OpenBSD Drops Support For Loadable Kernel Modules

jones_supa writes: The OpenBSD developers have decided to remove support for loadable kernel modules from the BSD distribution's next release. Several commits earlier this month stripped out the loadable kernel modules support. Phoronix's Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Tuesday October 28, 2014 @02:48PM (#48254439)

    As far as I'm concerned, the OpenBSD developers are as close to infallible as software developers could ever hope to get.

    If they've decided to do this, then it's just the correct thing to be doing.

    • by ZorkZero ( 6507 ) on Tuesday October 28, 2014 @02:50PM (#48254461)

      That sound you just heard in the distance? The puckering of a million Linux fanboys' butts.

    • by ThePhilips ( 752041 ) on Tuesday October 28, 2014 @03:11PM (#48254649) Homepage Journal

      As far as I'm concerned, the OpenBSD developers are as close to infallible as software developers could ever hope to get.

      If they've decided to do this, then it's just the correct thing to be doing.

      HP rep - a HP-UX sales guy - once told me that their kernel doesn't support loadable modules to prevent even the remote possibility of a malicious driver.

      But why OpenBSD chose to do it, I have no idea. Frankly, I was under impression that OpenBSD didn't support loadable kernel modules at all.

      To some the kernel drivers might seem a norm, but even 15 years ago they were still considered a novelty. And everybody was still making jokes about Microsoft's Plug-n-Play.

      • Frankly, I was under impression that OpenBSD didn't support loadable kernel modules at all.

        That bug will get fixed soon. One less thing to worry about.

      • by afairch ( 56711 )

        Actually that was more than 15 years ago. Dynamically Loadable Kernel Modules (DLKM) have been available in HP-UX since version 11.0, released in 1997.

      • by gweihir ( 88907 )

        For different values of "the norm". I usually run Linux kernels without loadable modules as well. It increases stability and security.

      • They had in the past, but they really really didn't like it. So I guess they finally fixed it.

      • by imac.usr ( 58845 )

        I call shenanigans, nobody in their right mind would claim to be interested in selling HP-UX. /shudder.

    • No, what they are is excellent OpenSSH maintainers.

      The security of OpenBSD is often overrated by people who don't actually understand security.

      For all their hyperbole, they were still vulnerable to Heartbleed.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        They were vulnerable because openssl took specific measures to counteract the defense mechanisms present in openbsd. See this writeup [tedunangst.com].

        Even Coverity could not detect the problem [coverity.com].

        • by mysidia ( 191772 )

          No... that was just Theo's excuse. He called OpenSSL's memory allocation strategy an "exploit mitigation countermeasure."

          Actually, that was just a side effect, and what OpenSSL does that "counteracted" the defense is extremely common in software and software libraries.

          It's also generally a good idea as far as performance is concerned ---- and with a library such as SSL which needs to process network traffic (HTTPS, for example); adequate performance is pretty darned important.

        • OpenSSL did not take specific measures to counteract "defense" mechanisms in OBSD. That implies intent, and is downright disingenuous.

          OpenBSD was famous for auditing all code in the base system. They famously deny they need any advanced security measure such as MAC, file signing, or even an ACL.

          NetBSD tends to be a much more secure system, without any of the hype. Less reported vulnerabilities, veriexec, PaX (similar to W^X) and TrustedBSD extensions.

        • I don't see that this is the base problem. Heartbleed worked because the custom malloc() allocated memory that was not initialized, allowing the bad guys to read whatever happened to be in that buffer. Ideally, SSL would have wiped memory when freeing it, but if the attacked buffer had simply wiped its memory when allocated there would have been no way to exploit this. In other words, calloc() rather than malloc() would have prevented Heartbleed.

          I saw some arguments that it showed that security softwa

  • by Anonymous Coward on Tuesday October 28, 2014 @02:53PM (#48254489)

    It's probably because OpenBSD's "LKMs" are so ancient, limited, and inflexible that nobody bothers to use them. I imagine if there were demand they would have adopted a more modern loadable module system, more akin to what's found in FreeBSD, NetBSD, Linux, etc.

