Theologian Dr Corey Stephan has documented his exploration of installing OpenBSD on an old ThinkPad X270. He has posted his rather thorough personal notes, which cover the initial setup, such as power management, performance tweaks, Wi-Fi configuration, audio and video, tracking -current, and getting software from the ports tree. He also goes into a bit of his favored tools and workflow.
It is hard not to cherish the partnership of a slightly older ThinkPad and OpenBSD. The ThinkPad X270 and OpenBSD are both minimalist, robust, and customizable. Specifically, the ThinkPad is minimalist with regard to features, robust with regard to physical durability, and customizable with regard to hardware repairability and replaceability. OpenBSD is minimalist with regard to code, robust with regard to security, and customizable with regard to every aspect of the system. Further, since a healthy number of OpenBSD's developers long have used ThinkPads (to the point that I have read some jokes come out of members of their ranks like 'I may use any kind of laptop that I may like, as long as it is a ThinkPad'), the operating system works brilliantly on the laptop — both with their stock settings.
Overall, installing and configuring OpenBSD -current on the ThinkPad X270 was the simplest minimalist installation of any operating system on any hardware that I ever have done, even simpler than Debian GNU/Linux or my beloved FreeBSD (and much simpler than a proprietary, dysfunctional operating system such as Windows or MacOS). Was the total setup process easier than, say, that of a GNU/Linux distribution that uses the Calamares installer and comes preconfigured with a huge array of GNU/Linux drivers? Well, no, it was not, but that is not the point. OpenBSD is secure, nimble, and customizable in an elegantly simple way that interoperates smoothly with this small ThinkPad for my mobile academic research and writing. Even in this topsy-turvy era in which other popular desktop operating systems have made many design choices for form over function, OpenBSD comes as a serious, professional product that is ready to let me focus on my work.
Previously:
(2021) Recent and Not So Recent Changes in OpenBSD That Make Life Better
(2020) Using OpenBSD Routing Tables to Segment the Home Network for Privacy
(2018) OpenBSD Chief De Raadt Says No Easy Fix For New Intel CPU Bug
and many others.
Related Stories
Recompiling is unlikely to be a catch-all solution for a recently unveiled Intel CPU vulnerability known as TLBleed, the details of which were leaked on Friday, the head of the OpenBSD project Theo de Raadt says.
The details of TLBleed, which gets its name from the fact that the flaw targets the translation lookaside buffer, a CPU cache, were leaked to the British tech site, The Register; the side-channel vulnerability can be theoretically exploited to extract encryption keys and private information from programs.
Former NSA hacker Jake Williams said on Twitter that a fix would probably need changes to the core operating system and were likely to involve "a ton of work to mitigate (mostly app recompile)".
But de Raadt was not so sanguine. "There are people saying you can change the kernel's process scheduler," he told iTWire on Monday. "(It's) not so easy."
OpenBSD user Lari Huttunen has a blog post in which he dives into using OpenBSD's rdomain(4) feature to sort work VPNs into separate kernel-level routing tables. This segregates the network traffic in such a way as to prevent traffic in separate routing tables from interacting. With many working from home, insecure work networks have begun to intrude into the home LANs via work-related VPNs. By adding the home network to a work VPN, the LAN becomes merged with work's internal network, usually quite insecure at that. His goal is to keep his personal home devices, especially the IoT items, separate from the now mandatory work-related VPNs on his small-office / home-office network. That way, the work networks can no longer access his appliances.
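As an illustration of the rdomain(4) approach described above, here is a constructed OpenBSD interface configuration for a work VPN placed in its own routing domain. This is an added example, not Lari Huttunen's own configuration: it assumes the work VPN is a WireGuard tunnel on a wg(4) interface (WireGuard is in the OpenBSD base system), that routing domain 1 is free for the work tunnel, and the 10.200.0.0/16 addresses and the key placeholders are made up.

```conf
# /etc/hostname.wg0  (constructed example, not from the original post)
# Each line is passed to ifconfig(8) in order; lines starting with "!" are
# run as shell commands. Comments are stripped by /etc/netstart.

# Put the tunnel in routing domain 1 first, before any address is assigned.
# Routes learned through this interface then live only in rdomain 1 and are
# invisible to rdomain 0, where the home LAN and its IoT devices stay.
rdomain 1

# Local private key and the work-side peer (placeholders, not real keys).
wgkey <BASE64-PRIVATE-KEY-PLACEHOLDER>
wgpeer <BASE64-WORK-PEER-PUBLIC-KEY-PLACEHOLDER> wgendpoint vpn.work.example 51820 wgaip 10.200.0.0/16

# Tunnel address; the peer's tunnel address 10.200.1.1 is on the same /24.
inet 10.200.1.2/24

# Route the work prefix inside rdomain 1 only (-T selects the routing table).
# rdomain 0 keeps the home router as its default and never sees this route.
!route -T 1 add -inet 10.200.0.0/16 10.200.1.1

up
```

With this in place, only a process explicitly started in routing domain 1 (for example `route -T 1 exec ssh host.work.example`, with the hostname assumed) can reach the work network; everything else on the machine, and every device on the home LAN, remains in rdomain 0 with no route into the tunnel, which is the separation the post is after. The work side of the tunnel likewise has no route toward the home LAN, since nothing in rdomain 0 is forwarded into rdomain 1.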
Problem Statement
Over the years, companies and corporations have become ever more hungry for everything related to their users' geolocation, telemetry, demography, relationship with one another, interests, convictions, social preferences - you name it. At the same time, users wanting to consume digital services meet a lot of ridiculous restrictions depending on where they live and how they access the Internet. Ecojails, in one form or another, are created by multi-national corporations in order to capitalize everything about their users' behavior. In 2020, this has all been exacerbated by everyone suddenly working from home if possible.
Motivation
This is why I wanted to research how identity-based routing could enhance users' privacy in a totally transparent way. I've never been a big fan of VPNs as a security solution, but have come to realize that they have a role to play in privacy. Since soon everything needs to be online to function, from a vacuum cleaner to a dishwasher to a toaster, it is increasingly difficult to keep the Internet of Targets at bay. Moreover, our personal telemetry devices feed out a constant stream of information to the ecojail masters, be they Apple, Google, Microsoft, Amazon, Alibaba or Netflix. Taking back control will not be easy and one will evidently need to compromise along the way, but realization is the first step to recovery.
Lari's solution works from tools provided by OpenBSD's base system.
Previously:
(2020) WireGuard Imported Into OpenBSD
(2019) How SSH Key Shielding Works
(2019) Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move
(2014) OpenSSH No Longer has to Depend on OpenSSL
Consultant and author Peter N M Hansteen has written up an overview of recent and not so recent changes in OpenBSD that make life better (and may turn up elsewhere too). He covers a few decades of developments that he has found particularly useful and explains why. He covers greylisting, spam filters, OpenSSH, and of course PF.
When I found OpenBSD more than twenty years ago, my main Unix exposure was from working with Linuxes and FreeBSD. What attracted me to OpenBSD and finally had me buy an OpenBSD 2.5 CD set was the strong focus on security and code correctness. When the CD set and the classic wireframe daemon T-shirt finally arrived in the mail, I set about at first to install it on whatever spare hardware I had lying around.
[...] OpenBSD has had traffic shaping available in the ALTQ subsystem since the very early days. ALTQ was rolled into PF at some point, but the code was still marked experimental 15 years after it was written, and most people who tried to use it in anger at the time found the syntax inelegant at best, infuriating or worse at most times.
So Henning Brauer took a keen interest in the problem, and reached the conclusion that all the various traffic shaping algorithms were not in fact needed. They could all except one be reduced to mere configuration options, either as setting priorities on pass or match rules or as variations of the theme of the mother algorithm Hierarchical Fair Service Curve (HFSC for short).
Soon after, another not-small diff was making the rounds. The patch was applied early in the OpenBSD 5.5 cycle, and for the lifetime of that release older ALTQ setups were possible side by side with the new queueing system.
OpenBSD is a complete operating system, originally forked from NetBSD back in 1995, which forked from 386BSD, which was ported from 4BSD. Its emphasis is on portability, standardization, correctness, proactive security, and integrated cryptography. The current release, 6.9, is its 50th release.
Previously:
(2020) Using OpenBSD Routing Tables to Segment the Home Network for Privacy
(2020) The OpenBSD Project's 25th Anniversary
(2020) WireGuard Imported Into OpenBSD
(2017) OpenBSD and the Modern Laptop
and many more...
(Score: 0) by Anonymous Coward on Sunday April 23, @03:09AM (6 children)
(Score: 3, Informative) by canopic jug on Sunday April 23, @04:41AM (4 children)
When OpenBSD works, it works well. Their team focuses on quality and correctness. I would not be surprised if the total number of OpenBSD developers over the lifetime of the project was smaller than the current number of active Linux (kernel) developers by at least an order of magnitude so the support is going to be limited pretty much to what the developers themselves need, DRM issues aside. However, between restricted boot [fsf.org] and other DRM gotchas, including legal tangles [copyright.gov], FOSS, including the BSDs and even Linux, will soon be locked out of new hardware forever.
Money is not free speech. Elections should not be auctions.
(Score: 2, Insightful) by Anonymous Coward on Sunday April 23, @07:23AM
Really? Lots of big customers are using Linux. I'm sure AMD and gang will happily sell to Amazon, Google, Cloudflare, etc if Intel and gang don't want to.
Lots of those motherboard manufacturers support "secure boot" but don't require it. Heck some don't even care about enforcing it by default... ;)
(Score: 1, Insightful) by Anonymous Coward on Sunday April 23, @09:31AM (1 child)
I've been reading about this happening "soon" or "in the near future" for over 20 years now.
(Score: 4, Touché) by canopic jug on Sunday April 23, @11:35AM
I've been reading about this happening "soon" or "in the near future" for over 20 years now.
Exactly. And you'll notice that each year, more of the technologies warned about get established in the market. First they are off by default, then on by default but can be disabled, then mandatory.
Money is not free speech. Elections should not be auctions.
(Score: 1, Touché) by Anonymous Coward on Monday April 24, @05:14PM
Secure boot tells a PC "Don't run unsigned code at boot."
IMHO, the bug there isn't that Secure Boot exists and is enabled. The bugs are:
a.) the default keys for secure boot come from Microsoft and not a trusted third party.
b.) there is no standard procedure between hardware manufacturers for creating and deploying a new trusted key.
(Score: 5, Interesting) by Anonymous Coward on Sunday April 23, @04:55AM
It's not too bad these days. Pretty much all x86 just work out of the box with a better experience and easier install than most linux distros. ARM/aarch64 depends on if you can get the right dtbs and boot images from the board vendor, so often sucks and might require some install image surgery. Lack of bluetooth and hardware accelerated virtual machines are the big sticking points.
(Score: 3, Funny) by Dr Spin on Sunday April 23, @04:01PM
a serious, professional product that is ready to let me focus on my work.
It is well established that the public absolutely love arm-wrestling with their software, and really want it to be popular, bloated, bug infested, half thought out, and have a mix of at least three different and incompatible UIs at the same time, rather than a choice of any one of six with actual merits.
Warning: Opening your mouth may invalidate your brain!
(Score: 3, Informative) by daver!west!fmc on Sunday April 23, @07:04PM
About a year and a half ago I rescued a ThinkPad X61 ("works, hard disk removed", works a bit better with power supply and new battery and clock battery and SSD and some more RAM) and put FreeBSD 12.2 on because someone in Canada uses it to run something I hack on, and I'd already upgraded the rest of my FreeBSD stuff to 13. Anyway it'll run X.org and piewm and some editors and a C compiler and that's what I need it to do.