Future Tech

Version 7.6 – the 'OpenBSD of Theseus' – released

Tan KW
Publish date: Thu, 10 Oct 2024, 07:25 PM
Tan KW
0 502,878
Future Tech

OpenBSD is arguably the most secure general-purpose OS for general-purpose computers. This version has better laptop support, includes more Arm64 kit, and brings hardware-accelerated video playback.

OpenBSD version 7.6 is the latest release of what is very probably the most secure member of the great Unix family. (Although the NetBSD folks dispute that, but it wouldn't be a Unix-like system without internecine disagreement.)

Project lead Theo de Raadt termed this release the OpenBSD of Theseus. With version 7.6, there are no unmodified files left from the original code forked from NetBSD 1.0 in 1995. The reference is to the Ship of Theseus; a less classical alternative is "my grandfather's axe", but since the last remaining bit that was removed was an ancient Greek quiz, as described on Hacker News, it's an undeniably appropriate allusion.

There is a full list of changes for those keen to know what's new. Suffice to say that it tightens up security in lots of areas. There's improved support for technologies such as AMD Secure Encrypted Virtualization, including supporting it in vmm, OpenBSD's integral hypervisor. OpenBSD supports a remarkable 14 different architectures, and each release tends to improve hardware support. In parallel with FreeBSD's efforts to improve laptop support, OpenBSD too is working on it too. This version has better support for deeper sleep states, which use less power. This version also has wider Arm64 support; the release notes call out that it has "Added Qualcomm Snapdragon X Elite (X1E80100) support".

Saying that, this does not mean that you can just pop it onto a laptop and get a lightweight graphical desktop. It does include several of common desktops – and unlike FreeBSD, the default installation will, if you want, install the Xenocara X11 server and leave you with a graphical login screen and a working FVWM session. A GUI desktop is not really the sort of usage model it's aimed at, but it can do it.

The Register regularly takes a look at what's happening in the OpenBSD world, and we looked at version 7.1, version 7.2 and most recently version 7.5. Emboldened by our experiences with previous releases, we installed OpenBSD 7.5 on bare metal on a geriatric Thinkpad W500 – and in case that sounds too easy, it's dual-booting with Windows, NetBSD and two Linux distros.

OpenBSD is in some ways all about managing your expectations: yes, it's a Unix-like OS, and yes, it runs on commodity PC-class hardware, even including Apple Silicon Macs and some other more PC-like Arm64 hardware. But it's extremely restrictive by design, little third party software supports it, and part of the secret of its surprisingly wide hardware support is that there are entire classes of hardware it simply doesn't support, including Bluetooth.

So, yes, if you have, say, an old M1 Mac mini lying around, you can install OpenBSD on it – but you won't be able to use the Apple-supplied pointing device, keyboard, or headphones with it. You will need old-style wired ones. Simply not supporting the entire industry standard protocol for connecting to wireless peripherals would, we suspect, come as a surprise to most ordinary computer owners. Bluetooth is so ubiquitous, most smartphones no longer even offer headphone sockets. Conversely, when the Reg FOSS desk asked a couple of OpenBSD maintainers about its missing Bluetooth support, they reacted with surprise that this should be considered noteworthy.

To try out the new release, we fired up our OpenBSD 7.5 Thinkpad and tried an in-place upgrade. There is a built-in command to do this, called sysupgrade. We checked the space requirements, which were just enough, and experimentally tried to invoke it without parameters. To our slight surprise, it just went ahead and did it, without any further prompts. Including not asking for confirmation. Including a system reboot. This is not an OS for the incautious. It worked perfectly smoothly; on reboot, the bootloader noticed that an upgrade was in progress and completed it without any intervention. When it's done, you just have to issue the command pkg_add -Uu to update your packages and the job's a good one.

The test machine is an old one, with a Core 2 Duo, so extensive benchmarking would be a waste of everyone's time. To test hardware-accelerated video playback, though, we tried playing a Youtube video. It worked fine, and incidentally we discovered that we had working sound support and that our dedicated volume-control keys worked. Before the upgrade, playback used an average of 89 per cent of one CPU core; afterwards, it still worked just the same, but in the included Firefox 130, it only used some 45 per cent CPU. Playback was smooth but the Youtube stats said it was consistently dropping a few frames, both before and after.

We've left our bare-metal setup fairly unornamented, in part because OpenBSD defaults to a quite complex partitioning arrangement. We gave it a 32GB primary partition, and it split this up as follows:

thinkpad-w500$ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 986M 248M 688M 27% /
/dev/wd0n 7.4G 227M 6.8G 4% /home
/dev/wd0d 1.8G 5.8M 1.7G 1% /tmp
/dev/wd0f 3.5G 1.5G 1.8G 45% /usr
/dev/wd0g 986M 329M 608M 36% /usr/X11R6
/dev/wd0h 4.1G 924M 2.9G 24% /usr/local
/dev/wd0m 5.7G 2.0K 5.4G 1% /usr/obj
/dev/wd0l 1.8G 2.0K 1.7G 1% /usr/src
/dev/wd0e 2.8G 10.4M 2.6G 1% /var

There are valid reasons for this complexity – for instance, the different volumes have different permissions, which prevents an attacker from executing files in much of the filesystem. The downside is that here, with only 3.2GB of operating system in 32GB of space, we have just 608MB of space for graphical apps, so there isn't room to install even a lightweight desktop such as Xfce. The installation program is a moderately terrifying affair of cryptic prompts with extremely terse responses, and one misplaced character will destroy everything on your drive, so adjusting this allocation remains beyond us at our meager level of skills.

OpenBSD is a strange beast. It's hard work and very little third party software supports it. We recently wrote about how BSD is boring in the good way, and while our article didn't specifically name-check OpenBSD, Stefano Marinelli's talk did. He mentioned one of its strong points: "OpenBSD as network/firewall entry points". He elaborated:

This is both the strength and the weakness of OpenBSD. If you want a clean, minimalist system, then almost everything you need is right there in the OS; but conversely, if you want anything else that isn't in its repositories, then at best you'll likely have to find source code and compile it yourself. Few third party programs support it, but that means that upgrades are simple and straightforward and reliable, because there are few to no external components to complicate matters. (Trying to simplify installing external software in ways that they won't break upgrades is one of the reasons tools like Snap and Flatpak exist.)

It is clean and simple to the point of being austere. For instance, we couldn't email a screenshot to ourselves from our FreeBSD machine. As far as we can tell, this is because Firefox isn't allowed to browse the local filesystem, which breaks adding an attachment.

If extreme cleanliness and austerity sound like your sort of thing, then maybe we're wrong: maybe you will like OpenBSD. Most people probably won't, but we're glad it exists and we wish that a bit more of the internet's infrastructure ran on it. With stronger safer servers running OpenBSD, there would be fewer hucksters shilling blockchain projects at industry conferences. ®

Bootnote

Although our OpenBSD skills are extremely minimal, in the interests of representation, we should note that, yes, this particular vulture is exclusively black-clad, and does eschew both wireless peripherals and Bluetooth audio devices. We are effete and decadent enough to enjoy graphical file managers in preference to a bare Korn shell, though.

 

https://www.theregister.com//2024/10/10/version_76_openbsd_of_theseus/

Discussions
Be the first to like this. Showing 0 of 0 comments

Post a Comment