Michael Dexter
boosted
A new BSDCan video has been posted:
Confidential Computing with OpenBSD -- The Next Step by Hans-Jörg Höxer
Confidential computing is a family of techniques to enhance security and confidentiality for data in use. One technical approach is strong isolation for virtual machines.
AMDs Secure Encrypted Virtualization (SEV) offers several feature sets for isolation of guest virtual machines from an non-trusted host hypervisor and operating system. These feature sets include memory encryption, encryption of guest state including CPU registers and an attestation framework.
With OpenBSD 7.6 released in October 2024 we are now able to use the memory encryption features of AMD SEV to run OpenBSD as both
a confidential guest VM and
as a hypervisor providing a confidential execution environment.
Now, thanks to memory encryption the hypervisor is not able to peek into a guests memory and is not able to retrieve sensitive information. However, the state of the CPU registers used by the guest is still visible to the hypervisor.
Therefore, we implemented support of AMDs "Secure Encrypted Virtualization with State Encryption" (SEV-ES) for OpenBSD guests and hypervisor. With SEV-ES all CPU guest state is encrypted and hidden from the hypervisor.
In this talk we will explain the fundamentals of SEV and SEV-ES. Then we explore the challenges imposed by SEV-ES for both guest and hypervisor. Finally we will take a closer look into selected implementation details.
Hans-Jörg Höxer is employed at genua, a German firewall manufacturer, who is using OpenBSD as a secure and stable base for its products.
For more information, please visit:
https://www.bsdcan.org/2025/
- and -
https://www.bsdcan.org/2025/timetable/timetable-Confidential-Computing-with.html
A new BSDCan video has been posted:
Confidential Computing with OpenBSD -- The Next Step by Hans-Jörg Höxer
Confidential computing is a family of techniques to enhance security and confidentiality for data in use. One technical approach is strong isolation for virtual machines.
AMDs Secure Encrypted Virtualization (SEV) offers several feature sets for isolation of guest virtual machines from an non-trusted host hypervisor and operating system. These feature sets include memory encryption, encryption of guest state including CPU registers and an attestation framework.
With OpenBSD 7.6 released in October 2024 we are now able to use the memory encryption features of AMD SEV to run OpenBSD as both
a confidential guest VM and
as a hypervisor providing a confidential execution environment.
Now, thanks to memory encryption the hypervisor is not able to peek into a guests memory and is not able to retrieve sensitive information. However, the state of the CPU registers used by the guest is still visible to the hypervisor.
Therefore, we implemented support of AMDs "Secure Encrypted Virtualization with State Encryption" (SEV-ES) for OpenBSD guests and hypervisor. With SEV-ES all CPU guest state is encrypted and hidden from the hypervisor.
In this talk we will explain the fundamentals of SEV and SEV-ES. Then we explore the challenges imposed by SEV-ES for both guest and hypervisor. Finally we will take a closer look into selected implementation details.
Hans-Jörg Höxer is employed at genua, a German firewall manufacturer, who is using OpenBSD as a secure and stable base for its products.
For more information, please visit:
https://www.bsdcan.org/2025/
- and -
https://www.bsdcan.org/2025/timetable/timetable-Confidential-Computing-with.html
Michael Dexter
and 1 other
boosted
🎉 We did it again! 🎉
Reaching silver sponsorship for the OpenBSD Foundation earlier and earlier. When you love your OS more than your sleep, you need the support! 🐡💰☕️
Thanks for keeping the code clean, the bugs dead, while we keep the memes alive. Here’s to another year of making the internet a less chaotic place… one pledge() at a time.
Impossible to do this without you, our users, and OpenBSD developers. 🫶🏻
🎉 We did it again! 🎉
Reaching silver sponsorship for the OpenBSD Foundation earlier and earlier. When you love your OS more than your sleep, you need the support! 🐡💰☕️
Thanks for keeping the code clean, the bugs dead, while we keep the memes alive. Here’s to another year of making the internet a less chaotic place… one pledge() at a time.
Impossible to do this without you, our users, and OpenBSD developers. 🫶🏻
Stefano Marinelli
boosted
⚠️ News/Changes:
BoxyBSD will bring in a feature for more advanced users for our free boxes. Instead of only selecting a set of pre-defined BSD based images, you'll soon also be able to create your install simply from scratch with full remote access to your box. This lets you perform custom installations of #FreeBSD, #NetBSD, #OpenBSD, #DragonflyBSD, #MidnightBSD but also of some other niche systems like #illumos
Unfortunately, this might still take some time and fully relies on the spare time of @gyptazy.
#freeVPS#VPS#BSD#Box#BoxyBSD #gyptazy #opensource #education #community #foss #runbsd #hosting #freehosting #learning #ipv6
⚠️ News/Changes:
BoxyBSD will bring in a feature for more advanced users for our free boxes. Instead of only selecting a set of pre-defined BSD based images, you'll soon also be able to create your install simply from scratch with full remote access to your box. This lets you perform custom installations of #FreeBSD, #NetBSD, #OpenBSD, #DragonflyBSD, #MidnightBSD but also of some other niche systems like #illumos
Unfortunately, this might still take some time and fully relies on the spare time of @gyptazy.
#freeVPS#VPS#BSD#Box#BoxyBSD #gyptazy #opensource #education #community #foss #runbsd #hosting #freehosting #learning #ipv6
My home server is running on FreeBSD again, but this time on one of the old APUs I have lying around my desk. I wanted to test its performance after years of being decommissioned. Some things are a bit slow (Nextcloud, etc) and the USB ports, even though they're 3.0, generate a high wait time, but all in all, it's handling its workload well. Will it stay here? I don't think so (or at least not for long). I just need to decide whether to leave SmartOS on the Qotom (and the services in the FreeBSD VM) or to bring it back to native FreeBSD. It's a shame it doesn't support more than 16GB of RAM.
Stefano Marinelli
boosted
Stefano Marinelli
boosted
Tonight I made a simple, yet destructive (or at least partly) mistake: when I told FreeBSD which disk to destroy, I accidentally gave it the system disk of my little home server. This happened because it had the same size as the external SSD I had just plugged in, and I got confused.
I lost some reproducible configurations (the server’s name was in fact tempfbsd01), but I took the chance to run an experiment. My home server runs FreeBSD in read-only mode (that's the part I destroyed). From there, I manually enable the external drives (encrypted with GELI) and, in turn, the ZFS pools. Then I start the various jails and the (single, Proxmox Backup Server) VM.
Since I also have another test box running SmartOS, I decided to experiment: I connected the disks to it, created a FreeBSD bhyve VM on SmartOS, and passed the entire disks through to the VM. I reconfigured the FreeBSD VM with the bare minimum and booted it all up. The jails with BastilleBSD started without any issues - obviously the Proxmox Backup Server VM itself is still missing, but I’ll deal with that later.
I’m tempted to leave everything like this for a while.
And yes, for anyone wondering: I had fun 🙂
#FreeBSD#RunBSD #illumos#SmartOS#DisasterRecovery#IT#SysAdmin#Homelab
I have a client who uses Proxmox and its backup server. Last week, I upgraded the backup server from Debian 12 to 13. The backup server "sleeps" most of the day, so it also runs Docker for a Gitea runner. Everything seemed fine initially.
Then, my client messaged me yesterday because the runner had stopped working. When I logged in, I found that for some reason, the runner could no longer connect to the Docker socket, even though I was passing it the official way. I tried the same thing on a different Debian 13 server and got the same result. But, on a Debian 12 VM using the (old) Docker from the Debian repos, everything worked perfectly.
This incident just reinforces my point that for production servers, it’s crucial to use solutions that don't introduce breaking changes between releases. It seems to be an Apparmor issue (thanks @gyptazy for the head up!).
Because this component was non-critical and easily replaceable, I didn't pay much attention to testing it right after the server upgrade.
I have a client who uses Proxmox and its backup server. Last week, I upgraded the backup server from Debian 12 to 13. The backup server "sleeps" most of the day, so it also runs Docker for a Gitea runner. Everything seemed fine initially.
Then, my client messaged me yesterday because the runner had stopped working. When I logged in, I found that for some reason, the runner could no longer connect to the Docker socket, even though I was passing it the official way. I tried the same thing on a different Debian 13 server and got the same result. But, on a Debian 12 VM using the (old) Docker from the Debian repos, everything worked perfectly.
This incident just reinforces my point that for production servers, it’s crucial to use solutions that don't introduce breaking changes between releases. It seems to be an Apparmor issue (thanks @gyptazy for the head up!).
Because this component was non-critical and easily replaceable, I didn't pay much attention to testing it right after the server upgrade.
There's a wonderful Italian poem that starts with the line, "Autumn. We already felt it coming in the August wind..."
Well, for the first time tonight, I'm smelling that "scent" of autumn. And that would make me sad, if autumn didn't mean... EuroBSDCon!
@justine One of us! One of us! :)
Michael Dexter
boosted
The European *BSD 😈⛳🐡 event of 2025 will start in a bit!
Only 36 days to go!
There are still tickets left, even for the social event.
Grab your 🎟️ at https://tickets.eurobsdcon.org
If you want to know what we have planned have a look at the schedlue https://events.eurobsdcon.org/2025/schedule/
For everything else, peek at https://2025.eurobsdcon.org/
More information is added all the time.
EuroBSDCon 2025 in Zagreb, Croatia 🇭🇷
September 25-28, 2025
#RUNBSD#FreeBSD#NetBSD#OpenBSD#EuroBSDCon #EuroBSDCon2025#BSD#Conference#Register
I've just received an email from one of my clients. The subject line is "À la Révolution!".
I immediately understood what he meant: a new jail, which he'll then manage with BastilleBSD.
Working with kind and smart people is a privilege to be grateful for.