OpenBSD

A quick interview with an OpenBSD community member: discussing the OS, the community's contributions to its development, and some future plans.

A new BSDCan video has been posted: Confidential Computing with OpenBSD -- The Next Step by Hans-Jörg Höxer

Confidential computing is a family of techniques to enhance security and confidentiality for data in use. One technical approach is strong isolation for virtual machines.

AMDs Secure Encrypted Virtualization (SEV) offers several feature sets for isolation of guest virtual machines from a non-trusted host hypervisor and operating system. These feature sets include memory encryption, encryption of guest state including CPU registers and an attestation framework.

With OpenBSD 7.6 released in October 2024 we are now able to use the memory encryption features of AMD SEV to run OpenBSD as both

    a confidential guest VM and     as a hypervisor providing a confidential execution environment.

Now, thanks to memory encryption the hypervisor is not able to peek into a guests memory and is not able to retrieve sensitive information. However, the state of the CPU registers used by the guest is still visible to the hypervisor.

Therefore, we implemented support of AMDs "Secure Encrypted Virtualization with State Encryption" (SEV-ES) for OpenBSD guests and hypervisor. With SEV-ES all CPU guest state is encrypted and hidden from the hypervisor.

In this talk we will explain the fundamentals of SEV and SEV-ES. Then we explore the challenges imposed by SEV-ES for both guest and hypervisor. Finally we will take a closer look into selected implementation details.

Hans-Jörg Höxer is employed at genua, a German firewall manufacturer, who is using OpenBSD as a secure and stable base for its products.

For more information, please visit:  https://www.bsdcan.org/2025/

• and - https://www.bsdcan.org/2025/timetable/timetable-Confidential-Computing-with.html

New BSDCan Video Posted:

The state of 3d-printing from OpenBSD by Andrew Hewus Fresh

It's possible to do some 3d printing related things on an OpenBSD machine, but there are a bunch of popular tools that aren't available in the ports tree. We will talk about some of the different classes of software and what things are popular and whether they are currently available on OpenBSD and what the blockers are from getting those into the ports tree.\

#3dprinting #openbsd #runbsd

This talk goes over the development of a distributed filesystem tailored for OpenBSD. While OpenBSD excels in many areas, its native filesystem support has room for improvement. This talk goes into using the Filesystem in Userspace (FUSE) on OpenBSD to provide for a distributed and highly available filesystem.

This talk also includes an introduction to the Raft Consensus Algorithm, which plays a critical role in ensuring data consistency and reliability across distributed systems. The Elixir programming language is used, providing the necessary foundation for the implementation of the distributed FUSE filesystem on OpenBSD.

Talk link

For more information, please visit: https://www.bsdcan.org/

When moving the drive that has OpenBSD installed on it to a new machine, the new hardware is not automatically configured.
For example, the new network interface does not appear in ifconfig, and the new DVD drive does not magically appear in fstab.

Surely there are other adjustments that would need to be made as well.

Therefore,
What changes need to be made after moving the system drive to a new computer?

OpenBSD Folks, @bsdcan 2025 has talks for you !

A distributed filesystem for OpenBSD · BSDCan Indico

https://indico.bsdcan.org/event/5/contributions/115/

#runbsd #bsdcan

The OpenBSD project has announced OpenBSD 7.6, its 57th release.

As the next release is slowly cooking, I'd like to mention an artist that I love: @pmjv, or prahou. He's been dedicated to submitting awesome artwork about his universe, here at /c/unix_surrealism, which features many openbsd related comics (puffy being an important protagonist).

I was thus wondering how an artist could pretend at submitting an artwork for the next release ? Is it a shortlist ? Do you simply upload some on the mail list ?

Upcoming EuroBSDCon OpenBSD talk Confidential Computing with OpenBSD by Hans-Jörg Höxer

Confidential computing is a family of techniques to enhance security
and confidentiality for data in use. One technical approach is strong
isolation for virtual machines.

AMDs Secure Encrypted Virtualization (SEV) offers several feature sets
for isolation of guest virtual machines from an non-trusted host hypervisor
and operating system. These feature sets include memory encryption,
encryption of guest state including CPU registers and an attestation
framework.

In this talk we will explore some of the AMD SEV feature sets. We will
describe how to use them to run OpenBSD as both

• a confidential guest VM and
• a host hypervisor providing a confidential execution environment.

Topics covered are CPU feature detection, low level kernel initialization,
memory management, virtio(4) device drivers and the virtual machine
daemon vmd(8).

