Slashdot Mirror


OpenBSD Drops Support For Loadable Kernel Modules

jones_supa writes: The OpenBSD developers have decided to remove support for loadable kernel modules from the BSD distribution's next release. Several commits earlier this month stripped out the loadable kernel modules support. Phoronix's Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals.

29 of 162 comments

  1. If they're doing it, it's correct. by Anonymous Coward · · Score: 5, Funny

    As far as I'm concerned, the OpenBSD developers are as close to infallible as software developers could ever hope to get.

    If they've decided to do this, then it's just the correct thing to be doing.

    1. Re:If they're doing it, it's correct. by ZorkZero · · Score: 5, Funny

      That sound you just heard in the distance? The puckering of a million Linux fanboys' butts.

    2. Re:If they're doing it, it's correct. by ThePhilips · · Score: 3, Insightful

      As far as I'm concerned, the OpenBSD developers are as close to infallible as software developers could ever hope to get.

      If they've decided to do this, then it's just the correct thing to be doing.

      HP rep - a HP-UX sales guy - once told me that their kernel doesn't support loadable modules to prevent even the remote possibility of a malicious driver.

      But why OpenBSD chose to do it, I have no idea. Frankly, I was under the impression that OpenBSD didn't support loadable kernel modules at all.

      To some the kernel drivers might seem a norm, but even 15 years ago they were still considered a novelty. And everybody was still making jokes about Microsoft's Plug-n-Play.

      --
      All hope abandon ye who enter here.
    3. Re:If they're doing it, it's correct. by afairch · · Score: 2

      Actually that was more than 15 years ago. Dynamically Loadable Kernel Modules (DLKM) have been available in HP-UX since version 11.0, released in 1997.

    4. Re:If they're doing it, it's correct. by Anonymous Coward · · Score: 2, Interesting

      They were vulnerable because openssl took specific measures to counteract the defense mechanisms present in openbsd. See this writeup.

      Even Coverity could not detect the problem.

    5. Re:If they're doing it, it's correct. by metrix007 · · Score: 2

      OpenSSL did not take specific measures to counteract "defense" mechanisms in OBSD. That implies intent, and is downright disingenuous.

      OpenBSD was famous for auditing all code in the base system. They famously deny they need any advanced security measure such as MAC, file signing, or even an ACL.

      NetBSD tends to be a much more secure system, without any of the hype. Fewer reported vulnerabilities, veriexec, PaX (similar to W^X) and TrustedBSD extensions.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    6. Re:If they're doing it, it's correct. by david_thornley · · Score: 2

      I don't see that this is the base problem. Heartbleed worked because the custom malloc() allocated memory that was not initialized, allowing the bad guys to read whatever happened to be in that buffer. Ideally, SSL would have wiped memory when freeing it, but if the attacked buffer had simply wiped its memory when allocated there would have been no way to exploit this. In other words, calloc() rather than malloc() would have prevented Heartbleed.

      I saw some arguments that it showed that security software shouldn't be implemented in C, but it seems to me that a defect that could have been removed by using one standard and widely used call rather than another doesn't suggest that C is at fault.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. Not Your Typical Loadable Kernel Modules by Anonymous Coward · · Score: 5, Informative

    It's probably because OpenBSD's "LKMs" are so ancient, limited, and inflexible that nobody bothers to use them. I imagine if there were demand they would have adopted a more modern loadable module system, more akin to what's found in FreeBSD, NetBSD, Linux, etc.

    This isn't news. It's more Phoronix spam.

  3. Phoronix, why? by Anonymous Coward · · Score: 5, Insightful

    "...Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals."

    I know Phoronix is infamous, but, wow...

    The OpenBSD mailing lists are right there. You're already reading them! Many developers frequent them daily. All you need to do is post a question! Hell, send an email to Ted himself if you're that shy. Why bother writing this article without doing the most basic of research?

    1. Re:Phoronix, why? by Anonymous Coward · · Score: 3, Interesting

      Presumably, AC meant Ted Unangst, the OpenBSD developer who authored the lkm removal commits.

    2. Re:Phoronix, why? by NoImNotNineVolt · · Score: 4, Funny

      Well that's no fair, you must've RTFA!

      --
      Chuuch. Preach. Tabernacle.
  4. Re:SYSTEM-D SUCKS! by Anonymous Coward · · Score: 2, Interesting

    "amazingly customizable kernel with"

    Clearly you've never used OpenBSD before. Kernel hacking is one thing they explicitly frown upon. Too easy to break important things and compromise security.

  5. Re:When was the last time you compiled a kernel? by preaction · · Score: 4, Informative

    I use ports all the time, and I've never compiled my own kernel. From what I recall, everything available in the OpenBSD kernel is always enabled by default. The only reason to compile a new kernel is to remove something from the default kernel.

    Removing the LKM means someone can't maliciously load a module that screws everything up. The malicious entity would have to replace your kernel and then force a reboot.

  6. Keep up the good work.. by 0dugo0 · · Score: 2

    Now if they could also drop support for shared libraries I might consider upgrading my warezed copy of NetBSD 0.8.

