>> com9 at puc1 port 1 apic 2 int 18: st16650, 32 byte fifo
>> com10 at puc1 port 2 apic 2 int 18: st16650, 32 byte fifo
>> com11 at puc1 port 3 apic 2 int 18: st16650, 32 byte fifo
>> puc1: couldn't get subregion for port 4
>> puc1: couldn't get subregion for port 5
>> puc1: couldn't get subregion for port 6
>> puc1: couldn't get subregion for port 7
>> "Comtrol RocketPort uPCI Octa" rev 0x01 at pci0 dev 10 function 0 not
>> configured
>
> Assuming you have one card not two connected, it looks like you should
> set the device as 4 ports not 8.

Wow.  I understood that it was 2 chips with 4 ports each, but I still set it
up as an 8 port device anyway!
After removing the bottom 4 devices and rebuilding/rebooting, it did this:

puc0 at pci0 dev 9 function 0 "Perle Speed8 LE" rev 0x00: ports: 4 com
com4 at puc0 port 0 apic 2 int 18: st16650, 32 byte fifo
com4: probed fifo depth: 16 bytes
com5 at puc0 port 1 apic 2 int 18: st16650, 32 byte fifo
com5: probed fifo depth: 16 bytes
com6 at puc0 port 2 apic 2 int 18: st16650, 32 byte fifo
com6: probed fifo depth: 16 bytes
com7 at puc0 port 3 apic 2 int 18: st16650, 32 byte fifo
com7: probed fifo depth: 16 bytes
puc1 at pci0 dev 9 function 1 "Perle Speed8 LE" rev 0x00: ports: 4 com
com8 at puc1 port 0 apic 2 int 18: st16650, 32 byte fifo
com9 at puc1 port 1 apic 2 int 18: st16650, 32 byte fifo
com10 at puc1 port 2 apic 2 int 18: st16650, 32 byte fifo
com11 at puc1 port 3 apic 2 int 18: st16650, 32 byte fifo

Much better!

>
>>
>> Now some questions:
>>
>> I first listed all 8 ports with PUC_COM_POW2(3) because I think I saw a
>> similar device (a Boca card or something) using it.  It worked fine (one of
>> the ports was connected to a different machine and cu could pass text).  I then
>> changed the numbers passed in (to 0, 1, 2, 3) just to see if anything changed,
>> and the first and second ports can still talk to each other.  What exactly
>> does that value do?
>
> Sets the clock multiplier - even if this is set wrongly a null-modem
> between ports on the card will still work so be sure to test all the
> ports to a different machine and make sure the speeds are right;
> sometimes not all ports have the same multiplier.

I will do some experimenting with the multiplier.  I’ll probably just take
this system with me when I go home for Christmas.

>> Why do the first four ports probe to 16 bytes but not the next four?
>
> unsure.

This is still strange.

>
>> This is my first real attempt at development of this type so I am pretty happy
>> about this.  I would love for 5.9 to have support for this card.
>
> It probably only needs a few 

RackTables

2015-12-22 Thread Predrag Punosevac
Hi Misc,

I am trying to deploy www/racktables with httpd (from the base). I am
following 5.8 stable

# uname -a
OpenBSD oko.bagdala2.net 5.8 GENERIC.MP#2 amd64

httpd tested with static files OK
httpd tested with PHP 5.6.11 php_fpm OK PmWiki works like a charm
mysqld configured for chroot and tested OK
racktables_db created and racktables_user granted privileges.

Installation script http://localhost/install.php works as a charm until
very last step when I get

Pdo exception: PDOException

SQLSTATE[HY000]: General error: 1419 You do not have the SUPER privilege
and binary logging is enabled (you *might* want to use the less safe
log_bin_trust_function_creators variable) (HY000)
at file /racktables/wwwroot/inc/dictionary.php, line 43

/racktables/wwwroot/inc/dictionary.php:43 query('CREATE TRIGGER
`trigger_test` BEFORE INSERT ON `innodb_test` FOR EACH ROW BEGIN END')
/racktables/wwwroot/inc/install.php:359 isInnoDBSupported()
/racktables/wwwroot/inc/install.php:66 init_database_static()
/racktables/wwwroot/index.php:284 renderInstallerHTML()
/htdocs/racktables/index.php:1 require('/racktables/wwwroot/index.php')

Error info:

Array
(
[0] => HY000
[1] => 1419
[2] => You do not have the SUPER privilege and binary logging is
enabled (you *might* want to use the less safe
log_bin_trust_function_creators variable)
)


That looks very much like 

https://bugs.racktables.org/view.php?id=1233

Can anybody who is running racktables on OpenBSD give me a hint what am
I doing wrong?

Best,
Predrag



Re: build an openbsd router/modem

2015-12-22 Thread Stuart Henderson
On 2015-12-22, Joost Runsink  wrote:
> Some modem (Draytek comes to mind) allow you to set the modem in bridge
> mode. At that point it is an ATM to ethernet converter. Have a look at
> Soekris and Alixboard, used a lot for this exact task.

You can avoid Linux with this approach and careful selection, but then
you're probably running VxWorks instead. But at least this way your other
OS is little more than a media converter, only the OpenBSD box needs to
deal with externally sourced IP traffic.

Most ADSL "modems" can bridge ADSL to Ethernet which is fine for PPPoE
ISPs or those doing IP directly (fairly rare) but they won't usually
work with PPPoA-only ISPs, exception being the couple of Draytek
models that 'translate' PPPoA to PPPoE, and some old speedtouch boxes
do the same to PPTP. But for most ISPs that's not needed and a normal
bridge is enough.

> On Tue, Dec 22, 2015 at 07:32:57PM +0000, Frank White wrote:
>> Hi,
>> Yes I am sorry, I want build a small embedded system with openbsd to
>> connect a lan to an adsl line. I want all the devices with openbsd,
>> included the adsl modem. So the embedded system must have one or more
>> ethernet nic and a modem.

Doing this strictly OpenBSD-only is going to be a _lot_ of work unless
you find a ueagle(4) device from a museum and run an ancient OpenBSD
release from before the driver and subsystem was removed.



Re: Boot loader uses INT 13h [WAS BIOS call fallback]

2015-12-22 Thread Dragos Ruiu
Ok let me short circuit this meta discussion by saying that AFAIK now that
the new Intel Skylake chips fixed many virtualization bugs and it's possible
to efficiently nest VMs there might not be a way to discover if you are
running on bare metal. I too would find it useful to be able to lock a
kernel so it only runs on bare metal not a VM, but according to folks who
know more about this than I do it is now very hard to do this given you can
run VT inside VT, and very efficiently on Xeons.

I would be interested in any code that can knowingly break inside a VM to
verify unvirtualized status, esp. on Skylake. Older processors can probably
use the virtualization bugs in the hardware for this function.

Cheers,
--dr

P.s. Also interested in code that can detect emulated UEFI.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Read, James C
Sent: December 22, 2015 9:51 AM
To: Theo de Raadt 
Cc: OpenBSD general usage list 
Subject: Re: Boot loader uses INT 13h [WAS BIOS call fallback]

>> a security consideration, as far as I can see the bootloader loads using INT
>> 13h calls. How can the kernel be sure it is really operating in ring 0 and not
>> in some VM given that this is the case?

>Hey, it looks like you are just trying to be a dick.

On the assumption that you are not suggesting I would like to change my name
to Richard I can only reply that I have never tried to stick my head into a
warm and wet but very smelly hole for pleasure and/or to attempt to
reproduce with it.

>Does your mother know?

Given that she is deceased I find that highly unlikely.

However, insults reminiscent of primary school days aside, you may or may
not be surprised to find that actually that was a genuine question.



Re: Progress on adding support for Perle Speed8 LE

2015-12-22 Thread Stuart Henderson
On 2015-12-22, Jordon  wrote:
> I have actually made some progress on this serial port card!  I looked at how
> FreeBSD has it configured, tried to map the values to the OpenBSD struct, and
> actually got something working!
>
>
>
> I added the following to pcidevs:
>
> vendor  PERLE   0x155f  Perle
> vendor  COMTROL 0x11fe  Comtrol
>
> product PERLE   R35583  0xb008  Speed8 LE
> product COMTROL 5002265 0x0805  RocketPort uPCI Octa
>
>
>
> I added the following to pucdata.c:
>
> {
> {   PCI_VENDOR_PERLE, PCI_PRODUCT_PERLE_R35583, 0, 0 },
> {   0xffff, 0xffff, 0, 0 },
> {
> { PUC_COM_POW2(0), 0x10, 0x0000 },
> { PUC_COM_POW2(0), 0x10, 0x0008 },
> { PUC_COM_POW2(1), 0x10, 0x0010 },
> { PUC_COM_POW2(1), 0x10, 0x0018 },
> { PUC_COM_POW2(2), 0x10, 0x0020 },
> { PUC_COM_POW2(2), 0x10, 0x0028 },
> { PUC_COM_POW2(3), 0x10, 0x0030 },
> { PUC_COM_POW2(3), 0x10, 0x0038 },
> },
> },
>
> And much to my surprise, it shows up (with some issues) and when i connect 2
> of the ports with a null modem adapter, i can cu from one to another!
> (For now, I’m not too concerned about the RocketPort card)
>
>
>
> The dmesg looks like this:
>
> puc0 at pci0 dev 9 function 0 "Perle Speed8 LE" rev 0x00: ports: 8 com
> com4 at puc0 port 0 apic 2 int 18: st16650, 32 byte fifo
> com4: probed fifo depth: 16 bytes
> com5 at puc0 port 1 apic 2 int 18: st16650, 32 byte fifo
> com5: probed fifo depth: 16 bytes
> com6 at puc0 port 2 apic 2 int 18: st16650, 32 byte fifo
> com6: probed fifo depth: 16 bytes
> com7 at puc0 port 3 apic 2 int 18: st16650, 32 byte fifo
> com7: probed fifo depth: 16 bytes
> puc0: couldn't get subregion for port 4
> puc0: couldn't get subregion for port 5
> puc0: couldn't get subregion for port 6
> puc0: couldn't get subregion for port 7
> puc1 at pci0 dev 9 function 1 "Perle Speed8 LE" rev 0x00: ports: 8 com
> com8 at puc1 port 0 apic 2 int 18: st16650, 32 byte fifo
> com9 at puc1 port 1 apic 2 int 18: st16650, 32 byte fifo
> com10 at puc1 port 2 apic 2 int 18: st16650, 32 byte fifo
> com11 at puc1 port 3 apic 2 int 18: st16650, 32 byte fifo
> puc1: couldn't get subregion for port 4
> puc1: couldn't get subregion for port 5
> puc1: couldn't get subregion for port 6
> puc1: couldn't get subregion for port 7
> "Comtrol RocketPort uPCI Octa" rev 0x01 at pci0 dev 10 function 0 not
> configured

Assuming you have one card not two connected, it looks like you should
set the device as 4 ports not 8.

>
> Now some questions:
>
> I first listed all 8 ports with PUC_COM_POW2(3) because I think I saw a
> similar device (a Boca card or something) using it.  it worked fine (one of
> the ports was connected to a different machine and cu could pass text).  I then
> changed the numbers passed in (to 0, 1, 2, 3) just to see if anything changed,
> and the first and second ports can still talk to each other.  What exactly
> does that value do?

Sets the clock multiplier - even if this is set wrongly a null-modem
between ports on the card will still work so be sure to test all the
ports to a different machine and make sure the speeds are right;
sometimes not all ports have the same multiplier.

> Why do the first four ports probe to 16 bytes but not the next four?

unsure.

> What is up with the “couldn’t get subregion” message?  I did a search
> and couldn’t find anything about that string on the Internet.

Presumably because it's 2x 4-port so the 'extra' 4 ports aren't really there.

> This is my first real attempt at development of this type so I am pretty happy
> about this.  I would love for 5.9 to have support for this card.

It probably only needs a few tweaks so there might well be time for this.



Re: Boot loader uses INT 13h [WAS BIOS call fallback]

2015-12-22 Thread Read, James C
>> a security consideration, as far as I can see the bootloader loads using INT
>> 13h calls. How can the kernel be sure it is really operating in ring 0 and not
>> in some VM given that this is the case?

>Hey, it looks like you are just trying to be a dick.

On the assumption that you are not suggesting I would like to change my name
to Richard I can only reply that I have never tried to stick my head into a
warm and wet but very smelly hole for pleasure and/or to attempt to reproduce
with it.

>Does your mother know?

Given that she is deceased I find that highly unlikely.

However, insults reminiscent of primary school days aside, you may or may not
be surprised to find that actually that was a genuine question.



Re: build an openbsd router/modem

2015-12-22 Thread Frank White
Hi,
Yes I am sorry, I want build a small embedded system with openbsd to
connect a lan to an adsl line. I want all the devices with openbsd,
included the adsl modem. So the embedded system must have one or more
ethernet nic and a modem.




2015-12-22 19:08 GMT+00:00 Tati Chevron :
> On Tue, Dec 22, 2015 at 06:45:04PM +, Frank White wrote:
>>
>> I want to build a router/modem with openbsd. My is that I don't want
>> any kind of linux code around. I don't have any problems to build a
>> router, my problem is to have a modem without any linux firmware.
>> Anyone know if there are any pure modem to use it ?
>> Or any chip I can connect on any "itx or what u want" motherboard ?
>
>
> Can you be more specific about what you are trying to do?
>
> Are you trying to build a small embedded system using OpenBSD, or
> do you want to configure a normal desktop machine to route data
> from a, (3g?  DSL?  Cable internet?), source to other machines
> on the LAN?
>
> --
> Tati Chevron
> Perl and FORTRAN specialist.
> SWABSIT development and migration department.
> http://www.swabsit.com



Re: Boot loader uses INT 13h [WAS BIOS call fallback]

2015-12-22 Thread Theo de Raadt
> >> a security consideration, as far as I can see the bootloader loads using
> >> INT 13h calls. How can the kernel be sure it is really operating in ring 0
> >> and not in some VM given that this is the case?
> 
> >Hey, it looks like you are just trying to be a dick.
> 
> On the assumption that you are not suggesting I would like to change my name
> to Richard I can only reply that I have never tried to stick my head into a
> warm and wet but very smelly hole for pleasure and/or to attempt to reproduce
> with it.
> 
> >Does your mother know?
> 
> Given that she is deceased I find that highly unlikely.
> 
> However, insults reminiscent of primary school days aside, you may or may not
> be surprised to find that actually that was a genuine question.

Wow, yet another email with code in it!  I read that you are a PhD
student.  Don't they teach you how to write code?

To achieve merit, you must do the homework you assigned yourself.



Re: text-mode gui

2015-12-22 Thread Tati Chevron

On Tue, Dec 22, 2015 at 01:36:38PM -0500, Ted Unangst wrote:

> Tati Chevron wrote:
> 
> > I have never understood exactly why people have so much difficulty installing
> > a recent OpenBSD system on an encrypted partition.
> >
> > Assuming amd64 or i386:
> >
> > Basically, you boot bsd.rd as normal, and drop to a shell.
> 
> Which nobody does for an otherwise normal install.

Your point being?  Am I giving instructions for a 'normal install'?

I use the shell option during install all the time.  If you don't like it, don't
use it, but to imply that it's some kind of strange corner case is completely
wrong.

> And then...
> 
> > If the disk you want to use previously had unencrypted data on it that you
> > want to erase, you can blank the disk with dd if=/dev/zero of=/dev/your_device.
> 
> > Then invoke
> 
> > Then invoke
> 
> > Then invoke
> 
> > Make a device node
> 
> > Blank the first part
> 
> > Repeat the fdisk step
> 
> If you have done this once, it's possible to do it again. But let's be honest.
> This is not obvious. At all. It requires not just knowing which commands to
> run, but also extensive knowledge about how disks and softraid work behind the
> scenes.


Rubbish.  If you have no UNIX knowledge at all, it's not obvious.

If you have used any PC based OS before, you will know about fdisk.  If you have
used any BSD-like UNIX system before, you will know about disklabel.  If you
have basic UNIX knowledge, you will know about device nodes.  No advanced level
knowledge whatsoever involved in this.

Every step apart from the use of bioctl is either completely obvious or can be
learned with five minutes of reading manpages.

If you haven't ever used UNIX before, or have difficulty reading a manpage, then
gaining a basic knowledge of the system should be a priority before worrying
about softraid, anyway.

Maybe it's not obvious for you, but it didn't take me long to work it out the
first time I wanted to install on a softraid volume.

Besides, I included steps that were not even necessary.  You don't need to
blank the disk first, nor repeat the manual fdisk step on the softraid device.
So, at a minimum you can just:

1. Drop to a shell
2. Fdisk
3. Disklabel
4. Bioctl
5. Return to installer

...and everything should work.  Fdisk within the installer will complain about
the corrupt partition table, but really you're being unrealistic by suggesting
that the whole process of setting up a softraid volume during install is at
beyond someone with a basic knowledge of computers and a degree of patience.

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com



Re: APU-2: Changing Installer Image

2015-12-22 Thread Chris Cappuccio
Kapfhammer, Stefan [sk...@skapf.de] wrote:
> Hello,
> 
> I want to install OpenBSD 5.8 on an APU-2 board with a mSATA SSD installed.
> 
> I have to redirect the output to serial console with a change in 
> /etc/boot.conf (2 lines)
> 
> How do I write the change to a USB-Stick, so that the installer boots from 
> the APU? Or is there a better way to install the APU?
> 

You'll have to edit /etc/boot.conf on the USB stick:

stty com0 115200
set tty com0



Re: text-mode gui

2015-12-22 Thread Tati Chevron

On Tue, Dec 22, 2015 at 02:00:26PM -0700, Theo de Raadt wrote:

> > But I still maintain that putting an option in the installer to create
> > softraid crypto volumes automatically just dumbs down OpenBSD
> > unnecessarily, and encourages people to be lazy instead of learning how
> > to use the system to its full potential.
> 
> It's great that you have an opinion.
> 
> Unfortunately it is the wrong opinion.


That's just your opinion.

The OpenBSD defaults are VERY wrong for my needs.  But I've fixed that for
myself.  I don't come whining on -misc asking for my hand to be held every
time something breaks.

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com



Re: text-mode gui

2015-12-22 Thread Theo de Raadt
> On Tue, Dec 22, 2015 at 02:00:26PM -0700, Theo de Raadt wrote:
> >> But I still maintain that putting an option in the installer to create
> >> softraid crypto volumes automatically just dumbs down OpenBSD
> >> unnecessarily, and encourages people to be lazy instead of learning how
> >> to use the system to its full potential.
> >
> >It's great that you have an opinion.
> >
> >Unfortunately it is the wrong opinion.
> 
> That's just your opinion.
> 
> The OpenBSD defaults are VERY wrong for my needs.  But I've fixed that for
> myself.  I don't come whining on -misc asking for my hand to be held every
> time something breaks.

It isn't just my opinion!  It is our shared effort.  It is how it works,
after concerted WORK by people.

It didn't get written by whiny pricks on the mailing list.

No one cares if it is wrong for your needs.  NO ONE!  Run something else!
We don't care!

If you want to hand-configure everything from the shell, you CAN,
so please stop your whining!

> I don't come whining on -misc asking for my hand to be held every
> time something breaks.

That's a load of bull.  You are doing nothing here except frothing at
the mouth about how it fails to serve your purposes and we should
change it.

You play absolutely no part in the decisions that got OpenBSD to where
it is.

Your opinions count for zero.



Re: text-mode gui

2015-12-22 Thread Mike Larkin
On Tue, Dec 22, 2015 at 09:57:46PM +, Tati Chevron wrote:
> On Tue, Dec 22, 2015 at 02:00:26PM -0700, Theo de Raadt wrote:
> >>But I still maintain that putting an option in the installer to create
> >>softraid crypto volumes automatically just dumbs down OpenBSD
> >>unnecessarily, and encourages people to be lazy instead of learning how
> >>to use the system to its full potential.
> >
> >It's great that you have an opinion.
> >
> >Unfortunately it is the wrong opinion.
> 
> That's just your opinion.
> 
> The OpenBSD defaults are VERY wrong for my needs.  But I've fixed that for
> myself.  I don't come whining on -misc asking for my hand to be held every
> time something breaks.
> 
> -- 
> Tati Chevron
> Perl and FORTRAN specialist.
> SWABSIT development and migration department.
> http://www.swabsit.com
>

And yet you whine when people offer suggestions to make improvements (eg,
the recent multitouch discussion).



How be possible program and use software and hardware that no include non-free firmware can contain backdoors, blobs and all other evils that are include in software and hardware that no are really no

2015-12-22 Thread françai s
I deleted my OpenBSD Nabble account to do more research and to know what I am
doing, so as not to make people mad.

Please excuse me, because I have posted on OpenBSD lists and other lists
things that made people mad.

I ask this because I will probably be a good, famous programmer in the future
and I do not want to talk about the topics that I should not have posted here
on the openbsd mailing lists.

I decided to prevent substantial harm to important relationships that I will
probably have in the future with other developers.

I want to talk about the following outflow:

If OpenBSD is the only operating system that is really all free, and if the
end of OpenBSD happens, how would it be possible to program and use software
and hardware that is really all free?

How would it be possible to program and use software and hardware with
quality code?

How would it be possible to program and use software and hardware that does
not include non-free firmware, which can contain backdoors, blobs and all the
other evils that are included in software and hardware that is not really
non-free?

How would it be possible to prevent the use of BLOBs?

You have no clue what's in them and what they do, because you can't see
the code for them!

So, putting a BLOB in your systems is a way for any outsiders to have
access to your systems without you knowing it, regardless of how you look
at it!

Please excuse me for the outflow.



Re: text-mode gui

2015-12-22 Thread lists
Tue, 22 Dec 2015 13:36:38 -0500 "Ted Unangst" 
> Tati Chevron wrote:
> > I have never understood exactly why people have so much difficulty 
> > installing
> > a recent OpenBSD system on an encrypted partition.
> > 
> > Basically, you boot bsd.rd as normal, and drop to a shell.  
> 
> Which nobody does for an otherwise normal install.

If you mess the options, you can break out with Ctrl-C and exit with
Ctrl-D to restart the process.  It is still considered a drop to a
shell, albeit a short and not very productive one.

For an otherwise "normal" install, the entire discussion is not really
needed.

When one learns the tricks, and if they want the disk encryption stuff
(duh), re-install with the safety pin off.  Then put back the backed up
details.  Who's lazy, the user with the feature creep or the developers
here?  Can we stop this endless thread already, please.

Of course, Luke wants the encryption goodies but says he needs a text
mode menu system or anything like a "gui".  Who's gonna hack it for him?
Who else uses this soft raid thingy daily to install the system?  For
real.

Full disk encryption in the install, is that the original request of
the interactive stuff that blocks all sane management with some monthly
shuffle of the wording and options order?  Further enhanced with a
domain specific language, so we can get riddles in a more thought
provocative way during install time.

Now, back to normality, what's the fuss?



Re: build an openbsd router/modem

2015-12-22 Thread torsten
A quick question: how do these boards with Intel Atom CPUs cope with gigabit
traffic and SSL VPN?  I love the look of them.
I use the Supermicro Intel i3/E3 midi boards with add-on NICs at the moment.


>oh thank u very much, I think it's exactly what I am looking for.


2015-12-22 20:05 GMT+00:00 Joost Runsink :
> Some modems (Draytek comes to mind) allow you to set the modem in
> bridge mode. At that point it is an ATM to ethernet converter. Have a
> look at Soekris and Alixboard, used a lot for this exact task.
>
> On Tue, Dec 22, 2015 at 07:32:57PM +, Frank White wrote:
>> Hi,
>> Yes I am sorry, I want build a small embedded system with openbsd to
>> connect a lan to an adsl line. I want all the devices with openbsd,
>> included the adsl modem. So the embedded system must have one or more
>> ethernet nic and a modem.
>>
>>
>>
>>
>> 2015-12-22 19:08 GMT+00:00 Tati Chevron :
>> > On Tue, Dec 22, 2015 at 06:45:04PM +, Frank White wrote:
>> >>
>> >> I want build a router/modem with openbsd. My is that I don't want
>> >> anykind of linux code around. I don't have any problems to build a
>> >> router, my problem is to have a modem without any linux firmware.
>> >> Anyone know if there are any pure modem to use it ?
>> >> Or any chip I can connect on any "itx or what u want" motherboard ?
>> >
>> >
>> > Can you be more specific about what you are trying to do?
>> >
>> > Are you trying to build a small embedded system using OpenBSD, or
>> > do you want to configure a normal desktop machine to route data
>> > from a, (3g?  DSL?  Cable internet?), source to other machines on
>> > the LAN?
>> >
>> > --
>> > Tati Chevron
>> > Perl and FORTRAN specialist.
>> > SWABSIT development and migration department.
>> > http://www.swabsit.com



Re: text-mode gui

2015-12-22 Thread lists
Mon, 21 Dec 2015 09:03:09 -0600 Luke Small 
> I don't need a special need case.

Your own use case is deviating from the minimum required to install the
system in a supported by the installer way.  And yes, you don't need a
special "need" case (giggling).

> I have already configured the system I need,

Then why this rant?

> but it would have been nice to know about these configuration
> options earlier.

Aha, so you missed on some critical to your mind entropy extra feature
since 4.8 but you never did take care to try it out with a re-install.
How deceptive of OpenBSD to not provide you these possibilities back in
time.  Perhaps you could have sorted another crisis.

Dmitrij explained this part.  It is not the installer's obligation to
give you suggestions of possible use case for your operating system.

It is up to you to figure out what you want and need from the system.
The demand for some functionality of the installer is to make it easier
for you in case every installation needs it, once you know how to
handle it efficiently (better than your "Go moku" solution).

> It was only because of Linux that I became aware of
> some of the stuff like what vlc

In translation, you found some software with the help of the casual use
of other operating systems.  Good for you, but unrelated so far to your
thread topic.  Imagine what you could do if you've been using the
almighty OpenBSD since day one of your computing life.  The installer's
fault.  Again.

> is and I fooled around with Web pages
> and virtual HDs enough, along with a couple few thousand line c
> programs one to recursively glob search through directory listing

$ man find

> return them in stdout (which some similar program undoubtedly exists)
> and one to search through file contents and return a roundrobin array
> snippet of file contents showing the context in which the search value
> is used.

$ man grep

I'll let you find sed(1) and awk(1) in your post graduate courses, who
are we kidding, you seriously did not fool us, you already have plans to
rewrite these in JavaScript to let them run faster.

> (FYI, I have a C program from my artificial intelligence
> class that beats gomoku even if the gomoku goes first. And my program
> only uses a 10x10 board. It beats it before it goes outside of those
> constraints.)

And completes an infinite loop in less than 1K cycles.  Super secret
project, you will one day stop Sky.net and replace its core in an
afternoon.  This means you're about to become one very skilled computer
engineer; our best hope is that you take more interest in documentation.

> Anyway, my point is that OpenBSD doesn't need to be a
> research OS as Theo has stated. It could have some minor tweaks to the
> install that undoubtedly could persuade users to continue.

Users installing OpenBSD need little to no persuasion, it has manuals
that are correctly precise and open the knowledge path into a
continuation of the UNIX system experience.

> But maybe
> that is the mindset of the OpenBSD hacker.

You'll know with some active use of the OpenBSD system.

> Make it hard and difficult
> for everybody that doesn't want to spend their life away searching for
> commands they don't know about.

This is simply false, are you by any chance referring to another system?

OpenBSD makes it easy and simply works.

> If my Asus laptop, which I figured out
> at the time needed to disable a configuration option, would have
> accepted FreeBSD,

Complaint goes that direction, right?  Towards Asus and FreeBSD.  Rock
solid, heart touching.  Wallet melting.  The power to serve.  Fast food.

> I suspect I would have gone with them. Not because
> they had more up to date software systems like kde, but because their
> system doesn't put up a fight against the user and doesn't
> self-destruct any time it needs to fsck: By Default.

Whoa there, time for a commercial break, go back to the publicity site
you came from and report successful mailing list post and a campaign won
for the good new JS enabled www installer for OpenBSD.  Not.

On a serious note, let's discuss this friendly off list and see if you
can benefit from some cool tips to improve your OpenBSD virtual machine
with more bells and whistles.

> On 12/21/15, li...@wrant.com  wrote:
> >> Luke Small   
> >> >[...] It would be very easy to write a C
> >> >program to parse and edit fstab to make all the partitions softdep.
> >> > I
> >> >wouldn't know how to automate a disklabel call in the way that
> >> >
> >> > https://www.voltaire.com/docs/setup-openbsd-5-6-with-full-disk-encryption
> >> >performs it. [...]  
> >
> > See how when you start getting funny ideas on top of an online tutorial
> > elsewhere made you look completely out of touch with reality?  This is
> > happening over and over.  While simply reading man pages and the
> > OpenBSD frequently asked question suffices.
> >
> > On Mon, 21 Dec 2015 12:07:02 +0100 

Re: build an openbsd router/modem

2015-12-22 Thread mark hellewell
On 23 December 2015 at 06:32, Frank White  wrote:

> Hi,
> Yes I am sorry, I want build a small embedded system with openbsd to
> connect a lan to an adsl line. I want all the devices with openbsd,
> included the adsl modem. So the embedded system must have one or more
> ethernet nic and a modem.
>

I don't think such a thing exists any more.  You will be fine with an
external ADSL modem in bridge mode and pppoe(4).  I'm still getting plenty
of use out of old Cisco 800 series modems bought off eBay.



Re: text-mode gui

2015-12-22 Thread lists
Mon, 21 Dec 2015 18:40:48 -0600 Luke Small 
> You are a normal user and have full disk encryption. You must have read the
> man page on how to do that? Found the installer option did you.

We're obviously missing your quick program you promised us for the
installer.  Why this polemic, instead of rolling up your sleeves and
looking into the source tree.  Hey, it's on the web, for "normal" www
users.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/distrib/miniroot/install.sh
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/distrib/miniroot/install.sub
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/distrib/miniroot/upgrade.sh
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/distrib/miniroot/dot.profile
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/distrib/amd64/common/install.md
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/distrib/i386/common/install.md

> I have read
> several books on openbsd and all the man pages I could find and didn't find
> out how to do it anywhere else other than how-to webpages.

It does not look like you read relevant documentation, it looks like
you did not use the installer in about 10 releases.  You advise some
suggestions you think will compensate for your own deficiencies.  To
"top" your postings, you're only blathering about features, which is
noise.  You could show some code which helps achieve your ideas or ask
how to do it and get involved...



Re: text-mode gui

2015-12-22 Thread lists
Tue, 22 Dec 2015 20:35:39 + Tati Chevron 
> On Tue, Dec 22, 2015 at 10:20:16PM +0200, li...@wrant.com wrote:
> >Tue, 22 Dec 2015 13:36:38 -0500 "Ted Unangst"   
> >> Tati Chevron wrote:  
> >> > I have never understood exactly why people have so much difficulty 
> >> > installing
> >> > a recent OpenBSD system on an encrypted partition.
> >> >
> >> > Basically, you boot bsd.rd as normal, and drop to a shell.  
> >>
> >> Which nobody does for an otherwise normal install.  
> >
> >If you mess the options, you can break out with Ctrl-C and exit with
> >Ctrl-D to restart the process.  It is still considered a drop to a
> >shell, albeit a short and not very productive one.
> >
> >For an otherwise "normal" install, the entire discussion is not really
> >needed.  
> 
> Installing on a softraid crypto volume is NEVER going to be a, 'normal'
> install.
>
> Think about it: on a system with one physical disk, (many desktops, and
> most laptops), a lot of people lazily make one huge softraid crypto

If a lot of people need and use, as in require, full disk encryption
that would be the default, no?

> If, on the other hand, you think that having the system files encrypted
> makes modification of them difficult, think again - the bootloader
> is unencrypted and could be trojaned easily by anyone with physical
> access or who has gained root access over the LAN.

You're missing the case when the key is on a (local) removable device,
or manually entered sequence, or over a network, including
combinations of these.  Resemblance to SSH authentication methods?

> So the average person installing OpenBSD with, 'full disk encryption',
> is gaining virtually nothing by doing that,

This is more true than you accent on it, but not by your provided
explanation, simply because it's incomplete to be in the installer yet.

Ted has a point?

> that they couldn't do by
> installing the system on an unencrypted partition and using a softraid
> volume for their own data storage, and maybe configuration and log files.

That's one efficient approach to pick, because you're in control and
don't need the wasted cycles on slow systems.  In reality you only
encrypt a couple of files.

There is a certain parallel between encrypting hard disks and hardware
raid controllers, and full disk encryption and software raid
implementation, no?

Remember, some of us are running some 20+ years old machines, embedded
systems, and other not that recent processors but still very usable
systems, and will do so until they fall apart beyond repair, or they
can no longer go through the installer in less than a day.



Re: (pretty trivial) FAQ 4 diff suggestions

2015-12-22 Thread Michael McConville
ropers wrote:
> Feel free to reject the below without comment if these changes are not
> deemed improvements:

Thanks! I just incorporated a couple of these. I'll look through the
rest soon.

> --- faq4.html.orig2015-12-20 21:56:34.565914000 +0100
> +++ faq4.html2015-12-21 23:33:22.311786584 +0100
> @@ -90,7 +90,7 @@
>  4.1 - Overview of the OpenBSD installation procedure
> 
>  
> -OpenBSD has long been respected for its simple and straight forward
> +OpenBSD has long been respected for its simple and straightforward
>  installation process, which is very consistent across all platforms.
> 
>  
> @@ -131,8 +131,8 @@
>  boot).
> 
>  Writing a file system image to disk (miniroot):
> -Typically, these are written to a USB device to boot up the install
> -kernel.
> +Here, either installXX.fs or minirootXX.fs is written
> +totypicallya USB device to boot up the install kernel.
> 
>  
> 
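Review bot: in `+totypicallya USB device to boot up the install kernel.` the words run together around 'typically', which reads as punctuation (dashes or commas) lost between `to` and `a`; check the rendered HTML and, if the source really has the words adjacent, set it off as 'to, typically, a USB device'. The new first line also names both installXX.fs and minirootXX.fs while the unchanged heading line above still reads 'Writing a file system image to disk (miniroot):', so the heading may want the same broadening.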
> @@ -666,9 +666,10 @@
>  common passwords people think are really clever.
> 
>  
> -You will later be given a chance to create an administrative account and
> -disable remote (SSH) access to the root account, but you still want a
> -good password on your root account.
> +You will later be given a chance to create an administrative account.
> +If you create one, you will be askedand the default will
> beto
> +disable remote (SSH) access to the root account, but regardless of your
> +choices, you still want a good password on your root account.
> 
>  
>  
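Review bot: `+If you create one, you will be askedand the default will` shows the same run-together text as the earlier hunk (punctuation missing between 'asked' and 'and'), and the next added line has been wrapped so that `beto` sits on a line with no `+` prefix, which means the hunk as mailed will not apply cleanly; re-send the patch as an attachment or with line wrapping disabled, and confirm the punctuation in the rendered page.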
> @@ -1626,7 +1627,7 @@
> 
>  
>  All partitions which have native FFS partitions on them should be within
> -the OpenBSD fdisk(8) partition, however
> +their drive's OpenBSD fdisk(8) partition, however
>  non-OpenBSD partitions can (and
>  usually should) be outside the OpenBSD fdisk partition.
> 
> @@ -1635,8 +1636,8 @@
>  here.
> 
>  
> -More information on why partitioning is beneficial and strategy for
> -creating a good partitioning plan are below.
> +More information on why partitioning is beneficial and a strategy for
> +creating a good partitioning plan is found  href="#Partitioning">below.
> 
>  
>  The OpenBSD installer will attempt to auto-partition your
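Review bot: `+creating a good partitioning plan is found  href="#Partitioning">below.` is missing the opening `<a` of the anchor: as it appears here only ` href="#Partitioning">` survives, which would leave a bare attribute in the visible text, so restore `<a href="#Partitioning">below</a>` before committing. Minor: with the compound subject 'More information ... and a strategy ...', the singular 'is found' is debatable; 'are found' or two separate sentences avoids the question.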



Re: text-mode gui

2015-12-22 Thread lists
Whatever the encryption or other stake raising argument is found today
or in the future, the point is, deviation from line oriented interfaces
for the installer is not the way it can be handled by other systems,
meaning it's not the least common denominator that lends itself to
machine processing and there is point in improving this but going in
the reverse direction counter complexity and contrary to the topic
statement, and towards simplification of the interface like controlled
keyword subsets (don't confuse this with a domain specific language,
think partitioning templates), though it does not mean it can not have
more than one front end, yet modifying the installation process to
accommodate use of multiple different types of installers is not
efficient so far in terms of lack of resources.



Re: text-mode gui

2015-12-22 Thread Luke Small
Ha Ha. I got Theo to call me a whiny prick! I'm getting the t-shirt.

> You play absolutely no part in the decisions that got OpenBSD to where it
> is.
At least somebody is listening, even if they are ignoring everything.

What point is there to having an automated machine, when you have to do
everything manually. I somewhat get why GUIs are maybe insecure, sloppy,
not as robust and maybe a little tacky. Using them is not really my point
anymore. But to not offer an obvious way to access built-in features that
make too much sense to ignore (at least to me) and would make for a good
computing experience, seems odd. I mean you have a way to choose a system
mirror for the install/upgrade, why not to choose a pkg_add mirror after
you install.

I guess I see the attraction toward not having folks able to use your
system and complaining about not having synaptic package manager; starting
upgrades and never running sysmerge and being inundated with bug reports
about how the system crashes from not running pkg_add -u after upgrading.

In my worthless opinion though, I guess having folks getting an initial
foothold and not having to read the man-pages and openbsd.org pages on a
second computer, rather than say even lynx in the freshly installed system
before figuring it out is asking too much. I have a CS degree and from what
I recall, I started out with an old gateway 98 and bought a kvm switch so
that I could be on windows and read openbsd.org while I figured out
OpenBSD, (before a free GUI virtual system like virtualbox). Not everybody
has the spare machinery for that luxury. The puffer fish for a mascot seems
apt for more than just security, but difficult learning curve.

-Luke

On Tue, Dec 22, 2015 at 4:07 PM, Mike Larkin  wrote:

> On Tue, Dec 22, 2015 at 09:57:46PM +, Tati Chevron wrote:
> > On Tue, Dec 22, 2015 at 02:00:26PM -0700, Theo de Raadt wrote:
> > >>But I still maintain that putting an option in the installer to create
> > >>softraid crypto volumes automatically just dumbs down OpenBSD
> > >>unnecessarily, and encourages people to be lazy instead of learning how
> > >>to use the system to its full potential.
> > >
> > >It's great that you have an opinion.
> > >
> > >Unfortunately it is the wrong opinion.
> >
> > That's just your opinion.
> >
> > The OpenBSD defaults are VERY wrong for my needs.  But I've fixed that
> for
> > myself.  I don't come whining on -misc asking for my hand to be held
> every
> > time something breaks.
> >
> > --
> > Tati Chevron
> > Perl and FORTRAN specialist.
> > SWABSIT development and migration department.
> > http://www.swabsit.com
> >
>
> And yet you whine when people offer suggestions to make improvements (eg,
> the recent multitouch discussion).



Re: Progress on adding support for Perle Speed8 LE

2015-12-22 Thread Jordon
> On Dec 22, 2015, at 8:03 PM, Theo de Raadt  wrote:
>
> Can you send me a pcidump -v?
>
> Look for
>
>0x002c: Subsystem Vendor ID:  Product ID: 
>
> in those listings, and try adding those to your table in the
> right place, rather than 0x with a 0x mask.
>
> That makes the driver match more accurately, in case future
> product from this company arrives in the field.
>

Well, that was interesting.  I replaced the zeroes with the Subsystem Vendor
ID and Product ID, set all the flags to 0x, and that made puc1 disappear.
A closer look revealed that there are actually 2 different Product IDs on this
card.

The Dump:

 0:9:0: unknown unknown
0x: Vendor ID: 155f Product ID: b008
0x0004: Command: 0003 Status: 0290
0x0008: Class: 07 Subclass: 00 Interface: 06 Revision: 00
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size:
00
0x0010: BAR io addr: 0xac00/0x0020
0x0014: BAR mem 32bit addr: 0xfb001000/0x1000
0x0018: BAR io addr: 0xb000/0x0020
0x001c: BAR mem 32bit addr: 0xfb002000/0x1000
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 1415 Product ID: 9501
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0c Min Gnt: 00 Max Lat: 00
0x0040: Capability 0x01: Power Management
 0:9:1: unknown unknown
0x: Vendor ID: 155f Product ID: b008
0x0004: Command: 0003 Status: 0290
0x0008: Class: 06 Subclass: 80 Interface: 00 Revision: 00
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size:
00
0x0010: BAR io addr: 0xb400/0x0020
0x0014: BAR mem 32bit addr: 0xfb003000/0x1000
0x0018: BAR io addr: 0xb800/0x0020
0x001c: BAR mem 32bit addr: 0xfb004000/0x1000
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 1415 Product ID: 9511
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0c Min Gnt: 00 Max Lat: 00
0x0040: Capability 0x01: Power Management


my additions to pucdata.c:

{
{   PCI_VENDOR_PERLE, PCI_PRODUCT_PERLE_R35583, 0x1415,
0x9501 },
{   0x, 0x, 0x, 0x },
{
{ PUC_COM_POW2(0), 0x10, 0x },
{ PUC_COM_POW2(0), 0x10, 0x0008 },
{ PUC_COM_POW2(1), 0x10, 0x0010 },
{ PUC_COM_POW2(1), 0x10, 0x0018 },
},
},

{
{   PCI_VENDOR_PERLE, PCI_PRODUCT_PERLE_R35583, 0x1415,
0x9511 },
{   0x, 0x, 0x, 0x },
{
{ PUC_COM_POW2(0), 0x10, 0x },
{ PUC_COM_POW2(0), 0x10, 0x0008 },
{ PUC_COM_POW2(1), 0x10, 0x0010 },
{ PUC_COM_POW2(1), 0x10, 0x0018 },
},
},


the dmesg:

puc0 at pci0 dev 9 function 0 "Perle Speed8 LE" rev 0x00: ports: 4 com
com4 at puc0 port 0 apic 2 int 18: st16650, 32 byte fifo
com4: probed fifo depth: 16 bytes
com5 at puc0 port 1 apic 2 int 18: st16650, 32 byte fifo
com5: probed fifo depth: 16 bytes
com6 at puc0 port 2 apic 2 int 18: st16650, 32 byte fifo
com6: probed fifo depth: 16 bytes
com7 at puc0 port 3 apic 2 int 18: st16650, 32 byte fifo
com7: probed fifo depth: 16 bytes
puc1 at pci0 dev 9 function 1 "Perle Speed8 LE" rev 0x00: ports: 4 com
com8 at puc1 port 0 apic 2 int 18: st16650, 32 byte fifo
com9 at puc1 port 1 apic 2 int 18: st16650, 32 byte fifo
com10 at puc1 port 2 apic 2 int 18: st16650, 32 byte fifo
com11 at puc1 port 3 apic 2 int 18: st16650, 32 byte fifo


I will explore this more over Christmas break.

Thanks,
Jordon
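The behaviour Jordon describes above (puc1 vanishing once the table was keyed on one subsystem ID, then coming back once the second product ID was added) comes down to how a value/mask ID table decides a match. The program below is an added example written for this digest; it is not from the thread and not from OpenBSD's puc(4) or pucdata.c. It only borrows the shape of the entries quoted above (vendor, product, subsystem vendor, subsystem product, each with a mask) and uses the IDs from the pcidump: both functions report vendor 0x155f / product 0xb008 and subsystem vendor 0x1415, but subsystem product 0x9501 on function 0 and 0x9511 on function 1. The struct names, the `find_entry` helper and the `other_155f` device are constructed for illustration. It shows the trade-off behind the advice to match on subsystem IDs: a table that ignores them claims every device the vendor ships under that product ID, including ones never tested with the driver, while a table that requires them must list every subsystem ID the hardware actually reports, or a function silently fails to attach, which is exactly what dmesg revealed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Four PCI configuration-space IDs that a puc-style table can key on. */
struct pci_id {
    uint16_t vendor;
    uint16_t product;
    uint16_t subvendor;
    uint16_t subproduct;
};

/* One table entry: values to compare against and, per field, a mask of
 * 0xffff (field must match) or 0x0000 (field is ignored).  This layout is
 * modelled on the shape of the pucdata.c entries quoted in the thread; it
 * is an assumption for this example, not the driver's own definition. */
struct id_entry {
    const char *name;
    struct pci_id val;
    struct pci_id mask;
};

/* The two PCI functions of the card, as reported by the pcidump above. */
const struct pci_id speed8_fn0 = { 0x155f, 0xb008, 0x1415, 0x9501 };
const struct pci_id speed8_fn1 = { 0x155f, 0xb008, 0x1415, 0x9511 };

/* Constructed (hypothetical) device from the same vendor with a different
 * subsystem product, to show what a loose mask would also claim. */
const struct pci_id other_155f = { 0x155f, 0xb008, 0x1415, 0x1234 };

static int field_matches(uint16_t have, uint16_t want, uint16_t mask)
{
    return (have & mask) == (want & mask);
}

/* Does device `dev` satisfy every masked field of entry `e`? */
int id_matches(const struct pci_id *dev, const struct id_entry *e)
{
    return field_matches(dev->vendor, e->val.vendor, e->mask.vendor)
        && field_matches(dev->product, e->val.product, e->mask.product)
        && field_matches(dev->subvendor, e->val.subvendor, e->mask.subvendor)
        && field_matches(dev->subproduct, e->val.subproduct, e->mask.subproduct);
}

/* Index of the first matching entry, or -1 if no entry claims the device
 * (the case in which a puc instance simply does not attach). */
int find_entry(const struct pci_id *dev, const struct id_entry *tab, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (id_matches(dev, &tab[i]))
            return (int)i;
    return -1;
}

#define ALL   { 0xffff, 0xffff, 0xffff, 0xffff }   /* compare every field */
#define NOSUB { 0xffff, 0xffff, 0x0000, 0x0000 }   /* ignore subsystem IDs */

/* Loose table: subsystem ignored, so any 155f:b008 function is claimed,
 * including products the table author has never seen. */
const struct id_entry loose_tab[] = {
    { "155f:b008, any subsystem", { 0x155f, 0xb008, 0x0000, 0x0000 }, NOSUB },
};

/* Strict table with only the first subsystem ID: the state Jordon
 * describes, where function 1 (0x9511) stops matching. */
const struct id_entry strict_one_tab[] = {
    { "Speed8 LE, subsystem 1415:9501", { 0x155f, 0xb008, 0x1415, 0x9501 }, ALL },
};

/* Strict table with both subsystem IDs: each function matches its own
 * entry and unrelated 155f:b008 devices are left alone. */
const struct id_entry strict_two_tab[] = {
    { "Speed8 LE, subsystem 1415:9501", { 0x155f, 0xb008, 0x1415, 0x9501 }, ALL },
    { "Speed8 LE, subsystem 1415:9511", { 0x155f, 0xb008, 0x1415, 0x9511 }, ALL },
};

static void report(const char *label, const struct pci_id *dev,
                   const struct id_entry *tab, size_t n)
{
    int i = find_entry(dev, tab, n);
    printf("%-11s subsys %04x:%04x -> %s\n", label, dev->subvendor,
           dev->subproduct, i < 0 ? "no match (would not attach)" : tab[i].name);
}

int main(void)
{
    printf("loose table (subsystem ignored):\n");
    report("function 0", &speed8_fn0, loose_tab, 1);
    report("function 1", &speed8_fn1, loose_tab, 1);
    report("other card", &other_155f, loose_tab, 1);

    printf("\nstrict table, one subsystem ID:\n");
    report("function 0", &speed8_fn0, strict_one_tab, 1);
    report("function 1", &speed8_fn1, strict_one_tab, 1);

    printf("\nstrict table, both subsystem IDs:\n");
    report("function 0", &speed8_fn0, strict_two_tab, 2);
    report("function 1", &speed8_fn1, strict_two_tab, 2);
    report("other card", &other_155f, strict_two_tab, 2);
    return 0;
}
```

The check that matters in practice is the one Jordon already did: after changing the table, compare the puc lines in dmesg against `pcidump -v` and make sure every function the card exposes still attaches, and that nothing else from the same vendor is claimed by accident.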



Re: WTMP Question

2015-12-22 Thread Stuart Henderson
On 2015-12-21, Duncan Patton a Campbell  wrote:
> On Sun, 20 Dec 2015 12:37:30 -0800
> Philip Guenther  wrote:
>> Well, you apparently know that the data comes from /var/log/wtmp, so
>> what's the status of that file?  It should be a normal file of
>> non-zero length.  If it's a symlink to /dev/null or something bogus
>> then you need to figure out why and maybe reinstall from scratch.
>> 
>
> # ls -l /var/log/wtmp 
> - -rw-r--r--  1 root  wheel  0 Dec 19 04:00 /var/log/wtmp

Are any flags set on it?  ls -lo

>> Also, you failed to include the dmesg or even mention what version
>> you're running, so maybe we should just go with "you're clearly
>> running an out of date version and probably screwed up an upgrade
>> across the time_t size change"...

There isn't a '> /var/log/wtmp' or something in rc.local from a past
upgrade across the time_t bump is there?



Re: text-mode gui

2015-12-22 Thread Tati Chevron

On Mon, Dec 21, 2015 at 06:40:48PM -0600, Luke Small wrote:

> You are a normal user and have full disk encryption. You must have read the
> man page on how to do that? Found the installer option did you. I have read
> several books on openbsd and all the man pages I could find and didn't find
> out how to do it anywhere else other that how to webpages.


The manual page for bioctl explains all of the options you need.

I have never understood exactly why people have so much difficulty installing
a recent OpenBSD system on an encrypted partition.

Assuming amd64 or i386:

Basically, you boot bsd.rd as normal, and drop to a shell.

If the disk you want to use previously had unencrypted data on it that you
want to erase, you can blank the disk with dd if=/dev/zero of=/dev/your_device.
(I'm not interested in any discussion about how technically some data could
still be recovered from such a disk, because in 99% of cases, it can't.
Simply zeroing out a disk is good enough for virtually everybody wanting to
delete private data.)

Then invoke fdisk -e /dev/your_device to make the MBR partition.  If you just
want OpenBSD on the disk, simply do a reinit, and update the MBR code.

Then invoke disklabel -E /dev/your_device and make a RAID partition that
spans the entire disk.

Then invoke bioctl -c C -l /dev/your_device softraid0

Enter a passphrase

The softraid volume will now be mounted

Make a device node for the new device using the MAKEDEV script,
E.G. sh ./MAKEDEV sd4

Blank the first part of the new encrypted volume using
dd if=/dev/zero of=/dev/new_device bs=256k count=4

Repeat the fdisk step above except using the new softraid volume instead of
the physical disk.

NOTE: Some people might suggest that this is unnecessary, as the installer
will do it for you, but I found on at least one occasion that the MBR bootcode
wasn't correctly written unless I did it manually.

Return to the installer.  Install OpenBSD as normal, using the softraid device
as your root filesystem.

If you are not already familiar with fdisk, disklabel, dd, and the i386 boot
process, it's probably worth learning more about OpenBSD and UNIX in general
before trying to set up an encrypted volume.

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com



Re: text-mode gui

2015-12-22 Thread Christoph R. Murauer
> You are a normal user and have full disk encryption. You must have
> read the man page on how to do that?

I was curious and asked my favourite search engine for *openbsd full
disc encryption* and got results like
http://www.bsdnow.tv/tutorials/fde, read them and found the needed
commands. Yes, after that I looked in the man page at what the people
there had done.

> Found the installer option did you.

Don't know what exactly you mean.

> I have read several books on openbsd and all the man pages I could
> find and didn't find out how to do it anywhere else other that how to
> webpages.

Really, *Absolute OpenBSD - Unix for the practical paranoid, second
edition* page 166 *Encrypted Disk Partitions*, page 167 the bioctl
command including required switches.

IMHO you wrote on 2015-12-21 (taken from marc.info) *I can do that. [
... ] Easy Peasy!* - the community and the developers will judge you
based on your words. If you don't hold your promise, you have earned
the virtual kick in the ass.



Re: BIOS call fallback

2015-12-22 Thread Gareth Nelson
Oh, don't get me wrong - that was just an idle thinking out loud "what if?"
Rather than a serious proposal.

On 22 Dec 2015 2:05 am, "Theo de Raadt"  wrote:
>
> > To be fair, i'd love to see the OpenBSD approach to software development
> > applied to BIOS/EFI firmware.
> >
> > For a start, it wouldn't have the nightmare that is Intel AMT sitting
below
> > the OS and offering a massive security hole.
>
> Gareth,
>
> The OpenBSD process is quite well understood.  Use the best methods,
> doubt what you do, refactor.  Simple in concept, but it takes a lot
> of time.
>
> Therefore I am looking forward to seeing what you and James can do.
>
> How long do you think it will take you?  Can we expect to see working
> code in a year... maybe two?



Re: WTMP Question

2015-12-22 Thread Otto Moerbeek
On Tue, Dec 22, 2015 at 10:26:33AM +, Stuart Henderson wrote:

> On 2015-12-21, Duncan Patton a Campbell  wrote:
> > On Sun, 20 Dec 2015 12:37:30 -0800
> > Philip Guenther  wrote:
> >> Well, you apparently know that the data comes from /var/log/wtmp, so
> >> what's the status of that file?  It should be a normal file of
> >> non-zero length.  If it's a symlink to /dev/null or something bogus
> >> then you need to figure out why and maybe reinstall from scratch.
> >> 
> >
> > # ls -l /var/log/wtmp 
> > - -rw-r--r--  1 root  wheel  0 Dec 19 04:00 /var/log/wtmp
> 
> Are any flags set on it?  ls -lo
> 
> >> Also, you failed to include the dmesg or even mention what version
> >> you're running, so maybe we should just go with "you're clearly
> >> running an out of date version and probably screwed up an upgrade
> >> across the time_t size change"...
> 
> There isn't a '> /var/log/wtmp' or something in rc.local from a past
> upgrade across the time_t bump is there?

Or in /etc/rc.firsttime and a r/o /etc so it cannot be renamed?

-Otto



Re: Doing NAT after divert-packet rule

2015-12-22 Thread C.L. Martinez

On 12/18/2015 10:17 AM, C.L. Martinez wrote:

Hi all,

  This post is related to this one:
http://marc.info/?l=openbsd-misc=145017155902016=2. After doing a
lot of tests, I have arrived at a satisfactory situation.

  At this moment, my divert-packet rules works (for all protocols
without modifying state options) to redirect traffic to an IDS (I am
doing these tests using Snort and Suricata).

  But, I have a problem with NAT rules. If I am not wrong, a NAT rule
acts before a packet is diverted to the specified socket.

  I have done some tests using example program from divert(4) man page.
Here is the result:

root@dundee:/nsm/2015-12-18# test_divert



10.5.10.177:54967 -> 216.58.208.228:80
216.58.208.228:80 -> 172.22.55.4:58816
10.5.10.177:54967 -> 216.58.208.228:80
10.5.10.177:54967 -> 216.58.208.228:80
216.58.208.228:80 -> 172.22.55.4:58816
216.58.208.228:80 -> 172.22.55.4:58816
216.58.208.228:80 -> 172.22.55.4:58816
10.5.10.177:54967 -> 216.58.208.228:80
10.5.10.177:54967 -> 216.58.208.228:80
216.58.208.228:80 -> 172.22.55.4:58816
10.5.10.177:54967 -> 216.58.208.228:80
216.58.208.228:80 -> 172.22.55.4:58816

  As you can see here, there are two private IP's: 10.5.10.177 and
172.22.55.4.

  IP 10.5.10.177 is the external IP address for openbsd fw. 172.22.55.4
is an internal vm doing telnet to www.google.com port 80 (IP
216.58.208.228).

  My relevant pf rules are:

set block-policy drop
set state-policy if-bound

# Scrubbing rules
match in all scrub (no-df)
match out on egress all scrub (random-id)
match on egress all scrub (reassemble tcp)

block all
pass in inet proto tcp from 172.22.55.4 to ! tag
intlans-to-inet
pass out quick on egress inet proto { tcp icmp udp } from 172.22.55.4
divert-packet port 8000 nat-to (vio1:0)

  Stopping the divert example program and starting up a Suricata instance
(or Snort, results are the same), they only see the natted address:
10.5.10.177. An example triggered alert:

12/18/2015-09:23:51.436216  [Drop] [**] [1:2:1] Reject web access to
Google [**] [Classification: Misc Attack] [Priority: 2] {TCP}
10.5.10.177:56172 -> 216.58.208.228:80

  My question is: is it possible to NAT an ip after divert-packet rule
acts??

  Thanks.




Please, any tip or idea??

Thanks.



Re: BIOS call fallback

2015-12-22 Thread Read, James C
> I guess in the absence of a seriously thought out wish list such a project
> could be open ended. The more care spent in hardware design choices I guess
> the more likely we could avoid the mess that various legacies have caused.

Here's a suggestion for a community that is based around the claim of a
'secure' OS.

Isn't an OS resident in RAM insecure by default? The very fact that it is
physically possible for an OS to be modified merely by software it runs or
interacts with makes any claims of being 'secure' more than a little shaky.

I guess we could start with a design choice that our 'secure' OS is resident
in ROM only and cannot easily be modified by a user with a few software
commands.

0x00



Re: BIOS call fallback

2015-12-22 Thread Tati Chevron

On Tue, Dec 22, 2015 at 11:19:01AM +, Read, James C wrote:

> I guess in the absence of a seriously thought out wish list such a project
> could be open ended. The more care spent in hardware design choices I guess
> the more likely we could avoid the mess that various legacies have caused.
>
> Here's a suggestion for a community that is based around the claim of a
> 'secure' OS.


I don't think many people on this mailing list appreciate random 'suggestions',
because we already have enough ideas of our own to keep us busy.


> Isn't an OS resident in RAM insecure by default? The very fact that it is
> physically possible for an OS to be modified merely by software it runs or
> interacts with makes any claims of being 'secure' more than a little shaky.
>
> I guess we could start with a design choice that our 'secure' OS is resident
> in ROM only and cannot easily be modified by a user with a few software
> commands.


I think you have a massive lack of knowledge of very basic computing principles.

Putting the OS in ROM would only defend against a specific class of
vulnerabilities, specifically the OS itself being overwritten.  Modern hardware
has MMUs and other ways to control read/write/execute permissions on sections
of RAM.  This is one reason why the Amiga was a vulnerable platform in its
day, because the hardware lacked decent memory protection.

In any case, as long as there is any writable memory in the system, there exists
the possibility of somehow making the processor jump to it and execute code.
You can, for example, fill the memory of a smartcard with a nop slide, and place
executable code at the end.  Hold the reading device over a source of heat until
it flips enough bits and it begins executing somewhere in your RAM, and
eventually gets to your exploit code.

Besides, you don't even need writable memory to exploit a system.  With a large
enough OS in ROM, somewhere there is bound to be a sequence of bytes that you
can use as an exploit.  That may well be a byte sequence which isn't even
intended to be executable code, or even jumping into the middle of a multi-byte
instruction, hoping that the rest that follow it would be interpreted as
something exploitable.

For example, on a Z80, the following sequence of bytes, starting at address 0:

11 CD 00 01 00 00

Would disassemble as:

LD DE, 
LD BC, &

I.E. you are storing one value in the DE register pair and then another value in
the BC register pair.

However, since LD DE is a multi-byte instruction, if you disassemble from
address 1, it becomes:

CALL &0001
NOP
NOP

Which would make the processor spin an endless loop, which depending on the
hardware would cause a denial of service, (lock-up, crash), and in the case of
marginal hardware, possibly cause the thing to draw more power, and overheat,
eventually jumping to another random address.

So it's quite possible to mess around and find exploits, even with software in
ROM.


> 0x00


Is this the first part of your new BIOS project, or something???

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com




Re: text-mode gui

2015-12-22 Thread frcc
On Tue, Dec 22, 2015 at 11:04:28AM +0100, Christoph R. Murauer wrote:
> > You are a normal user and have full disk encryption. You must have
> > read the man page on how to do that?
> 
> I was curious and asked my favourite search engine for *openbsd full
> disc encryption* and got results like
> http://www.bsdnow.tv/tutorials/fde, readed them and found the needed
> commands. Yes, after that I looked in the man page what the people
> there had done.
> 
> > Found the installer option did you.
> 
> Don't know, what you exactly mean.
> 
> > I have read several books on openbsd and all the man pages I could
> > find and didn't find out how to do it anywhere else other that how to
> > webpages.
> 
> Really, *Absolute OpenBSD - Unix for the practical paranoid, second
> edition* page 166 *Encrypted Disk Partitions*, page 167 the bioctl
> command including required switches.
> 
> IMHO you wrote on 2015-12-21 (taken from marc.info) *I can do that. [
> ... ] Easy Peasy!* - the community and the developers will judge you
> based on your words. If you don't hold your promise, you have earned
> the virtual kick in the ass.
> 
> 
  I can't understand why anyone especially those who profess to
  have accomplished this or that in (C) Class or working towards a
  degree, assisting a professor or software engineer would suggest such
  non-sense. OpenBSD is the simplest installer I've seen.


  If I want to do more beyond the standard install, post install
  information is easy to understand. I can re-install (about 3 min)
  and make the adjustments that I didn't think of earlier.

  A product of "common core"
  Hear Hear Schz!
  Can someone put a fork in this subject!
  (dungeon quest) Ha!, I like it!



APU-2: Changing Installer Image

2015-12-22 Thread Kapfhammer, Stefan
Hello,

I want to install OpenBSD 5.8 on an APU-2 board with a mSATA SSD installed.

I have to redirect the output to serial console with a change in /etc/boot.conf (2 lines)

How do I write the change to a USB-Stick, so that the installer boots from the 
APU? Or is there a better way to install the APU?

Friendly regards,

Stefan



What happened with MySQL server on amd64 ?

2015-12-22 Thread Dusan Sukovic
What happened with MySQL server? Can't find port or install package on
5.8 amd64
As far as I can see it, it was in 5.6 amd64.

# uname -a
OpenBSD lenovo.lan 5.8 GENERIC.MP#1236 amd64


pkg_add -i mysql-server
quirks-2.114 signed on 2015-08-09T11:57:52Z
Can't find mysql-server


Thanks,

Dusan



Re: Boot loader uses INT 13h [WAS BIOS call fallback]

2015-12-22 Thread Theo de Raadt
> a security consideration, as far as I can see the bootloader loads using INT
> 13h calls. How can the kernel be sure it is really operating in ring 0 and not
> in some VM given that this is the case?

Hey, it looks like you are just trying to be a dick.

Does your mother know?



Boot loader uses INT 13h [WAS BIOS call fallback]

2015-12-22 Thread Read, James C
Hi,


a security consideration, as far as I can see the bootloader loads using INT
13h calls. How can the kernel be sure it is really operating in ring 0 and not
in some VM given that this is the case?