00:00:09 oops, wrong channel, sorry for the noise here
00:39:27 Yaazkal: there is never noise here.. carry on though lol
00:41:59 it was a mistake, but at least it was beautiful :)
05:08:15 ˜/4
08:05:55 jmnbtslsQE: Yeah, it's close to that. I'm not using dhcp, but it appears to be caused by my nic accepting rtadv, but I would expect that to honor the rc.conf variable too
08:15:02 BSD 4 ever
08:16:11 still waiting for the video of the raspberry pi 5 running freebsd
08:16:20 and if bhyve works
09:03:23 andrew@ did a talk about arm64 at EuroBSDCon yesterday
09:03:42 it's been a decade since it got started
11:20:19 anybody here doing cross-compile for riscv64?
11:20:55 using devel/riscv64-none-elf-gcc from ports I keep hitting this:
11:20:59 /usr/local/bin/riscv64-none-elf-ld: cannot find -lm: No such file or directory
11:24:25 shouldn't it complain while compiling, as it can't find the headers, instead of while linking, riscv64-none-elf-gcc seems to be just the compiler and no libc
11:25:28 Yaaay, firefox-esr got updated.
11:25:54 nimaje, it's not complaining while compiling. only that linker message
11:26:05 nimaje, so I need to find a libc somewhere
11:27:14 and is there a reason why you want to use gcc instead of clang/llvm?
11:28:50 I seem to recall that last time I checked llvm had no support for rv32ic
11:28:51 Huh. What was my quitmsg?
11:29:00 I can be entirely wrong tho
11:29:02 I think irssi crashed.
11:29:20 just "Remote host closed the connection"
11:29:34 Huh.
11:31:53 jbo: llc15 -march=riscv32 -mattr=help lists c as possible feature for me, so it should be supported
11:39:55 nimaje, why would devel/riscv64-none-elf-gcc ship without a libc tho?
11:42:27 for which system would it have a libc? some embedded device, some other embedded device, linux, freebsd 4.11?
11:43:24 nimaje, true that...
11:43:35 on linux everybody seems to be using the SiFive pre-built toolchain
11:43:49 https://www.youtube.com/@EuroBSDcon/streams https://events.eurobsdcon.org/2024/schedule/
11:46:34 hm, I would think "Lunch @ 1400" means Lunch at 14:00 o'clock, but why is that at 17:00?
12:16:14 Think it's timezone dependent, just had lunch here
18:13:41 a while back, someone was talking about a program to let you enter the geli boot up phrase over a serial console
18:13:49 If you see this, how's it going?
18:15:10 shouldn't that just work automatically if a serial console is configured?
18:16:46 its pre-loaded kernel
18:17:09 so I "believe" they were shimming something into the uefi stub
18:17:23 I could be and probably am wrong
18:17:52 but, I have a frozen snickers bar, so brain freeze is a valid excuse
18:18:03 * timothias omnoms
18:20:45 Uhm... There have been various attempts at an automated remote unlock of a fully encrypted system. Here are some references I have saved off.
18:20:50 https://github.com/Sec42/freebsd-remote-crypto/
18:20:54 https://phryk.net/article/howto-freebsd-remote-bootable-crypto-setup/
18:20:57 https://github.com/emtiu/freebsd-outerbase
18:21:05 i am not very familiar with geli but freebsd doesn't normally use a uefi stub... isn't the geli support built into loader.efi? so as long as loader is configured to use the serial console it should just work
18:21:41 I could be wrong, but what I remember is they were talking about a way to have geli over the serial console
18:21:51 I have been softly poking at things in that space. I am thinking I will do something of my own creation but it will be a variation on the outer-base design. That's the way I was thinking of doing it before looking at it and they have things pretty well moved along there.
18:21:51 so you could be headless
18:22:09 Right. Headless. Most servers are headless.
18:22:26 it should be called pumpkin
18:22:29 Look at the https://github.com/emtiu/freebsd-outerbase project and see what you think.
18:22:44 right now I have a usb keyboard
18:22:50 Hmm... Headless horseman. Sure!
18:23:22 my approach (the linked article) sets up an entire second freebsd install that's unencrypted but minimal. this by itself is vulnerable to be changed by anyone with hardware access. still haven't looked into secureboot which might help mitigate that.
18:23:23 my soul is a pumpkin
18:24:26 for the record there is nothing production about my workspace, I have a refurb lenovo sitting on the corner of my desk, and don't want a keyboard/monitor taking up space
18:24:46 also means that the loaded kernel always comes from an unencrypted filesystem, so take this into account when adopting this approach.
18:24:47 I have some nefarious tasks that work better in bsd that I do from time to time
18:25:45 phryk, That's also the practical result on the GNU/Linux side when using a LUKS encrypted system and say something like mandos there too. It's hard, perhaps impossible, not to have some bootstrap kernel at the start.
18:26:51 rwp: I even considered a bar code scanner with the password in a barcode
18:27:20 yeah, my understanding is that linux does a similar thing but puts it all into one image that's loaded as ramdisk on boot. that might make it easier to secure with secureboot, tho. even if the kernel is plaintext readable, that's not a problem as long as you can ensure that it hasn't been tampered with – which cryptographic signatures should provide… hence secureboot.
18:27:41 People have joked about having a camera on the system pointing at a poster on the wall with a QR code. If the machine were taken then the QR code would no longer be present. :-) No that's not totally secure and it's a joke but still funny!