    This isn't news. It's more Phoronix spam.

  • Phoronix, why? (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 28, 2014 @02:57PM (#48254517)

    "...Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals."

    I know Phoronix is infamous, but, wow...

    The OpenBSD mailing lists are right there. You're already reading them! Many developers frequent them daily. All you need to do is post a question! Hell, send an email to Ted himself if you're that shy. Why bother writing this article without doing the most basic of research?

  • by Anonymous Coward

    I hope OpenBSD becomes much more popular. I remember nearly 15 years ago when BSD was being touted for its performance and media capabilities. Now I want more alternative, free, and open-source OSes that tout security and privacy. Privacy while using technology has become practically extinct, well, at least so it seems to me.

  • The name braindamaged, the link to goatse on the front page, 1 branch, 1 fork and 9 followers. How does this even compute as real?

    New low?

    • wat

      • by tibit ( 1762298 )

        What wat? Just look at the link in the fine article. It's not to any official openbsd repo, because it's not even CVS, and OpenBSD uses CVS (yes, they do). That's wat. Again, how stupid can one be?

        • by Noryungi ( 70322 )

          Well, I was surprised by the bitbucket link as well, but a lot of developers (OpenBSD or not) use git these days. The repo linked to seems to be a copy of the official OpenBSD CVS.

          A better link could be, for instance:

          http://cvsweb.openbsd.org/cgi-... [openbsd.org]

          Or:

          http://cvsweb.openbsd.org/cgi-... [openbsd.org]

          The interesting thing is that the diff just before Ted Unangst is more than 11 years old -- which means LKMs really haven't been used for a long time in OpenBSD...

    • Re: (Score:3, Insightful)

      by ndato ( 3482697 )
      The official changelog also says they removed LKM http://www.openbsd.org/faq/cur... [openbsd.org]
      • Re: (Score:2, Insightful)

        by X0563511 ( 793323 )

        I'm more alarmed that procfs is going away.

        • by brynet ( 3462983 )
          Why? It was mostly used for compat_linux(8) anyway, which is i386 only. Nobody was using mount_procfs(8) without the ancient -o linux option. It was broken for months before anyone noticed.
    • by tibit ( 1762298 )

      Exactly. The editors should be ashamed. The post was carefully engineered to promote someone's private fork. OpenBSD uses WebCVS for crying out loud! How stupid can people be?!

      • by Noryungi ( 70322 )

        See my answer above: OpenBSD dev also use git. LibreSSL - portable is maintained on Github, for instance.

        Then again, you probably don't know a lot about OpenBSD... Do you? A simple Google search could have given you the links I included in my previous answer.

  • Now if they could also drop support for shared libraries I might consider upgrading my warezed copy of NetBSD 0.8.

  • by Theovon ( 109752 ) on Tuesday October 28, 2014 @03:15PM (#48254717)

    The OpenBSD developers are so awesome that they've found a magical way to make modules unnecessary: Magical code compression with zero runtime overhead. As a result of this new approach, every possible kernel module (including ones that haven't been written yet) is stored in less space than an otherwise completely stripped kernel from the prior revision.

  • Once you know why loadable kernel modules have been introduced.
    But this requires you to turn your brain on first.
  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Tuesday October 28, 2014 @03:18PM (#48254761) Homepage
    They also removed Sendmail and BIND. Where's the outcry there?
  • Holy crap... (Score:4, Interesting)

    by Andy Dodd ( 701 ) <atd7&cornell,edu> on Tuesday October 28, 2014 @03:20PM (#48254805) Homepage

    https://bitbucket.org/braindam... [bitbucket.org]

    These are some of the worst and most uninformative commit messages I've ever seen...

    1) Why are there so many commits to achieve the same thing?
    2) Any commit message that is only a single line other than "fix typo" is a bad commit message

    Seriously, even some of the worst/most incompetent Android kangers have written better commit messages than the shitpile of LKM removals I'm seeing there.

    • by tibit ( 1762298 )

      That's just someone's private repo. You've fallen for clickbait. Nothing to see here.

