Hacker News new | comments | show | ask | jobs | submit login
OpenBSD drops loadable kernel module support (openbsd.org)
40 points by antonios on Nov 3, 2014 | hide | past | web | favorite | 19 comments



Various folks, such as this site: http://geodsoft.com/howto/harden/OpenBSD/kernel.htm have suggested turning of loadable kernel modules to harden a kernel.

The two things that loadable modules provide (runtime configuration, and third party proprietary code support) are not that valuable. I've always turned off loadable modules when I've build custom BSD kernels for servers for exactly that reason. I get around the propietary code issue by making sure the server I configure has hardware for which non-proprietary and/or source available drivers exist. Which for servers is generally network and disk drivers so pretty easy.


Are they going to build all the supported HW device drivers all into the kernel image?

Serial Drivers, all the USB related drivers, all the printers, networks card, graphics card driver?

How big will the new kernel image be?

It also make dev/debugging driver task much harder as it requires complete reboot system to test it.

Also, what about FS? such as ZFS? Build in by default, disable by default, load and reboot different kernel everytime I need something?


   > Are they going to build all the supported HW device 
   > drivers all into the kernel image?
Historically that was what the 'Generic' kernel was, something which would boot on any system. A typical system configuration would be to boot the generic kernel, edit the configuration file to select only those devices and features that were going to be used, config and then make that kernel. Then boot from the configured kernel from then on.

There has been both a lot of research and debate about various 'microkernel' strategies where the core of the micro-kernel really only knows how to access the boot disk and load modules. Then as hardware is probed and discovered, modules to support that hardware is loaded.

As a desktop machine kernel, micro-kernels allow for changes in the hardware configuration to occur fairly easily without a lot of user visible fuss. But they do leave open the vulnerability that the module system can be exploited. Server systems generally change less frequently and hardware changes beyond adding or removing a disk drive are often quite rare.

Things are always trade-offs.

I wonder if there is anyone doing mixed virtualization studies. Using a hypervisor that is locked down for the lower layer and then booting the "user" machine for interactive use. This is a very powerful architectural choice and was been used for decades in IBM's mainframe OS. Perhaps we'll see a consumer OS based on those principles at some point.


Modules have nothing to do with microkernels. A system like you are describing is still a monolithic kernel. It changes nothing about the behavior of the system, it just saves a couple of MB of RAM. A microkernel runs the drivers as separate userspace programs, there are no modules involved.


OpenBSD strongly discourages non-default kernel configurations [1], so anything they consider supported is just compiled in to the default kernel.

[1] http://www.openbsd.com/faq/faq5.html#Why


    $ du -h /bsd
    11.3M   /bsd
Interestingly, the ramdisk/recovery kernel with a bunch of shell utilities built in is only 8.7M. I guess it saves more space by omitting fancy graphics drivers than is taken up by the recovery tools.


OpenBSD doesn't support ZFS or any exotic filesystems.


Wouldn't even just supporting samba, nfs alone without kernel module will make the kernel bigger than needed?

Or does OpenBSD doesn't support those network fs neither?

If smbd/nfsd build in by default, wouldn't a single kernel image with samba/nfs build-in to kernel by default trigger more attack vector/surface especially if I just want to run a simple LAMP stack?

Sorry for the OpenBSD noob questions. I am just curious on tradeoff on the decision turn off the kernel module completely.


I don't have an answer for this, but I believe they support nfs out of the box.


>Are they going to build all the supported HW device drivers all into the kernel image?

They always have. No drivers were modules. Modules were just there because netbsd had them. Kernel modules were already not being used at all in OpenBSD, they are removing an unused "feature".


Loadable kernel modules have long been known to be the source of potential security risks due to the fact that the kernel now has a way to intentionally load code into itself. A project like OpenBSD to me should never have included this feature in the first place, but I hear the mechanism that is being dropped is and old and obsolete version that nobody ever used.


> is and old and obsolete version that nobody ever used.

Is there another mechanism?

If not, I see this as a step backwards.


If you see it as a step backwards, then you've obviously never used openbsd, so why would they care? It is a completely unnecessary "feature" that has not been used at all in at least 15 years.


Here's a link to the phoronix article on the change. There's a bit of discussion about it in the comments as well.

http://www.phoronix.com/scan.php?page=news_item&px=MTgyNDI


Anyone know of a link to the rationale?


Not a link, but I can tell you that one of the philosphies OpenBSD dev's enjoy is 'trim useless code for maintainability and security.'

LKM hasn't been worked on, improved on, or maintained in any significant way, so... it went away.

There won't be any fanfare made about it officially, because the dev group didn't seem to care about it anymore. Anything un-needed or considered bloat in OpenBSD goes this route eventually,. not with a bang but a whimper.

edit: Having looked at the article, it seems a bit sensationalized by Phoronix. Unfortunately the OpenBSD maintainers didn't care as much as this writer at Phoronix seems to have done.


I think it was only being used to load policies into pf, and that was no longer needed as the useful policies were all included. That may have been a comment from the latest episode of bsdnow.tv, or a discussion I had recently I forget which sorry...


Can't link to it because it is such a non-issue that nobody would even mention it. They just removed some dead code. OpenBSD has not used the kernel modules system in 15+ years. This is only "news" because people unfamiliar with openbsd assume it is like linux and must use modules. It is not and does not.


34 linux users upvoted this article.

OpenBSD is not Linux. The "story" is a non-event in OpenBSD world.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: