From: Colin Percival
To: Rafal Lukawiecki
Cc: freebsd-cloud@freebsd.org
Subject: Re: FreeBSD on AWS Graviton (t4g)
Date: Fri, 1 Jan 2021 21:01:13 +0000
List-Id: "FreeBSD on cloud platforms (EC2, GCE, Azure, etc.)"
On 1/1/21 12:47 PM, Rafal Lukawiecki wrote:
>> On 1 Jan 2021, at 20:29, Colin Percival wrote:
>> On 1/1/21 4:33 AM, Rafal Lukawiecki wrote:
>>> Colin, would I be able to build an updated RELEASE in the AMI maker before
>>> I call mkami? In the days of 11.1 I had to recompile the kernel to use your
>>> patch (many thanks!) and so I did something like this:
>>>
>>> $ svnlite --non-interactive --trust-server-cert-failures=unknown-ca co \
>>>     https://svn.freebsd.org/base/releng/11.1/ /usr/src/
>>> $ make DESTDIR=/mnt kernel -j16
>
> Thanks. I suppose I should have asked a different question, sorry for not
> being clearer. What is the best way, in your opinion, to create a
> security-patched ARM AMI? Would this approach do it? I have never tried
> patching FreeBSD from source since I have always relied on freebsd-update, but
> since that is not an option on arm64 (yet) I would be grateful for your pointers.
Yes, if you want to build an AMI which is FreeBSD 12.2-RELEASE + security /
errata patches, you can launch the AMI Builder, then

    # svnlite co https://svn.freebsd.org/base/releng/12.2/ /usr/src/
    # make -C /usr/src DESTDIR=/mnt \
        buildworld buildkernel installkernel installworld

It's just possible that the memory disk won't have enough space, in which case
you would need to attach another EBS volume and mount it on /usr/obj, but if
you've updated FreeBSD systems before you're familiar with such issues...

--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
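The procedure described in the reply above, as an added example script that is not part of the original thread: it checks out the releng branch, checks the space available under /usr/obj on the AMI Builder's memory disk, and puts /usr/obj on an attached EBS volume when that space is too small before running the world/kernel build into /mnt. The device name /dev/nvd1, the 6 GiB threshold and the RUN_BUILD guard are assumptions.

```shell
#!/bin/sh
# Added example, not Colin's own script. Builds a security/errata-patched
# 12.2 world + kernel into /mnt on the AMI Builder, with /usr/obj moved to
# an extra EBS volume when the memory disk lacks room for the build.
set -eu

BRANCH="${BRANCH:-releng/12.2}"       # branch carrying the security patches
SVN_URL="https://svn.freebsd.org/base/${BRANCH}/"
SRC=/usr/src
OBJ=/usr/obj
DESTDIR=/mnt                          # the AMI image is mounted here on the builder
MIN_OBJ_KB=$((6 * 1024 * 1024))       # assumed headroom for buildworld: 6 GiB
OBJ_DEV="${OBJ_DEV:-/dev/nvd1}"       # assumed: the additional EBS volume

# free_kb DIR: print available KiB on the filesystem that holds DIR.
free_kb() {
    df -k "$1" | awk 'NR == 2 { print $4 }'
}

# obj_space_ok AVAIL_KB: succeed when AVAIL_KB is at least MIN_OBJ_KB.
obj_space_ok() {
    [ "$1" -ge "$MIN_OBJ_KB" ]
}

# mount_obj_volume: create a fresh UFS (erasing OBJ_DEV) and mount it on /usr/obj.
mount_obj_volume() {
    newfs -U "$OBJ_DEV"
    mkdir -p "$OBJ"
    mount "$OBJ_DEV" "$OBJ"
}

# build_cmd: the make invocation from the thread, as one string.
build_cmd() {
    printf 'make -C %s DESTDIR=%s buildworld buildkernel installkernel installworld' \
        "$SRC" "$DESTDIR"
}

main() {
    svnlite co "$SVN_URL" "$SRC"
    if ! obj_space_ok "$(free_kb "$OBJ")"; then
        echo "not enough space under $OBJ; mounting $OBJ_DEV there" >&2
        mount_obj_volume
    fi
    eval "$(build_cmd)"
}

# Run the build only when explicitly asked, so the file can be sourced safely.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    main
fi
```

Run it as root on the builder with RUN_BUILD=1, then call mkami as usual.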