    • by tlhIngan ( 30335 )

      Any commit message that is only a single line other than "fix typo" is a bad commit message

      "Fix typo" is a bad commit message. After all it doesn't explain what it was. Did it not build (in which case it would be "fix broken build"? Was a variable renamed because its name had a typo (in which case it should be mentioned in case it broke something)? Was it merely a typo in a comment?

      Was it a bad #define that suddenly works and exposes new code?

      • by Bert64 ( 520050 )

        It's a perfectly good commit message, look at the actual diff to see what the typo was...

        • This.
        • You clearly have no use for or expectations of commit messages at all, if your blanket answer is "look at the diffs".

          That tells exactly as much as no commit message at all.

          You probably don't comment code, either; I mean, the code's right there, amiright? Or else, your comment is a mindless regurgitation of the code, like "add 1 to pointer".

          Complete waste of time, attention, and bytes. Don't insult the intelligence of the community with such brainless drivel. Add some value or don't use the thing at all.

  • Puzzling (Score:3, Insightful)

    by DaMattster ( 977781 ) on Tuesday October 28, 2014 @03:33PM (#48254965)
    As an avid OpenBSD user and fan, this puzzles me because it would seem like a giant step backwards. Yes, loadable kernel modules do weaken the security some but it makes adding hardware drivers difficult. I really like OpenBSD as the OS does so many things very well but the team members are far from fallible. The community isn't as supportive and tends to be very exclusive, responding with RTFM sometimes a little too often. I can understand RTFM, but I cannot understand being told to read when I've read it already and I'm still unclear.
    • For whatever it's worth, I've been using OpenBSD primarily for firewalls for the past 15 years and in that time I have never once needed to either add a module not already installed on the system to a running system or load a module at any time other than at boot time. For me and the entirety of my use cases (and, I suspect most other people as well) the only effects this change will have will be to increase theoretical security significantly and increase performance slightly.

    • Re: (Score:2, Interesting)

      by Noryungi ( 70322 )

      As an avid OpenBSD user and fan, this puzzles me because it would seem like a giant step backwards. Yes, loadable kernel modules do weaken the security some but it makes adding hardware drivers difficult.

      Again: compiling the OpenBSD kernel is an emergency measure only. Most of the time, patches distributed by the project require you to compile the userland only.

      As for adding device drivers, you usually do not need to: the standard kernel works very well with most hardware configurations.

      I have had motherboards burn on me, restarting the OpenBSD server usually was a question of taking the drive out of the machine, connecting it into a new machine and powering the system. The kernel just picked up and accepted wh

      • The kernel just picked up and accepted whatever new hardware was in the replacement machine. Much, much easier than Linux.

        Wow. That seriously sounds too good to be true.

    • What nonsense. Name me one kernel module you have loaded. OpenBSD discourages rolling your own kernels and I'm unaware of 3rd party modules. If you are a true fan, you should know that. Why would you claim to be a fan, when you obviously don't use it?

    • Since there were *no* examples of writing a hardware driver using an LKM on OpenBSD, and there are plenty of examples of new ones being added to the static kernel, I don't think this in any way makes adding hardware drivers more difficult. To my knowledge over the last 16 years or so, the only real uses for LKMs have been kqemu (discontinued upstream) and dellflash (perhaps it works on laptops but it never worked on any poweredge which I tried it on). Note that neither of these are hardware drivers.

      Some o

  • by Anonymous Coward

    Do slashdot moderators click on any of the links for stories before sticking them on the slashdot front page? I'm thinking not in this case.

  • I shutter to think of how this would impact the development/debug cycle of an otherwise simple device driver.
    • I think you meant shudder, and if you've only ever compiled Linux kernels I think you will find that the recompile time of the OpenBSD kernel when applying patches is shockingly quick; quick enough to make you wonder why they'd have ever bothered with loadable modules in the first place.

    • Since it's typically the kernel developers who write these device drivers, I'm not sure why you would be so worried for them. I mean, it's the kernel developers who are ripping this out.

      Am I missing something here?

    • it doesn't, running "make" to compile a changed .c file or two then link a 10MB kernel is freaky fast. Modules typically are how device drivers were written