18:28:24 reminds me of the lava lamp rng
18:28:34 crowdstrike, people were doing that with bitlocker sequences
18:29:32 I am not warmed up to SecureBoot for various reasons. It's a complicated total-subject to talk about. Almost always problematic.
18:29:46 rwp: I never bought the whole secureboot idea
18:30:07 timothias: then I read that it's all borked up anyway
18:30:26 if they have physical access to the box, it doesn't matter anyway
18:30:55 rwp: yeah, been procrastinating secureboot for… *looks up blog* at least 3.5 years now.^^
18:31:03 Conceptually the Linux initramfs initial boot from an unencrypted /boot fits conceptually with your outer-base unencrypted initial boot. Both boot that kernel and then decrypt then reroot. Conceptually very similar. And there seems no other way to do it.
18:34:06 In the end it all depends upon what threat models can be defended against. Very likely the outer-base defense is good enough against the threats any of us might face.
18:34:15 And it is definitely better than doing nothing at all.
18:34:16 i think the freebsd project was working on something to boot directly from an encrypted drive, but i guess that'll just move the pain point up to the uefi loader, which would still be unencrypted and need to be secured.
18:34:56 Right. It's just pushing the problem earlier. And into an area that is (for me anyway) more difficult to manage. More tedious to manage.
18:35:19 It is much easier to manage an initial minimum boot system than an initramfs or UEFI shell.
18:36:38 ye, definitely easier to actually build yourself.
18:37:08 Before I drop afk for lunch let me thank you phryk for your excellent posting on outerbase. I appreciate it! And as you can see I am citing it to other people as the best practice! :-)
18:37:20 Lunchtime! BBIAB.
18:39:44 rwp: you're welcome. i really want to improve upon it, tho – the article always gives me that itching sensation that i'm advising people to do something that's not actually "properly" secure.
18:58:55 is there any timetable for replacing MySQL with MariaDB? so many apps in pkg depend on it, while I write for Maria's bugs these days
19:12:29 do you mean using mariadb instead of mysql? i thought there was a toggle for that somewhere in the ports tree
19:13:28 is there? do tell
19:30:03 hmm... this might be it: head -105 /usr/ports/Mk/bsd.default-versions.mk | tail -2 # # Possible values: 8.0, 8.4, 9.0, 10.5m, 10.6m, 10.11m, 11.4m MYSQL_DEFAULT?= 8.0
19:40:52 and that would be find, except I want to use packages if at all possible
19:46:29 s/find/fine/ # bleh
19:55:28 How can I configure FreeBSD to lie about the protocol?
19:55:42 I'm on a network that doesn't allow IP traffic, but allows ARP
19:57:07 how can I configure freebsd to use 0x0806 for IPv4 instead of 0x0100?
19:57:41 Can freebsd lie about ethertype for specific hosts?
19:57:53 can PF be used to rewrite portions of packets?
19:59:50 Is there any way to rewrite the ethertype portion of packets before they leave the interface?
20:11:28 maybe I could use size ethertypes for IPv4 instead of 0x0800?
20:11:47 or a way to encapsulate ipv4 in the padding of arp
20:18:14 that sounds rather dubious; what makes you think IP traffic isn't allowed in the first place ?
20:18:24 why would you have ARP without IPv4 ?
20:18:46 how would you discriminate between legit ARP traffic and your encapsulated traffic ?
20:20:23 I mean even it you could do that, such ill-formed packets wouldn't make it past the first switch
20:20:49 s/it/if/
20:23:01 I can arping my other host on the same layer2 segment but cannot icmp ping them and no IP traffic is making it despite having the correct header
20:23:21 the network administrator is incompetent and half the continent away
20:24:04 I tried forcing a broadcast arp entry since the wireless network is flooded with mdns announcements to see if that would get through but didn't work either
20:25:09 I figure that since I can arping to the unicast macs just fine, as well as to the bcast mac of ff:ff:ff:ff:ff:ff, there must be some kind of layer2 filter dropping based on ipv4 ethertype but not arp ethertype
20:26:46 I noticed there's padding in arp packets so I figured maybe I could encapsulate ip data inside of the padding of fake arp ethertype packets with the correct hwaddr src and dst, or I could use the legacy ethertype method of using the ethertype to specify packet size instead of type. That would be more performant by allowing for larger packets than using the padding space in arp
20:27:19 Why wouldn't the packets make it past the first switch?
20:28:02 even in the worst case scenario, I could send it to FFFFFFFFFFFF and use a higher layer to do unicast
20:28:43 The network administrator doesn't know how to do anything and just deploys black boxes from cisco meraki
20:31:44 If I could just tunnel something over an ethertype that does forward, I'd be fine
20:32:19 I'm already having to do weird nonstandard hacks like UDPspeeder to overcome the variable 68-98% packet loss on this network
20:32:42 which thankfully helps enough to be able to use TCP again
20:32:48 can you see some VLAN traffic on either side ?
maybe there's some sort of VLAN tagging/filtering involved
20:37:12 No, but both machines are within the same /21 private IPv4 network
20:37:17 assigned via DHCP
20:43:00 i'm going to try forcing 01:00:5e:00:00:fb as the hwaddr
20:48:08 nope
21:13:24 is there a preference for adding loopback addresses (those not associated with any interface, like you'd have on a router) on lo0 or on a dummy bridge interface, or somewhere else?
22:32:44 hello
22:38:43 ivy, loopback is an interface
22:40:45 by "loopback address" i mean any address which is not assigned to a normal L3 interface. on IOS those usually go on the loopback interface, but some other vendors put them elsewhere