OpenBSD 7.5 locks down with improved disk encryption support and syscall limitations
The most secure Unix-like OS to date?
The OpenBSD project's 56th release is arguably the most secure Unix-like OS to date.
OpenBSD's point releases are no less significant than any others, and as such, OpenBSD 7.5 has some significant changes amid a lot of smaller ones. One of the biggies is very specific and quite niche, while the other is something that would be seen as a major improvement on more mainstream OSes, but which for this project barely merits a mention in the release notes.
The less significant of the major updates in this release is that now OpenBSD's relatively rudimentary and rather user-unfriendly installation program has a new option:
Added support in the installer to encrypt the root disk with a key disk.
OpenBSD has supported passphrase- and key-disk-based disk encryption during installation for a while, mainly as a fiddly manual process and then as a guided option (using a passphrase) since OpenBSD 7.3. Now, from 7.5, the guided installer will ask if you want to use a key disk, which in turn means, as per the release notes, the OS supports "disk encryption in unattended installations with autoinstall, both with a plaintext passphrase or a key disk." Which is handy.
Encrypting the root partition is the sort of function that consumer-facing OSes promote as a major improvement in system security. The Reg FOSS desk has worked in at least one company that mandates full-disk encryption for all staff computers, although our own personal perspective is more along the lines of XKCD 538.
OpenBSD has its own unique and complex partitioning system, as we mentioned when we looked at version 7.1. By default it creates multiple relatively small partitions, and splits the OS's files across them all. The result can be that, even though this is a small and lightweight Unix-like OS, it's quite easy to run out of disk space. This is because it applies complex sets of permissions on its different subsidiary file systems. For instance, only programs on certain partitions can be executed, so if a cracker managed to get write access to somewhere they shouldn't, the permissions on most of the mount points mean that they wouldn't be able to run a script.
OpenBSD 7.5's encryption approach creates a "softraid" virtual disk, and then encrypts everything within it. So it's more effective than it sounds. While more familiar OSes, such as Windows and most Linux distros, tend to keep all their files in one big partition, this way preserves OpenBSD's subdivided setup, while keeping the whole assemblage encrypted. Putting the option up front in the installer makes things easier for those setting up new systems.
The more significant change is the new pinsyscalls() system call, which makes sure that all system calls can only be called from a specific place in memory, so a hijacked binary doesn't have easy access to the system's guts. This works alongside the existing pledge()
, which places strict restrictions on which OS system calls a particular binary is allowed to access. The functionality builds upon the older pinsyscall() which appeared in OpenBSD 7.3 a year ago.
For the technical details, project lead Theo de Raadt posted the backstory in late 2023, with a small update last January. It offers a measure of protection against return-oriented programming attacks, as the OpenBSD Journal explains. De Raadt also gave a talk at the CanSecWest conference conference in 2023, and the talk's slides [PDF] put pinsyscalls()
in context as being a new layer of protection rather than a panacea.
It's controversial how much real-world protection will result from this. The snarky "Is OpenBSD Secure?" site isn't impressed, and has published a pinsyscall
critique explaining why.
- PumpkinOS carves out a FOSS PalmOS-compatible runtime environment
- Virtually and actually, LXC 6 and Incus 6 are here – both LTS versions
- VMS Software prunes OpenVMS hobbyist program
- Canonical cracks down on crypto cons following Snap Store scam spree
There are other changes and refinements in this release, including tweaks to the pf
firewall, refreshed graphics drivers imported from Linux 6.6.19, a new console font, IPv6 support over PPP, and improved performance on multicore computers.
As an experiment, we installed a copy on our testbed ThinkPad W500 machine. With the help of a handy guide to dual booting, we managed to install into an existing primary partition. The installer booted successfully from an existing Ventoy USB key, and while it detected the machine's Intel IWN 5000 Wi-Fi card, it warned us that it didn't include the necessary firmware and wouldn't work until we installed it. It's a known issue and once installed, it proved very easy to fix. Post-install, we just ran fw_update -a
. This command finds and installs missing firmware and after that the interface worked fine, picking up the WLAN configuration info we entered during installation.
The one thing that didn't happen on its own was installing a bootloader. We had to manually add a few lines to a GRUB2 config file to chainload OpenBSD's own bootloader. (We found various more complex ways, such as copying the OpenBSD bootloader to a Linux partition, but the method in the link above was the simplest and it worked fine.) OpenBSD is not really intended to dual-boot with anything else. If you want to experiment, we suggest dedicating a machine to the job … but it can be done.
The result is as Spartan as one might expect. This OS is not really intended to be a graphical desktop. Even so, it managed to compare favorably to the other BSDs we've tried. Unlike FreeBSD, it (optionally) configures graphics support straight from the setup program. It installs the Xenocara X11 server, a graphical login screen and a very basic window manager. Unlike NetBSD, it started successfully from Ventoy, which is the OS-hopper's friend. We were able to install Firefox with a single command – pkg_add firefox
– and get online.
There are a few installation guides out there that may help, such as this one from Keith Burnett and this from Martin Chang. We can only agree with the conclusion of the second of those:
OpenBSD is surprisingly usable. There's less magic in it. Which is a good thing. That means I have more control over what my system looks like and is doing.
We also like this summary:
Pros: htop
only fills half of your terminal, and you know exactly what each process does because you put them there. A few well-written man
pages are the complete documentation of the system. The whole thing is run by a handful of shell scripts.
Cons: exactly the same text, but read with a different tone.
The original idea behind Unix was that it was small and simple enough to understand everything on your computer – what it was there for, why, and what it did. OpenBSD still is pretty close to that ideal: one writeup called it "cozy". And if you like a more complete desktop, this release includes KDE Plasma 5. ®
Editor's note: This article was revised to clarify the timeline of changes to OpenBSD's disk encryption support.