-
Yaazkal
oops, wrong channel, sorry for the noise here
-
jb1277976
Yaazkal: there is never noise here.. carry on though lol
-
Yaazkal
it was a mistake, but at least it was beautiful :)
-
mns
˜/4
-
vkarlsen
jmnbtslsQE: Yeah, it's close to that. I'm not using dhcp, but it appears to be caused by my nic accepting rtadv, but I would expect that to honor the rc.conf variable too
-
yamada
BSD 4 ever
-
yamada
still waiting for the video of the raspberry pi 5 running freebsd
-
yamada
and if bhyve works
-
debdrup
andrew@ did a talk about arm64 at EuroBSDCon yesterday
-
debdrup
it's been a decade since it got started
-
jbo
anybody here doing cross-compile for riscv64?
-
jbo
using devel/riscv64-none-elf-gcc from ports I keep hitting this:
-
jbo
/usr/local/bin/riscv64-none-elf-ld: cannot find -lm: No such file or directory
-
nimaje
shouldn't it complain while compiling, as it can't find the headers, instead of while linking, riscv64-none-elf-gcc seems to be just the compiler and no libc
-
debdrup
Yaaay, firefox-esr got updated.
-
jbo
nimaje, it's not complaining while compiling. only that linker message
-
jbo
nimaje, so I need to find a libc somewhere
-
nimaje
and is there a reason why you want to use gcc instead of clang/llvm?
-
jbo
I seem to recall that last time I checked llvm had no support for rv32ic
-
debdrup
Huh. What was my quitmsg?
-
jbo
I can be entirely wrong tho
-
debdrup
I think irssi crashed.
-
nimaje
just "Remote host closed the connection"
-
debdrup
Huh.
-
nimaje
jbo: llc15 -march=riscv32 -mattr=help lists c as possible feature for me, so it should be supported
-
jbo
nimaje, why would devel/riscv64-none-elf-gcc ship without a libc tho?
-
nimaje
for which system would it have a libc? some embedded device, some other embedded device, linux, freebsd 4.11?
-
jbo
nimaje, true that...
-
jbo
on linux everybody seems to be using the SiFive pre-built toolchain
-
nimaje
hm, I would think "Lunch @ 1400" means Lunch at 14:00 o'clock, but why is that at 17:00?
-
getz
Think it's timezone dependent, just had lunch here
-
timothias
a while back, someone was talking about a program to let you enter the geli boot up phrase over a serial console
-
timothias
If you see this, how's it going?
-
ivy
shouldn't that just work automatically if a serial console is configured?
-
timothias
it's a pre-loaded kernel
-
timothias
so I "believe" they were shimming something into the uefi stub
-
timothias
I could be and probably am wrong
-
timothias
but, I have a frozen Snickers bar, so brain freeze is a valid excuse
-
» timothias omnoms
-
rwp
Uhm... There have been various attempts at an automated remote unlock of fully encrypted systems. Here are some references I have saved off.
-
ivy
i am not very familiar with geli but freebsd doesn't normally use a uefi stub... isn't the geli support built into loader.efi? so as long as loader is configured to use the serial console it should just work
-
timothias
I could be wrong, but what I remember is they were talking about a way to have geli over the serial console
-
rwp
I have been softly poking at things in that space. I am thinking I will do something of my own creation but it will be a variation on the outer-base design. That's the way I was thinking of doing it before looking at it and they have things pretty well moved along there.
-
timothias
so you could be headless
-
rwp
Right. Headless. Most servers are headless.
-
timothias
it should be called pumpkin
-
rwp
Look at the github.com/emtiu/freebsd-outerbase project and see what you think.
-
timothias
right now I have a usb keyboard
-
rwp
Hmm... Headless horseman. Sure!
-
phryk
my approach (the linked article) sets up an entire second freebsd install that's unencrypted but minimal. this by itself is vulnerable to be changed by anyone with hardware access. still haven't looked into secureboot which might help mitigate that.
-
LXGHTNXNG
my soul is a pumpkin
-
timothias
for the record there is nothing production about my workspace, I have a refurb lenovo sitting on the corner of my desk, and don't want a keyboard/monitor taking up space
-
phryk
also means that the loaded kernel always comes from an unencrypted filesystem, so take this into account when adopting this approach.
-
timothias
I have some nefarious tasks that work better in bsd that I do from time to time
-
rwp
phryk, That's also the practical result on the GNU/Linux side when using a LUKS encrypted system and say something like mandos there too. It's hard perhaps impossible not to have some bootstrap kernel at the start.
-
timothias
rwp: I even considered a bar code scanner with the password in a barcode
-
phryk
yeah, my understanding is that linux does a similar thing but puts it all into one image that's loaded as ramdisk on boot. that might make it easier to secure with secureboot, tho. even if the kernel is plaintext readable, that's not a problem as long as you can ensure that it hasn't been tampered with – which cryptographic signatures should provide… hence secureboot.
-
rwp
People have joked about having a camera on the system pointing at a poster on the wall with a QR code. If the machine were taken then the QR code would no longer be present. :-) No that's not totally secure and it's a joke but still funny!
-
phryk
reminds me of the lava lamp rng
-
timothias
crowdstrike, people were doing that with bitlocker sequences
-
rwp
I am not warmed up to SecureBoot for various reasons. It's a complicated total-subject to talk about. Almost always problematic.
