From: Rafal Lukawiecki
Subject: Re: FreeBSD on AWS Graviton (t4g)
Date: Fri, 1 Jan 2021 20:47:06 +0000
To: Colin Percival
Cc: freebsd-cloud@freebsd.org
Message-Id: <4E347E37-113D-4AFC-BD7E-AC83FF27C2E0@rafal.net>
In-Reply-To: <01000176bfa4236e-f12b57d0-7000-4a31-acb2-5660d60eb714-000000@email.amazonses.com>
List-Id: "FreeBSD on cloud platforms (EC2, GCE, Azure, etc.)"

> On 1 Jan 2021, at 20:29, Colin Percival wrote:
>
> On 1/1/21 4:33 AM, Rafal Lukawiecki wrote:
>>
>>>> Oh, and a generic ARM issue: It's not a Tier 1 platform yet, so freebsd-update
>>>> doesn't work and packages aren't always as up-to-date as on x86. But I think
>>>> those are being worked on...
>>
>> Colin, would I be able to build an updated RELEASE in the AMI maker before I call mkami? In the days of 11.1 I had to recompile the kernel to use your patch (many thanks!) and so I did something like this:
>>
>> $ svnlite --non-interactive --trust-server-cert-failures=unknown-ca co https://svn.freebsd.org/base/releng/11.1/ /usr/src/
>> $ make DESTDIR=/mnt kernel -j16
>>
>> I am not sure what magic is being done by the AMI maker itself to /mnt. I wonder if I could use this approach to build the kernel using the latest patched release of ARM, at least until it moves to Tier 1. Would I need to build the userland, too? Or are the security patches installed by freebsd-update only affecting the kernel?
>
> You can make any changes you like. Once you've SSHed into the AMI Builder,
> you're running FreeBSD, you have FreeBSD installed onto the disk, and the
> disk is mounted at /mnt, but those are all independent issues.
>
> If you wanted you could launch the AMI Builder, unmount /mnt, and then write
> a Linux disk image onto the disk. (I can't imagine why you would want to,
> of course. But you're really not limited in what you can do.)

Thanks. I suppose I should have asked a different question, sorry for not being clearer. What is the best way, in your opinion, to create a security-patched ARM AMI? Would this approach do it? I have never tried patching FreeBSD from source since I have always relied on freebsd-update, but since that is not an option on arm64 (yet) I would be grateful for your pointers.

Thank you again, very much.

Rafal
--
Rafal Lukawiecki
Data Scientist
Project Botticelli Ltd