Date: Mon, 20 Apr 2015 13:31:16 +0000 (UTC) From: David Chisnall <theraven@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r46576 - head/en_US.ISO8859-1/htdocs/news/status Message-ID: <201504201331.t3KDVGET087078@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: theraven (src,ports committer) Date: Mon Apr 20 13:31:16 2015 New Revision: 46576 URL: https://svnweb.freebsd.org/changeset/doc/46576 Log: Editing pass. Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml Sat Apr 18 12:51:58 2015 (r46575) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml Mon Apr 20 13:31:16 2015 (r46576) @@ -119,17 +119,18 @@ <p>We have been working hard the last few months to ensure the robustness of our ASLR implementation. We have - written a helpful manpage. We have updated the patch on + written a manpage and updated the patch on FreeBSD's code review system (Phabricator). Our ASLR - implementation is in heavy use by the HardenedBSD team + implementation is in use by the HardenedBSD team in production environments and is performing robustly.</p> <p>The next task is to compile the base system applications as - Position-Independent Executables (PIEs). In order for + Position-Independent Executables (PIEs). For ASLR to be effective, applications must be compiled as - PIEs. It is likely that this part will take a long time - to accomplish, given the complexity surrounding + PIEs to allow the main binary, as well as shared libraries, to be + located at random addresses. It is likely that this part will take a + long time to accomplish, given the complexity surrounding building the libraries in the base system. Even if applications are not compiled as PIEs, having ASLR available still helps those applications (like HardenedBSD's secadm) @@ -142,11 +143,6 @@ <task> <p>Test our patch against 11-CURRENT.</p> </task> - - <task> - <p>For &os; committers: work with us to get this merged - into &os;.</p> - </task> </help> </project> @@ -224,7 +220,7 @@ </task> <task> - <p>Add a new property (through xfconf-query) in order to + <p>Add a new property (through xfconf-query) to allow users to change the greyscale value of quicklaunch icons in x11/xfce4-dashboard (this feature is only available in the unstable release).</p> @@ -754,7 +750,7 @@ WITHOUT_FORTH=y</pre> Address and Undefined Behavior Sanitizers in the base system toolchain.</p> - <p>Like the 3.5.0 release, these components require C++11 + <p>As with the 3.5.0 release, these components require C++11 support to build. C++11 support is available in &os; 10.0 and later on the x86 architectures.</p> @@ -1044,7 +1040,7 @@ WITHOUT_FORTH=y</pre> the X.Org component updates were submitted by Matthew Rezny.</p> <p>The location where fonts get installed was overhauled and - the way to handle fonts from the plist got simplified. Now all + the way to handle fonts from the plist has been simplified. Now all fonts are installed in <tt>/usr/local/share/fonts</tt> as required by the XDG rules. Furthermore, making a port for fonts should be easier: more aspects, such as calling fc-cache(1), are @@ -1329,7 +1325,7 @@ WITHOUT_FORTH=y</pre> possible.</p> <p>First of all, we would like to welcome Tobias Berner to - the ranks of the area51 committers. He has been regularly mentioned + the ranks of the area51 (the KDE ports staging area) committers. He has been regularly mentioned in our recent status reports, and has finally received committer privileges to our experimental repository. Becoming an area51 committer is usually the first step towards becoming a kde@ @@ -1672,7 +1668,7 @@ WITHOUT_FORTH=y</pre> way.</p> <p>An auto-assigner for ports issues was implemented, - resembling what GNATS' successfully did in the past. A <a + resembling what GNATS successfully did in the past. A <a href="https://bugs.freebsd.org/bugzilla/page.cgi?id=dashboard.html">dashboard</a> page within Bugzilla provides users and committers with common queries and overall statistics; many other smaller tweaks, @@ -1756,7 +1752,7 @@ WITHOUT_FORTH=y</pre> of interrupt delivery without reprogramming MSI/MSI-X registers or IO-APICs. The original intent was to allow hypervisors to safely delegate interrupt programming for devices owned by - guests to the guest OS. But IR is also needed to avoid some + guests to the guest OS. IR is also needed to avoid some limitations in IO-APICs and to make interrupt rebalancing atomic and transparent. Support has been committed as r280260.