A new BSDCan video has been posted:
Confidential Computing with OpenBSD -- The Next Step by Hans-Jörg Höxer

https://youtu.be/KpPY0wKSURM

Confidential computing is a family of techniques to enhance security and confidentiality for data in use. One technical approach is strong isolation for virtual machines.

AMD's Secure Encrypted Virtualization (SEV) offers several feature sets for isolation of guest virtual machines from a non-trusted host hypervisor and operating system. These feature sets include memory encryption, encryption of guest state including CPU registers, and an attestation framework.

With OpenBSD 7.6, released in October 2024, we are now able to use the memory encryption features of AMD SEV to run OpenBSD both as a confidential guest VM and as a hypervisor providing a confidential execution environment.

Now, thanks to memory encryption, the hypervisor is not able to peek into a guest's memory and is not able to retrieve sensitive information. However, the state of the CPU registers used by the guest is still visible to the hypervisor.

Therefore, we implemented support for AMD's "Secure Encrypted Virtualization with State Encryption" (SEV-ES) for OpenBSD guests and hypervisor. With SEV-ES, all CPU guest state is encrypted and hidden from the hypervisor.

In this talk we will explain the fundamentals of SEV and SEV-ES. Then we explore the challenges imposed by SEV-ES for both guest and hypervisor. Finally, we will take a closer look at selected implementation details.

Hans-Jörg Höxer is employed at genua, a German firewall manufacturer, which uses OpenBSD as a secure and stable base for its products.

For more information, please visit:
https://www.bsdcan.org/2025/
- and -
https://www.bsdcan.org/2025/timetable/timetable-Confidential-Computing-with.html

@bsdcan #runbsd #bsdcan
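The post's distinction between SEV (guest memory encrypted, registers still visible) and SEV-ES (register state encrypted too) is advertised by the CPU in CPUID leaf 0x8000001F. The following probe is an added example, not code from the talk or from OpenBSD; it assumes an x86-64 build with the GCC/Clang `<cpuid.h>` header, and the decode function also works on constructed register values on any platform.

```c
/* Decode the AMD SEV capability leaf (CPUID Fn8000_001F) to see whether
 * this host can hide guest memory (SEV) and guest register state (SEV-ES).
 * Added example, not the talk's code; assumes GCC/Clang <cpuid.h> on x86-64. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define SEV_LEAF 0x8000001fU

struct sev_caps {
    int sme;        /* EAX bit 0: Secure Memory Encryption for the host itself */
    int sev;        /* EAX bit 1: SEV, guest memory encryption */
    int sev_es;     /* EAX bit 3: SEV-ES, guest register state encryption */
    int sev_snp;    /* EAX bit 4: SEV-SNP, adds integrity protection */
    unsigned cbit;  /* EBX bits 5:0: page-table bit that marks a page as encrypted */
    unsigned phys_reduction; /* EBX bits 11:6: physical address bits lost to the C-bit */
};

/* Pure decode of the EAX/EBX values returned by the leaf. */
void sev_decode(uint32_t eax, uint32_t ebx, struct sev_caps *c)
{
    c->sme = (eax >> 0) & 1;
    c->sev = (eax >> 1) & 1;
    c->sev_es = (eax >> 3) & 1;
    c->sev_snp = (eax >> 4) & 1;
    c->cbit = ebx & 0x3f;
    c->phys_reduction = (ebx >> 6) & 0x3f;
}

/* The post's point: SEV alone leaves registers readable by the hypervisor;
 * only with SEV-ES on top is the full guest state hidden. */
int sev_guest_state_hidden(const struct sev_caps *c)
{
    return c->sev && c->sev_es;
}

/* Query the real CPU. Returns 1 if the leaf exists, 0 otherwise. */
int sev_probe(struct sev_caps *c)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a = 0, b = 0, cx = 0, d = 0;
    if (!__get_cpuid(SEV_LEAF, &a, &b, &cx, &d))
        return 0;                /* leaf beyond max extended leaf: no SEV */
    sev_decode(a, b, c);
    return 1;
#else
    (void)c;
    return 0;
#endif
}
```

On a host that reports SEV but not SEV-ES, `sev_guest_state_hidden()` returns 0, which is exactly the gap the OpenBSD 7.6 memory-encryption-only support leaves open.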


🎉 We did it again! 🎉

Reaching silver sponsorship for the OpenBSD Foundation earlier and earlier. When you love your OS more than your sleep, you need the support! 🐡💰☕️

Thanks for keeping the code clean, the bugs dead, while we keep the memes alive. Here’s to another year of making the internet a less chaotic place… one pledge() at a time.

Impossible to do this without you, our users, and OpenBSD developers. 🫶🏻

#OpenBSD #RUNBSD #Silver #Sponsor


⚠️ News/Changes:

BoxyBSD will bring in a feature for more advanced users of our free boxes. Instead of only selecting from a set of pre-defined BSD-based images, you'll soon also be able to create your install from scratch with full remote access to your box. This lets you perform custom installations of #FreeBSD, #NetBSD, #OpenBSD, #DragonflyBSD and #MidnightBSD, but also of some other niche systems like #illumos.

Unfortunately, this might still take some time and fully relies on the spare time of @gyptazy.

#freeVPS #VPS #BSD #Box #BoxyBSD #gyptazy #opensource #education #community #foss #runbsd #hosting #freehosting #learning #ipv6


My home server is running on FreeBSD again, but this time on one of the old APUs I have lying around my desk. I wanted to test its performance after years of being decommissioned. Some things are a bit slow (Nextcloud, etc.) and the USB ports, even though they're 3.0, generate a high wait time, but all in all it's handling its workload well. Will it stay here? I don't think so (or at least not for long). I just need to decide whether to leave SmartOS on the Qotom (and the services in the FreeBSD VM) or to bring it back to native FreeBSD. It's a shame it doesn't support more than 16GB of RAM.

#FreeBSD #RunBSD

Tonight I made a simple, yet destructive (or at least partly) mistake: when I told FreeBSD which disk to destroy, I accidentally gave it the system disk of my little home server. This happened because it had the same size as the external SSD I had just plugged in, and I got confused.

I lost some reproducible configurations (the server’s name was in fact tempfbsd01), but I took the chance to run an experiment. My home server runs FreeBSD in read-only mode (that's the part I destroyed). From there, I manually enable the external drives (encrypted with GELI) and, in turn, the ZFS pools. Then I start the various jails and the (single, Proxmox Backup Server) VM.

Since I also have another test box running SmartOS, I decided to experiment: I connected the disks to it, created a FreeBSD bhyve VM on SmartOS, and passed the entire disks through to the VM. I reconfigured the FreeBSD VM with the bare minimum and booted it all up. The jails with BastilleBSD started without any issues - obviously the Proxmox Backup Server VM itself is still missing, but I’ll deal with that later.

I’m tempted to leave everything like this for a while.

And yes, for anyone wondering: I had fun 🙂

#FreeBSD #RunBSD #illumos #SmartOS #DisasterRecovery #IT #SysAdmin #Homelab

I have a client who uses Proxmox and its backup server. Last week, I upgraded the backup server from Debian 12 to 13. The backup server "sleeps" most of the day, so it also runs Docker for a Gitea runner. Everything seemed fine initially.

Then, my client messaged me yesterday because the runner had stopped working. When I logged in, I found that for some reason, the runner could no longer connect to the Docker socket, even though I was passing it the official way. I tried the same thing on a different Debian 13 server and got the same result. But, on a Debian 12 VM using the (old) Docker from the Debian repos, everything worked perfectly.

This incident just reinforces my point that for production servers, it's crucial to use solutions that don't introduce breaking changes between releases. It seems to be an AppArmor issue (thanks @gyptazy for the heads up!).

Because this component was non-critical and easily replaceable, I didn't pay much attention to testing it right after the server upgrade.

@stefano

I have successfully avoided dealing with Docker for the past 12 years. I made this decision for myself because I always wanted to be able to solve problems.

#runbsd or #illumos based things


The European *BSD 😈⛳🐡 event of 2025 will start in a bit!

Only 36 days to go!
There are still tickets left, even for the social event.

Grab your 🎟️ at https://tickets.eurobsdcon.org

If you want to know what we have planned, have a look at the schedule: https://events.eurobsdcon.org/2025/schedule/

For everything else, peek at https://2025.eurobsdcon.org/
More information is added all the time.

EuroBSDCon 2025 in Zagreb, Croatia 🇭🇷
September 25-28, 2025

#RUNBSD #FreeBSD #NetBSD #OpenBSD #EuroBSDCon #EuroBSDCon2025 #BSD #Conference #Register