OpenBSD Drops Support For Loadable Kernel Modules
jones_supa writes: The OpenBSD developers have decided to remove support for loadable kernel modules from the BSD distribution's next release. Several commits earlier this month stripped out the loadable kernel modules support. Phoronix's Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals.
If they're doing it, it's correct. (Score:5, Funny)
As far as I'm concerned, the OpenBSD developers are as close to infallible as software developers could ever hope to get.
If they've decided to do this, then it's just the correct thing to be doing.
Re:If they're doing it, it's correct. (Score:5, Funny)
That sound you just heard in the distance? The puckering of a million Linux fanboys' butts.
Re:If they're doing it, it's correct. (Score:4, Insightful)
As far as I'm concerned, the OpenBSD developers are as close to infallible as software developers could ever hope to get.
If they've decided to do this, then it's just the correct thing to be doing.
HP rep - a HP-UX sales guy - once told me that their kernel doesn't support loadable modules to prevent even the remote possibility of a malicious driver.
But why OpenBSD chose to do it, I have no idea. Frankly, I was under the impression that OpenBSD didn't support loadable kernel modules at all.
To some the kernel drivers might seem a norm, but even 15 years ago they were still considered a novelty. And everybody was still making jokes about Microsoft's Plug-n-Play.
Re: (Score:1)
Frankly, I was under the impression that OpenBSD didn't support loadable kernel modules at all.
That bug will get fixed soon. One less thing to worry about.
Re: (Score:2)
Actually that was more than 15 years ago. Dynamically Loadable Kernel Modules (DLKM) have been available in HP-UX since version 11.0, released in 1997.
Re: (Score:2)
For different values of "the norm". I usually run Linux kernels without loadable modules as well. It increases stability and security.
Re: (Score:2)
They had in the past, but they really really didn't like it. So I guess they finally fixed it.
Re: (Score:2)
I call shenanigans, nobody in their right mind would claim to be interested in selling HP-UX. /shudder.
Re: (Score:2)
Hey! My past employer willingly bought it!
...Oh. That's probably why they are "past".
Re: (Score:1)
No, what they are is excellent OpenSSH maintainers.
The security of OpenBSD is often overrated by people who don't actually understand security.
For all their hyperbole, they were still vulnerable to Heartbleed.
Re: (Score:2, Interesting)
They were vulnerable because openssl took specific measures to counteract the defense mechanisms present in openbsd. See this writeup [tedunangst.com].
Even Coverity could not detect the problem [coverity.com].
Re: (Score:2)
No... that was just Theo's excuse. He called OpenSSL's memory allocation strategy an "exploit mitigation countermeasure."
Actually, that was just a side effect, and what OpenSSL does that "counteracted" the defense is extremely common in software and software libraries.
It's also generally a good idea as far as performance is concerned ---- and with a library such as SSL which needs to process network traffic (HTTPS, for example); adequate performance is pretty darned important.
Re: (Score:3)
OpenSSL did not take specific measures to counteract "defense" mechanisms in OBSD. That implies intent, and is downright disingenuous.
OpenBSD was famous for auditing all code in the base system. They famously deny they need any advanced security measure such as MAC, file signing, or even an ACL.
NetBSD tends to be a much more secure system, without any of the hype. Less reported vulnerabilities, veriexec, PaX (similar to W^X) and TrustedBSD extensions.
Re: (Score:2)
What basis is there to assume there was?
Re: (Score:3)
I don't see that this is the base problem. Heartbleed worked because the custom malloc() allocated memory that was not initialized, allowing the bad guys to read whatever happened to be in that buffer. Ideally, SSL would have wiped memory when freeing it, but if the attacked buffer had simply wiped its memory when allocated there would have been no way to exploit this. In other words, calloc() rather than malloc() would have prevented Heartbleed.
I saw some arguments that it showed that security softwa
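Added example, not part of the thread and not OpenSSL or OpenBSD code: a toy C model of the allocator behaviour argued over in the comments above, where a freelist hands back a freed buffer with its old contents and a reply echoes more bytes than the request supplied. The names `fl_alloc`, `fl_free`, `echo` and `stale_bytes`, the single-slot freelist and the 'K' fill are constructed for illustration, and the over-read is kept inside one recycled buffer as a simplification.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 64

/* Hypothetical single-slot freelist: a freed buffer is parked here and
   handed back as-is, so the system allocator never gets to scrub it. */
static unsigned char *freelist_slot;

static unsigned char *fl_alloc(int zero_on_alloc) {
    unsigned char *p = freelist_slot;
    if (p) freelist_slot = NULL;            /* reuse, old contents intact */
    else p = malloc(BUF_SZ);
    if (p && zero_on_alloc) memset(p, 0, BUF_SZ);   /* calloc-like behaviour */
    return p;
}

static void fl_free(unsigned char *p) {
    free(freelist_slot);                    /* free(NULL) is a no-op */
    freelist_slot = p;                      /* parked without wiping */
}

/* Echo `claimed` bytes of a request that really carries `actual` bytes.
   Returns the reply length, or -1 if the request is rejected. */
static int echo(const unsigned char *payload, size_t actual, size_t claimed,
                int zero_on_alloc, int check_len, unsigned char *out) {
    if (actual > BUF_SZ || claimed > BUF_SZ) return -1;
    if (check_len && claimed > actual) return -1;   /* bounds check */
    unsigned char *req = fl_alloc(zero_on_alloc);
    if (!req) return -1;
    memcpy(req, payload, actual);
    memcpy(out, req, claimed);              /* trusts the claimed length */
    fl_free(req);
    return (int)claimed;
}

/* Count bytes of earlier (constructed) key material that end up in the
   reply to a 2-byte request claiming 40 bytes; -1 if rejected. */
static int stale_bytes(int zero_on_alloc, int check_len) {
    unsigned char out[BUF_SZ];
    unsigned char *s = fl_alloc(zero_on_alloc);
    if (!s) return -1;
    memset(s, 'K', BUF_SZ);                 /* constructed secret fill */
    fl_free(s);
    int n = echo((const unsigned char *)"hi", 2, 40,
                 zero_on_alloc, check_len, out);
    if (n < 0) return -1;
    int stale = 0;
    for (int i = 2; i < n; i++) stale += (out[i] == 'K');
    return stale;
}

int main(void) {
    printf("freelist reuse, no check : %d stale bytes\n", stale_bytes(0, 0));
    printf("zero on allocation       : %d stale bytes\n", stale_bytes(1, 0));
    printf("length check             : %d (rejected)\n", stale_bytes(0, 1));
    return 0;
}
```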
Re: (Score:2)
Why is it that the individual words seem to make sense, but when reading them together, it's all nonsense?
Do you normally just ramble on all over the place in real life as well?
Re: (Score:2)
Instead of making vague fucktard analogies, why not actually explain what is wrong with LibreSSL ?
Re: (Score:2)
OpenBSD tends to take some very conservative security choices (see OpenSSH) but then turns around and does stuff like LibreSSL forks of OpenSSL, instead of fixing the problem, they make their own version of the problem.
Maybe (pure speculation) the OpenBSD team considered the human processes around the OpenSSL code to be the real security problem. Heartbleed did seem a tad bit too convenient to be an accidental bug...
once every three years we get a story (Score:2, Informative)
Re: (Score:2, Interesting)
Linux or OpenBSD?
BSD seems to be strengthening (all BSDs). More and more serious businesses I know are considering FreeBSD. I used to run 6 BSD/OS servers and short of HW issues, never had an issue. In fact, we got to work about 9, went to lunch at 1130, hung out wherever until about 1330, came back smoked on the loading dock and left for home by 4. Rarely had issues. The Windows and Linux guys? Always something wrong.
Not Your Typical Loadable Kernel Modules (Score:5, Informative)
It's probably because OpenBSD's "LKMs" are so ancient, limited, and inflexible that nobody bothers to use them. I imagine if there were demand they would have adopted a more modern loadable module system, more akin to what's found in FreeBSD, NetBSD, Linux, etc.
This isn't news. It's more Phoronix spam.
Not Your Typical Loadable Kernel Modules (Score:5, Insightful)
This is it. Old implementation, low quality, and NOTHING USES IT. Bye bye!
Phoronix, why? (Score:5, Insightful)
"...Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals."
I know Phoronix is infamous, but, wow...
The OpenBSD mailing lists are right there. You're already reading them! Many developers frequent them daily. All you need to do is post a question! Hell, send an email to Ted himself if you're that shy. Why bother writing this article without doing the most basic of research?
Re: (Score:2)
Sez Larabel: "security or code quality/openness ideals". As if, aside from these three, any other significant ideals remain in programming.
Re: (Score:2)
Re: (Score:3, Interesting)
Presumably, AC meant Ted Unangst, the OpenBSD developer who authored the lkm removal commits.
Re:Phoronix, why? (Score:5, Funny)
OpenBSD! (Score:1)
I hope OpenBSD becomes much more popular. I remember nearly 15 years ago when BSD was being touted for its performance and media capabilities. Now I want more alternative, free, and open-source OSes that tout security and privacy. Privacy while using technology has become practically extinct, well, at least so it seems to me.
Re: (Score:1)
Lightweight Portable Security, http://www.spi.dod.mil/lipose.... [dod.mil] perhaps? Might be a good place to start, but I don't know if you're aware of this one already.
Djeezus (Score:1)
The name braindamaged, the link to goatse on the front page, 1 branch, 1 fork and 9 followers. How does this even compute as real?
New low?
Re: (Score:1)
wat
Re: (Score:2)
What wat? Just look at the link in the fine article. It's not to any official openbsd repo, because it's not even CVS, and OpenBSD uses CVS (yes, they do). That's wat. Again, how stupid can one be?
Re: (Score:2)
Well, I was surprised by the bitbucket link as well, but a lot of developers (OpenBSD or not) use git these days. The repo linked to seems to be a copy of the official OpenBSD CVS.
A better link could be, for instance:
http://cvsweb.openbsd.org/cgi-... [openbsd.org]
Or:
http://cvsweb.openbsd.org/cgi-... [openbsd.org]
The interesting thing is that the diff just before Ted Unangst is more than 11 years old -- which means LKMs really haven't been used for a long time in OpenBSD...
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
I'm more alarmed that procfs is going away.
Re: (Score:1)
Re: (Score:3)
Exactly. The editors should be ashamed. The post was carefully engineered to promote someone's private fork. OpenBSD uses WebCVS for crying out loud! How stupid can people be?!
Re: (Score:2)
See my answer above: OpenBSD dev also use git. LibreSSL - portable is maintained on Github, for instance.
Then again, you probably don't know a lot about OpenBSD... Do you? A simple Google search could have given you the links I included in my previous answer.
Keep up the good work.. (Score:2)
Now if they could also drop support for shared libraries I might consider upgrading my warezed copy of NetBSD 0.8.
Code compression (Score:4, Funny)
The OpenBSD developers are so awesome that they've found a magical way to make modules unnecessary: Magical code compression with zero runtime overhead. As a result of this new approach, every possible kernel module (including ones that haven't been written yet) is stored in less space than an otherwise completely stripped kernel from the prior revision.
Re: (Score:2)
Holy crap, dude. It was a joke. Things like "magical" and "zero runtime overhead" and "including ones that haven't been written yet" didn't clue you in?
OpenBSD - Android (Score:2)
Maybe there is a simple answer (Score:1)
But this requires you to turn your brain on first.
But that's not all (Score:3)
Re: (Score:2)
Holy crap... (Score:4, Interesting)
https://bitbucket.org/braindam... [bitbucket.org]
These are some of the worst and most uninformative commit messages I've ever seen...
1) Why are there so many commits to achieve the same thing?
2) Any commit message that is only a single line other than "fix typo" is a bad commit message
Seriously, even some of the worst/most incompetent Android kangers have written better commit messages than the shitpile of LKM removals I'm seeing there.
Re: (Score:3)
That's just someone's private repo. You've fallen for clickbait. Nothing to see here.
Re: (Score:1)
Re: (Score:3)
"Fix typo" is a bad commit message. After all it doesn't explain what it was. Did it not build (in which case it would be "fix broken build"? Was a variable renamed because its name had a typo (in which case it should be mentioned in case it broke something)? Was it merely a typo in a comment?
Was it a bad #define that suddenly works and exposes new code?
Re: (Score:2)
It's a perfectly good commit message, look at the actual diff to see what the typo was...
Re: (Score:2)
Re: (Score:2)
You clearly have no use for or expectations of commit messages at all, if your blanket answer is "look at the diffs".
That tells exactly as much as no commit message at all.
You probably don't comment code, either; I mean, the code's right there, amiright? Or else, your comment is a mindless regurgitation of the code, like "add 1 to pointer".
Complete waste of time, attention, and bytes. Don't insult the intelligence of the community with such brainless drivel. Add some value or don't use the thing at all.
Re: (Score:2, Informative)
Yes, yes, little troll, you just demonstrated your total lack of knowledge when it comes to OpenBSD.
Straight from the horse's mouth: http://www.openbsd.org/faq/faq... [openbsd.org]
And I quote the aforementioned:
Why do I need a custom kernel?
Actually, you probably don't.
The only time you need to recompile OpenBSD kernel is when a major security issue has been found and your system is vulnerable.
Puzzling (Score:3, Insightful)
Re: (Score:1)
For whatever it's worth, I've been using OpenBSD primarily for firewalls for the past 15 years and in that time I have never once needed to either add a module not already installed on the system to a running system or load a module at any time other than at boot time. For me and the entirety of my use cases (and, I suspect most other people as well) the only effects this change will have will be to increase theoretical security significantly and increase performance slightly.
Re: (Score:2, Interesting)
As an avid OpenBSD user and fan, this puzzles me because it would seem like a giant step backwards. Yes, loadable kernel modules do weaken the security some but it makes adding hardware drivers difficult.
Again: compiling the OpenBSD kernel is an emergency measure only. Most of the time, patches distributed by the project require you to compile the userland only.
As for adding device drivers, you usually do not need to: the standard kernel works very well with most hardware configurations.
I have motherboards burn on me, restarting the OpenBSD server usually was a question of taking the drive out of the machine, connecting it into a new machine and powering the system. The kernel just picked up and accepted wh
Re: (Score:2)
The kernel just picked up and accepted whatever new hardware was in the replacement machine. Much, much easier than Linux.
Wow. That seriously sounds too good to be true.
Re: (Score:3)
What nonsense. Name me one kernel module you have loaded. OpenBSD discourages rolling your own kernels and I'm unaware of 3rd party modules. If you are a true fan, you should know that. Why would you claim to be a fan, when you obviously don't use it?
Re: (Score:2)
kqemu. But that's about the only one I can think of. And it's old and deprecated nowadays.
Puzzling (Score:2)
Some o
Poor moderation. (Score:1)
Do slashdot moderators click on any of the links for stories before sticking them on the slashdot front page? I'm thinking not in this case.
Devel/Debug (Score:2)
Re: (Score:1)
I think you meant shudder, and if you've only ever compiled Linux kernels I think you will find that the recompile time of the OpenBSD kernel when applying patches is shockingly quick; quick enough to make you wonder why they'd have ever bothered with loadable modules in the first place.
Re: Devel/Debug (Score:2)
Re: (Score:2)
Since it's typically the kernel developers who write these device drivers, I'm not sure why you would be so worried for them. I mean, it's the kernel developers who are ripping this out.
Am I missing something here?
Re: (Score:2)
it doesn't, running "make" to compile a changed .c file or two then link a 10MB kernel is freaky fast. Modules typically are how device drivers were written
Re: (Score:2)
Re: (Score:2, Interesting)
OpenBSD market share drops as it no longer supports third party hardware.
That's basically already the case, their hardware support is pisspoor. Which is okay if you're building a machine around openbsd, who cares? But it's a bummer if you want to use what you have lying around.
Troll? Fuck you. Get some experience. (Score:2)
I can't use several of my machines because of lack of drivers for horribly common hardware which is nearly identical to supported hardware and for which a fix has actually been submitted on the mailing list. In spite of it being only some changes in values and not in the basic functionality of the driver, they begged off adopting the changes because of concerns with Linux copyright, which has already been shown to not apply in this case. Just NIH. Well, fuck 'em. I'll use something with some support.
Re: (Score:2)
I have had more hardware support problems with Windows and Linux.
I regularly have uptimes of over a year, and bug reports generally produce a next day response. Try getting that elsewhere.
Re: (Score:3)
I regularly have uptimes of over a year, and bug reports generally produce a next day response. Try getting that elsewhere.
Back when I ran obsd I had panics and problems with network card drivers that almost cost me a job. The machine was rock solid under Linux and the NICs were bog-standard eepro100s. Now I have a netbook and a laptop I can't use because of a lack of NIC support. Linux supports both NICs without ndiswrapper. I want to use these machines for low-end servers, but I can't without adding a NIC (dongle hell) or in one case, swapping out minipci. And I could do that, but it was cheaper to install Linux.
obsd lacks su
Re: (Score:2)
Are you shitting me? You think the various hardware vendors actually write drivers for OpenBSD? *ARE YOU SHITTING ME?*
Seriously?
Now if only there was a Unity port for OpenBSD... (Score:2)
No, seriously!
Re: (Score:2, Interesting)
"amazingly customizable kernel with"
Clearly you've never used OpenBSD before. Kernel hacking is one thing they explicitly frown upon. Too easy to break important things and compromise security.
Re: (Score:1)
And OpenBSD's init system (rc) is about as non-modular as it gets.
Re: (Score:2)
Since it's a script, you can do what you want with it. run-parts style, if you like. It's a script, bring your own fun. Quite the opposite of systemd, if you will.
Re: (Score:2)
I didn't say it wasn't good I said it wasn't modular.
Re: (Score:2)
You don't know how to call a script from inside a script? Also - my openbsd box seems to have an interesting number of rc.d scripts.
$ uname -sr /etc/rc.d ....
OpenBSD 5.2
$ ls
amd apmd bgpd bootparamd cron ddclient dhcpd dhcrelay dnsmasq
76 scripts in total.
Re: (Score:2)
To expand. If it's a script it has a script handler. If it has a script handler it can be rewritten.
There's no reason they couldn't add a few features from newer scripting languages to enable forking of functions or "own fun". If the kernel (the one running said script with said script handler) supports multiple cores/threads it could easily be the more modularized, etc.
All still from one script.
Re: (Score:2)
Why would anyone want a newer scripting language? That is like wanting to build a house from new bricks. If you know the old language, you can use it. If you don't, then perhaps you should not be messing with the system initialisation?
It's not like normal admins have to write these scripts - the people who manage ports supply them for you, and have a tool that puts them in the right place. Most people run OBSD because they want to have a system that runs their apps, not so the
Re: (Score:1)
Wait, it just finished. Shit, someone give me something else to compile!
Re:When was the last time you compiled a kernel? (Score:5, Informative)
I use ports all the time, and I've never compiled my own kernel. From what I recall, everything available in the OpenBSD kernel is always enabled by default. The only reason to compile a new kernel is to remove something from the default kernel.
Removing the LKM means someone can't maliciously load a module that screws everything up. The malicious entity would have to replace your kernel and then force a reboot.
Re: (Score:2)
bloody nonsense. I've been using OpenBSD for nearly 20 years and never had to recompile the kernel to use anything in ports.
Re: (Score:1)
Are you trolling, or do you genuinely not know the difference between OpenBSD and FreeBSD?
Re: (Score:2)
For someone who doesn't care about OpenBSD, you sure sound off a lot on it.
Re: (Score:2)
Not that there's anything wrong with that. OpenBSD will remain a niche product run by a handful of users that otherwise run Macs (oh, citation needed? http://assets.keltia.net/photo... [keltia.net] ) and other than being primary sources of OpenSSH and hopefully systemd shims, completely irrelevant.
It seems you took a picture of FreeBSD users, which indeed often run Macs. But FreeBSD runs on Macs too...
systemd shim is useful to simplify porting software that idiots thought it was useful to make systemd dependent. The most popular of this software is something I stopped using years ago because the devs were taking bad decisions, so that's not new.
Re: (Score:2)
Re: (Score:2)
The OS X kernel code is taken from FreeBSD and Mach. It is a hybrid of both kernels. So part of OS X does come from FreeBSD.