</p> @@ -1765,7 +1761,7 @@ WITHOUT_FORTH=y</pre> It is believed that the only missing platform code to handle big machines is parsing the "Processor Local x2APIC Structure" and "Local x2APIC NMI Structure" from the ACPI Multiple APIC - Description Table (MADT), which report LAPIC IDs > 255, and + Description Table (MADT), which report LAPIC IDs > 255, and handling boot on such systems with the x2APIC mode enabled by firmware. The work to complete that is expected to be relatively trivial, and can be done with access to a real @@ -1899,7 +1895,9 @@ WITHOUT_FORTH=y</pre> interposes on all updates to virtual memory translations to assert protections on physical memory, thus significantly reducing the trusted computing base for memory access control - enforcement. We incorporated the nested kernel + enforcement. </p> + + <p>We incorporated the nested kernel architecture into &os; on x86-64 hardware by write-protecting Memory-Management Unit (MMU) translations and de-privileging the untrusted part of the kernel, thereby enabling the entire @@ -1910,8 +1908,11 @@ WITHOUT_FORTH=y</pre> against code injection attacks. We also demonstrate, by introducing write-mediation and write-logging services, that the nested kernel architecture allows kernel developers to isolate - memory in ways not possible in monolithic kernels. The - performance of the nested kernel prototype shows modest + memory in ways not possible in monolithic kernels, though security + benefits from this will require adding policies that have not yet been + designed.</p> + + <p>The performance of the nested kernel prototype shows modest overheads: less than 1% average for Apache, 3.7% average for sshd, and 2.7% average for kernel compilation. Overall, our results and experience show that the nested kernel design can be @@ -1939,21 +1940,15 @@ WITHOUT_FORTH=y</pre> <p>We are very interested in feedback on the design of the nested kernel, and having discussions about how it might get - upstreamed. This is our first time contributing to an open - source project, so even simple advice is likely to be useful.</p> + upstreamed. </p> <p>We are also hoping to gain additional contributors and interest in the project! The nested kernel has the potential to enhance commodity operating system design, and &os; is a major operating system in use today which has high impact. - However, the implementation is merely a research prototype and + The current implementation is merely a research prototype and requires significant effort to make production-ready (see the - list of tasks). Some of this work is underway during - refactoring for an implementation in the <a - href="https://www.freebsdfoundation.org/journal/articles">HardenedBSD - project</a>, which is a much cleaner version of the core system - and is integrated into the &os; build system, but is only about - 50% completed.</p> + list of tasks). </p> <p>Finally, we have developed an interface to write-protect data structures in the kernel and are soliciting ideas for uses @@ -1976,7 +1971,7 @@ WITHOUT_FORTH=y</pre> specially consider the stack if it is used to execute code), protect IDT and SMM, and add IOMMU protections. We also need to do some optimizations where we batch calls into the nested - kernel on process creation (FORK) and mmap operations. The + kernel on process creation (<tt>fork</tt>) and <tt>mmap</tt> operations. The motivation for these implementation directives can be reviewed in the paper.</p> </task> @@ -1986,7 +1981,7 @@ WITHOUT_FORTH=y</pre> </task> <task> - <p>Port and refactor for a newer version of &os;. The + <p>Port and refactor for &os;-HEAD. The current implementation is a research prototype and requires some refactoring to make it clean and consistent, as well as make it relevant to modern versions of &os;.</p> @@ -2586,18 +2581,18 @@ WITHOUT_FORTH=y</pre> </links> <body> - <p>Lots of work has been done on the pkg(8) front, that brought + <p>Lots of work has been done on the pkg(8) front, which has brought pkg(8) to the 1.5.0 release.</p> <p>Special attention has been spent on the test suite, the number of tests went from around 20 to more than 70. Mostly - functional tests. Each test can in fact test many different + functional tests, each of which tests many different features.</p> <p>One of the main highlights is initial support for - provides/requires has been implemented, while it is still - simple, it is good enough to allow fixing lot of situation when - dealing with php related ports: able to safely upgrade from one + provides/requires. This is still + simple but is good enough to allow fixing lot of situations when + dealing with php-related ports: PHP can now safely upgrade from one major version to another. This allows for the pecl/pear packages to be reinstalled each time a minor php upgrade is done.</p> @@ -2615,7 +2610,7 @@ WITHOUT_FORTH=y</pre> plist</li> </ul> - <p>pkg now support fetch resume for http/ftp</p> + <p>pkg now supports resume for http/ftp downloads</p> </body> <help>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201504201331.t3KDVGET087078>