  7. Not Your Typical Loadable Kernel Modules by chriscappuccio · · Score: 4, Insightful

    This is it. Old implementation, low quality, and NOTHING USES IT. Bye bye!

  8. Re:SYSTEM-D SUCKS! by eneville · · Score: 2

    Since it's a script, you can do what you want with it. run-parts style, if you like. It's a script, bring your own fun. Quite the opposite of systemd, if you will.

  9. Re:Djeezus by ndato · · Score: 3, Insightful

    The official changelog also says they removed LKM http://www.openbsd.org/faq/cur...

  10. Code compression by Theovon · · Score: 3, Funny

    The OpenBSD developers are so awesome that they've found a magical way to make modules unnecessary: Magical code compression with zero runtime overhead. As a result of this new approach, every possible kernel module (including ones that haven't been written yet) is stored in less space than an otherwise completely stripped kernel from the prior revision.

  11. But that's not all by Minwee · · Score: 2

    They also removed Sendmail and BIND. Where's the outcry there?

  12. Holy crap... by Andy+Dodd · · Score: 3, Interesting

    https://bitbucket.org/braindam...

    These are some of the worst and most uninformative commit messages I've ever seen...

    1) Why are there so many commits to achieve the same thing?
    2) Any commit message that is only a single line other than "fix typo" is a bad commit message

    Seriously, even some of the worst/most incompetent Android kangers have written better commit messages than the shitpile of LKM removals I'm seeing there.

    --
    retrorocket.o not found, launch anyway?
    1. Re:Holy crap... by tibit · · Score: 2

      That's just someone's private repo. You've fallen for clickbait. Nothing to see here.

      --
      A successful API design takes a mixture of software design and pedagogy.
    2. Re:Holy crap... by tlhIngan · · Score: 2

      Any commit message that is only a single line other than "fix typo" is a bad commit message

      "Fix typo" is a bad commit message. After all, it doesn't explain what it was. Did it not build (in which case it would be "fix broken build")? Was a variable renamed because its name had a typo (in which case it should be mentioned in case it broke something)? Was it merely a typo in a comment?

      Was it a bad #define that suddenly works and exposes new code?

  13. Re:Djeezus by tibit · · Score: 2

    Exactly. The editors should be ashamed. The post was carefully engineered to promote someone's private fork. OpenBSD uses WebCVS for crying out loud! How stupid can people be?!

    --
    A successful API design takes a mixture of software design and pedagogy.
  14. Puzzling by DaMattster · · Score: 2, Insightful

    As an avid OpenBSD user and fan, this puzzles me because it would seem like a giant step backwards. Yes, loadable kernel modules do weaken the security some but it makes adding hardware drivers difficult. I really like OpenBSD as the OS does so many things very well but the team members are far from fallible. The community isn't as supportive and tends to be very exclusive, responding with RTFM sometimes a little too often. I can understand RTFM, but I cannot understand being told to read when I've read it already and I'm still unclear.

    1. Re:Puzzling by the_B0fh · · Score: 2

      What nonsense. Name me one kernel module you have loaded. OpenBSD discourages rolling your own kernels and I'm unaware of 3rd party modules. If you are a true fan, you should know that. Why would you claim to be a fan, when you obviously don't use it?

  15. Re:Yet another bombshell. by Anonymous Coward · · Score: 2, Interesting

    Linux or OpenBSD?

    BSD seems to be strengthening (all BSDs). More and more serious businesses I know are considering FreeBSD. I used to run 6 BSD/OS servers and short of HW issues, never had an issue. In fact, we got to work about 9, went to lunch at 1130, hung out wherever until about 1330, came back smoked on the loading dock and left for home by 4. Rarely had issues. The Windows and Linux guys? Always something wrong.

  16. Re:In other news. by brynet · · Score: 2

    If any vendor has proprietary drivers for OpenBSD, they would undoubtedly be using better kernel interfaces directly. Especially for something like a driver for a hardware RAID controller. LKM(4) support has mostly been only "compile tested" for years. Nothing uses it seriously, at the time of its removal.. the ports tree contained a single port making use of it.. a firmware flasher for some Dell systems.

  17. Re:SYSTEM-D SUCKS! by basketcase · · Score: 2

    I didn't say it wasn't good, I said it wasn't modular.

  18. Re:In other news. by drinkypoo · · Score: 2

    I regularly have uptimes of over a year, and bug reports generally produce a next day response. Try getting that elsewhere.

    Back when I ran obsd I had panics and problems with network card drivers that almost cost me a job. The machine was rock solid under Linux and the NICs were bog-standard eepro100s. Now I have a netbook and a laptop I can't use because of a lack of NIC support. Linux supports both NICs without ndiswrapper. I want to use these machines for low-end servers, but I can't without adding a NIC (dongle hell) or in one case, swapping out minipci. And I could do that, but it was cheaper to install Linux.

    obsd lacks support for common hardware which everyone else supports. That's simply not arguable.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"