-
timothias
rwp: I never bought the whole secureboot idea
-
timothias
timothias: then I read that its all borked up anyway
-
timothias
if they have physical access to the box, it doesn't matter anyway
-
phryk
rwp: yeah, been procrastinating secureboot for… *looks up blog* at least 3.5 years now.^^
-
rwp
Conceptually the Linux initramfs initial boot from an unencrypted /boot fits conceptually with your outer-base unencrypted initial boot. Both boot that kernel and then decrypt then reroot. Conceptually very similar. And there seems no other way to do it.
-
rwp
In the end it all depends upon what threat models can be defended against. Very likely the outer-base defense is good enough against the threats any of us might face.
-
rwp
And it is definitely better than doing nothing at all.
-
phryk
i think the freebsd project was working on something to boot directly from an encrypted drive, but i guess that'll just move the pain point up to the uefi loader, which would still be unencrypted and need to be secured.
-
rwp
Right. It's just pushing the problem earlier. And into an area that is (for me anyway) more difficult to manage. More tedious to manage.
-
rwp
It is much easier to manage an initial minimum boot system than an initramfs or UEFI shell.
-
phryk
ye, definitely easier to actually build yourself.
-
rwp
Before I drop afk for lunch let me thank you phryk for your excellent posting on outerbase. I appreciate it! And as you can see I am citing it to other people as the best practice! :-)
-
rwp
Lunchtime! BBIAB.
-
phryk
rwp: you're welcome. i really want to improve upon it, tho – the article always gives me that itching sensation that i'm advising people to do something that's not actually "properly" secure.
-
mmlj4
is there any timetable for replacing MySQL with MariaDB? so many apps in pkg depend on it, while I write for Maria's bugs these days
-
debdrup
do you mean using mariadb instead of mysql? i thought there was a toggle for that somewhere in the ports tree
-
mmlj4
is there? do tell
-
mmlj4
hmm... this might be it: head -105 /usr/ports/Mk/bsd.default-versions.mk | tail -2 # # Possible values: 8.0, 8.4, 9.0, 10.5m, 10.6m, 10.11m, 11.4m MYSQL_DEFAULT?= 8.0
-
mmlj4
and that would be find, except I want to use packages if at all possible
-
mmlj4
s/find/fine/ # bleh
-
sfox
How can I configure FreeBSD to lie about the protocol?
-
sfox
I'm on a network that doesn't allow IP traffic, but allows ARP
-
sfox
how can I configure freebsd to use 0x0806 for IPv4 instead of 0x0100?
-
sfox
Can freebsd lie about ethertype for specific hosts?
-
sfox
can PF be used to rewrite portions of packets?
-
sfox
Is there any way to rewrite the ethertype portion of packets before they leave the interface?
-
sfox
maybe I could use size ethertypes for IPv4 instead of 0x0800?
-
sfox
or a way to encapsulate ipv4 in the padding of arp
-
oprs
that sounds rather dubious; what makes you think IP traffic isn't allowed in the first place ?
-
oprs
why would you have ARP without IPv4 ?
-
oprs
how would you discriminate between legit ARP traffic and your encapsulated traffic ?
-
oprs
I mean even it you could do that, such ill-formed packets wouldn't make it past the first switch
-
oprs
s/it/if/
-
sfox
I can arping my other host on the same layer2 segment but cannot icmp ping them and no IP traffic is making it despite having the correct header
-
sfox
the network administrator is incompetent and half the continent away
-
sfox
I tried forcing a broadcast arp entry since the wireless network is flooded with mdns announcements to see if that would get through but didn't work either
-
sfox
I figure that since I can arping to the unicast macs just fine, as well as to the bcast mac of ff:ff:ff:ff:ff:ff, there must be some kind of layer2 filter dropping based on ipv4 ethertype but not arp ethertype
-
sfox
I noticed there's padding in arp packets so I figured maybe I could encapsulate ip data inside of the padding of fake arp ethertype packets with the correct hwaddr src and dst, or I could use the legacy ethertype method of using the ethertype to specify packet size instead of type. That would be more performant by allowing for larger packets than using the padding space in arp
-
sfox
Why wouldn't the packets make it past the first switch?
-
sfox
even in the worst case scenario, I could send it to FFFFFFFFFFFF and use a higher layer to do unicast
-
sfox
The network administrator doesn't know how to do anything and just deploys black boxes from cisco meraki
-
sfox
If I could just tunnel something over an ethertype that does forward, I'd be fine
-
sfox
I'm already having to do weird nonstandard hacks like UDPspeeder to overcome the variable 68-98% packet loss on this network
-
sfox
which thankfully helps enough to be able to use TCP again
-
oprs
can you see some VLAN traffic on either side ? maybe there's some sort of VLAN tagging/filtering involved
-
sfox
No, but both machines are within the same /21 private IPv4 network
-
sfox
assigned via DHCP
-
sfox
i'm going to try forcing 01:00:5e:00:00:fb as the hwaddr
-
sfox
nope
-
ivy
is there a preference for adding loopback addresses (those not associated with any interface, like you'd have on a router) on lo0 or on a dummy bridge interface, or somewhere else?
-
Yaazkal
hello
-
sfox
ivy, loopback is an interface
-
ivy
by "loopback address" i mean any address which is not assigned to a normal L3 interface. on IOS those usually go on the loopback interface, but some other vendors put them elsewhere