I](https://events.eurobsdcon.org/2024/speaker/ZZNGCU/)

Tickets are still available and this talk will be streamed and recorded for later release.

Upcoming EuroBSDCon OpenBSD talk Building a SD-WAN appliance suitable for an Australian Health Sector NFP/NGO by Jason Tubnor

Latrobe Community Health Service (LCHS) - AS139466 - is a Not for Profit (NFP)/Non-Government Organisation (NGO) headquartered in Victoria, Australia. The organisation consists of 40 offices and 2 data centres across the States of Victoria and New South Wales with over 1,500 employees. All LCHS infrastructure is designed and managed in-house without the use of large-scale cloud infrastructure. Since 2015, BSD Unix has been used for various workloads within the organisation.

This talk focuses on our next generation SD-WAN appliance built on OpenBSD technology using commodity hardware. Topics will include the network topology, design choices, various OpenBSD VPN and routing technologies and orchestrating build, deployment and management across the fleet using Ansible.

Jason Tubnor

Tickets are still available and this talk will be streamed and recorded for later release.

Upcoming EuroBSDCon OpenBSD talk A Packet's Journey Through the OpenBSD Network Stack by Alexander Bluhm

When debugging network issues, it is important to understand when
certain things happen. Tcpdump provides valuable insight, pf
transforms packets, pseudo devices add features, and netstat counters
show action. The call graph of the functions within the kernel is
the base to comprehend the relation between these sources of
information.

The layering of kernel code in hardware drivers, pseudo devices,
IP processing, forwarding and protocol layer is explained. The
kernel provides the socket interface to userland processes. Packet
forwarding happens within the kernel. Bridge code uses certain
shortcuts. pf is a swiss knife that can manipulate traffic in
multiple layers. IPsec has an independent interface that overrides
routing. Routing itself and neighbor discovery is a necessary step
that has its tentacles everywhere. Checksum calculation can be
performed by hardware offloading.

By using examples with a single packets, their way through the
kernel is shown. The possible branches, configuration options, and
measurement output are put in correlation.

Alexander Bluhm

Tickets are still available and this talk will be streamed and recorded for later release.

Upcoming EuroBSDCon OpenBSD talk OpenBSD vs. IPv6 by Florian Obser

** .ical](https://events.eurobsdcon.org/2024/talk/AV78U9.ics)09-21, 17:45–18:30 (Europe/Dublin), Foyer B **

We will give an overview of past, present and future work on IPv6 in OpenBSD.

We will show how we replaced KAME stack code in both the kernel as well as userland with modern, privilege separated daemons for stateless address auto configuration. slaacd(8) runs on the host to solicit router advertisements and configures addresses and routes. rad(8) runs on the router to send router advertisements. A newly written daemon for DHCPv6, dhcp6leased(8), requests prefixes from an upstream ISP which then can be used by rad(8) for router advertisements.

Next we will show the new IPv6 source address selection in the kernel, including support for the infamous Rule 5.5 of RFC 6724.

In ongoing and future work we will touch on client-side address translation using pf(4)'s af-to feature to support the 464XLAT transition mechanism for v6-mostly networks.

Florian Obser

Upcoming EuroBSDCon OpenBSD talk Global anycast using OpenBSD on a budget by Rob Keizer

This talk goes over using OpenBSD as the basis for a highly available globally distributed public anycast network. Distributed decision systems corosync, consul, and raft (using Elixir) are discussed, as are highly available distributed storage and routing systems, all on OpenBSD, all on a budget.

Rob Keizer

Upcoming EuroBSDCon OpenBSD talk Why rewrite fw_update(8)? By Andrew Hewus Fresh

OpenBSD provides the fw_update(8) utility to handle installing firmware for hardware from manufacturers whose licensing isn't compatible with our base system. We will take a trip into the history of fw_update(8), its structure and why it exists. A recent rewrite provides an illustration of the value OpenBSD places on simplicity and user experience.

Andrew Hewus Fresh

Tickets are still available and this talk will be streamed and recorded for later release.

Upcoming EuroBSDCon talk: vmd's multi-process device emulation: 2 releases later by Dave Voutila

** .ical09-21, 14:45–15:30 (Europe/Dublin), Foyer B **

In OpenBSD 7.4, the native hypervisor, vmd(8)became the only open source type-2 hypervisor to default to using a multi-process, privilege separated model for emulating block and network devices.

This talk provides a look at the inspiration from Oracle's contributions to QEMU as a means of multi-layered defense, a review of the challenges and changes required to OpenBSD across 7.4 and 7.5, and a look at the road ahead.