OpenBSD Drops Support For Loadable Kernel Modules

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OpenBSD Drops Support For Loadable Kernel Modules

    Phoronix: OpenBSD Drops Support For Loadable Kernel Modules

    Interestingly the OpenBSD developers have decided to remove support for loadable kernel modules from the BSD distribution's next release...

    http://www.phoronix.com/vr.php?view=MTgyNDI

  • #2
    Really? I thought driver stuff was mostly done via modules? As in at bootup, 'I can see you've got the xyz ethernet thingy, I'll load the kernel module for that'. And then voila, your ethernet works.

    Does this mean that the kernel for OpenBSD will be pre-compiled with a crap-tonne of drivers that you'll never use, or that the user will have to compile their own kernel?

    The security concerns must be pretty significant because that tradeoff ain't pretty, unless I'm misunderstanding something.

    • #3
      Assuming they keep the same policy, no, users will not need to compile their own kernels. Instead, all drivers will be compiled into the kernel by default. OpenBSD wants to avoid having users compile their own kernels, but I think they dropped this support because of concerns of copyleft and proprietary modules tainting the kernel with code they'd be unable to patch against. In addition, despite the fact that kernel modules are dropped that aren't needed, the Linux kernel still runs like shit on the same hardware, and is a serious kludge for it. It's fine for the desktop but only if all the questionable enhancements are ripped out.

      It is all part of their minimalist design philosophy, such as they don't need MAC either because MAC simply shifts the point of aim for hackers from simple to debug and diagnose software to a complex, pain in the ass piece of shit to use akin to SELinux, which has had exploits against it in the past. How many has OpenBSD had? At least ten-fold less, if not more.

      They're both conservative and insular compared to the other BSD projects so they move forward slow and steady, like the tortoise.

      • #4
        Originally posted by kaprikawn:
        Really? I thought driver stuff was mostly done via modules? As in at bootup, 'I can see you've got the xyz ethernet thingy, I'll load the kernel module for that'. And then voila, your ethernet works.

        Does this mean that the kernel for OpenBSD will be pre-compiled with a crap-tonne of drivers that you'll never use, or that the user will have to compile their own kernel?

        The security concerns must be pretty significant because that tradeoff ain't pretty, unless I'm misunderstanding something.
        OpenBSD's default kernel has everything built in. The possibility to load modules was available, but you had absolutely no module to load except if you wrote some of your own. If you are able to write your own modules, you should be able to compile your kernel with the module inside.

        • #5
          Security related decision I'd warrant.

          The worst Linux-specific compromises I've dealt with were all kernel module rootkits.

          • #6
            Booting with all modules compiled in could be SLOW on some HW

            Originally posted by kaprikawn:
            Really? I thought driver stuff was mostly done via modules? As in at bootup, 'I can see you've got the xyz ethernet thingy, I'll load the kernel module for that'. And then voila, your ethernet works.

            Does this mean that the kernel for OpenBSD will be pre-compiled with a crap-tonne of drivers that you'll never use, or that the user will have to compile their own kernel?

            The security concerns must be pretty significant because that tradeoff ain't pretty, unless I'm misunderstanding something.
            OK, if I used BSD instead of Linux, and used a kernel with modules for all possible printers, drives, wifi cards, and anything else it might ever encounter compiled in, the result would be having to load about 200MB at boot time. My /lib/modules for any one kernel is about 192MB. Now, imagine booting this on a netbook, with only 1GB of RAM on the whole machine! It would take longer to load a kernel that size at boot, longer yet on a slow Atom netbook, the kind that benefits the most from a fast boot.

            While OpenBSD probably does not target that kind of machine at all, it's a good reason for operating systems that do intend to run on small laptops and also older desktops never to abandon loadable modules.

            Of course, the ideal option would be knowing what you are ever going to run on a particular machine, to compile your own kernel with those modules and ONLY those modules included, then have the option to disable post-boot loading for security reasons. You have to load these anyway, so the total boot time should not change unless you have a ton of different peripherals that are not all used at once.

            My guess is OpenBSD is aiming itself at big hardware with lots of RAM that is not rebooted so often, where the security advantages of blocking malicious modules are at a maximum and the disadvantages matter the least. I've never seen an OpenBSD laptop, but I HAVE seen one (not my own) running FreeBSD. It often makes sense for someone who uses an OS all the time on other machines to use what he or she is familiar with on personal machines as well.

            • #7
              Originally posted by Zplay:
              If you are able to write your own modules, you should be able to compile your kernel with the module inside.
              And reboot the 200MB Kernel every time you test your module? ^^

              • #8
                I think that the "mass of modules" is less of a critical problem on BSD than it is on Linux, simply as a function of being less featureful and having much lower hardware support. That makes it a heck of a lot easier and smaller to build everything in than it does when you're setting up a generic Linux distro that is supposed to work very well on pretty much ANY hardware, with full features.

                Linux, of course, also supports disabling of loadable kernel module support, and this feature is often used on Android... or should I say that this feature is often DISABLED on Android. The advantage there is that the kernel is built for that specific machine and ends up running around 10 MB when all put together. This reduces the security implications, overall kernel size, and memory utilization -- since all those modules would have to be loaded anyway.

                Having said that, I tend to suspect that they are more doing this out of a sense of purism than security or efficiency... even if they presented potential benefits in those areas to support the move. I.e., let's stick it to anyone trying to sell proprietary blob modules because... fuck you.

                • #9
                  Probably the generic kernel has all you need. If not, you're probably going to recompile it anyway, because OpenBSD's build system makes it so quick and easy to do that. Then you don't even need to create an initrd.

                  I don't think I've ever needed loadable kernel modules on OpenBSD or NetBSD; it does indeed carry a risk of kernel rootkits being loaded that way (if you'd already suffered root compromise), which is why "securelevel" disables loading kernel modules among other things.

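Posts #5 and #9 describe the defender's side of this: a loadable module is the classic vehicle for a kernel rootkit once root has been lost, which is why OpenBSD's securelevel blocks module loading. The script below is an added example (not from the thread or from OpenBSD) of the equivalent check on a Linux host: it reads the one-way kernel.modules_disabled sysctl and diffs the loaded module list against a known-good baseline. The file paths and module names are constructed sample data, not real /proc contents.

```shell
#!/bin/sh
# Added example: audit Linux kernel module state the way the thread's securelevel
# discussion suggests. Both functions take file paths so they can be exercised on
# constructed sample data instead of the live /proc files.

# modules_loading_locked FILE
#   FILE holds the contents of /proc/sys/kernel/modules_disabled. The kernel
#   accepts only the transition 0 -> 1; once it reads "1" no further modules
#   can be loaded until reboot (the Linux counterpart of OpenBSD's securelevel).
modules_loading_locked() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# unexpected_modules PROC_MODULES BASELINE
#   PROC_MODULES is in /proc/modules format (name size refcount deps state addr);
#   BASELINE lists one approved module name per line. Prints, sorted, every
#   loaded module that is not in the baseline: the signal a module rootkit
#   leaves behind unless it also hides itself from /proc/modules.
unexpected_modules() {
    awk 'NR==FNR { base[$1]=1; next } !($1 in base) { print $1 }' "$2" "$1" | sort
}

# Constructed sample data standing in for the real files (hypothetical names).
tmp=$(mktemp -d)
printf '0\n' > "$tmp/modules_disabled"
cat > "$tmp/proc_modules" <<'EOF'
ext4 745472 1 - Live 0x0000000000000000
e1000e 262144 0 - Live 0x0000000000000000
suspect_mod 16384 0 - Live 0x0000000000000000 (OE)
EOF
printf 'ext4\ne1000e\n' > "$tmp/baseline"

if modules_loading_locked "$tmp/modules_disabled"; then
    echo "module loading: locked for the rest of this boot"
else
    echo "module loading: still allowed (kernel.modules_disabled is 0)"
fi
echo "loaded modules not in baseline:"
unexpected_modules "$tmp/proc_modules" "$tmp/baseline"
```

On a real host, point the functions at /proc/sys/kernel/modules_disabled and /proc/modules and keep the baseline from a clean install; an empty diff plus a locked switch is the expected healthy state.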
                  • #10
                    Originally posted by Luke:
                    OK, if I used BSD instead of Linux, and used a kernel with modules for all possible printers, drives, wifi cards, and anything else it might ever encounter compiled in, the result would be having to load about 200MB at boot time.
                    > ll bsd
                    -rw-r--r-- 1 root wheel 9021491 Aug 1 2012 bsd
                    > ll /usr/lkm
                    total 8
                    drwxr-xr-x 2 root wheel 512 Aug 1 2012 .
                    drwxr-xr-x 16 root wheel 512 Aug 1 2012 ..

                    That's a stock kernel on a 5.2 i386 machine (yah, yah, I know, I'm upgrading when 5.6 comes out).
                    As you can see, there are no loadable kernel modules installed and the kernel is 9 MB, not 200.

                    Confused? Look here -> http://www.openbsd.org/i386.html#hardware , compare and contrast with your Linux kernel.
