en:openbsd_on_small_systems_in_general [2018/01/31 20:17] (current)
gman999 created
Line 1: Line 1:
 +====Building an OpenBSD Tor Relay on 32-bit/i386 Embedded Hardware====
 +
 +===Summary===
 +
 +64-bit/​amd64 and various ARM-based increasingly dominate the embedded hardware market with products such as the Raspberry PI, BeagleBones and PC Engines'​ APU2. All these newer devices are ideal for small Tor nodes. But older 32-bit/i386 hardware continues to be available,
 +
 +Small embedded computer systems such as OpenBSD runs well on small embedded hardware systems such as PC Engines'​ ALIX 32-bit/i386 boards or 64-bit/​amd64 APU2 boards. There is a lot of similar Intel-based hardware available, and it tends to be better supported on most open source Unix-like operating systems than newer ARM-based hardware.
 +
 +There are a multitude of methods for installing OpenBSD onto small embedded devices for either i386 or amd64.
 +
 +OpenBSD is well-supported on ARM version 7 hardware such as the BeagleBone Black. The AMX335x processor with 512MB of RAM is adequate for a Tor relay or bridge. As a small, fanless and low-power hardware device, BeagleBone Blacks (BBB) are ideal for residential Tor bridges.
 +
 +As a Tor node, OpenBSD on a BeagleBone Black provides the benefit of more diversity to the Tor network. First, as Linux kernel-based operating systems account for some 95% of Tor public relays, OpenBSD is a distinct system which can disrupt the monoculture. OpenBSD'​s security approach is different, it's methods of randomly generating numbers is different, it uses LibreSSL as opposed to the more popular OpenSSL, among many other differences.
 +
 +Additionally,​ most public Tor relays run on Intel/x86 computers, which represents another monoculture. Increasing diversity of hardware platforms in the Tor network potentially mitigate Intel/​x86-specific vulnerabilities. Currently, most low-level hardware attacks are aimed at Intel/x86.
 +
 +To minimize the need for frequent updates, this example will use the OpenBSD -stable branch, which is released on the first of May and November each year. Security updates to the operating system are simple with the new syspatch tool. The downside of this decision is OpenBSD'​s -stable ports are not updated as frequently as the -current branch.
 +
 +OpenBSD only provides stable application releases in its ports tree, which means that the Tor-alpha ports and packages are not available.
 +
 +===Hardware===
 +
 +The BeagleBone Black launched in 2013, but remains easy to find online and in many computer stores.
 +
 +Additional hardware required for installing OpenBSD on a BBB is a microSD card for the install of 2GB or larger, plus a TTL Serial Cable offered by online vendors such as Adafruit.
 +
 +OpenBSD will run from the 4GB eMMC, so a microSD card is not necessary after the install.
 +
 +===Preparation===
 +
 +The full installation notes for the OpenBSD armv7 plaform for 6.1 provides all the necessary steps for installation.
 +
 +To prepare the microSD card with the boot media the miniroot-am335x-61.fs file is required. Note that the miniroot-beagle-61.fs file is not for the BBB, but for the BeagleBoard.
 +
 +The OpenBSD mirror sites are available globally. The miniroot-am335x-6.1fs file is available in the relative path of OpenBSD/​6.1/​armv7/​ from the main mirror directory. For instance, to use the ftp4 mirror in the US, navigate to the 6.1, then armv7 directory. OpenBSD maintains a simple version/​architecture hierarchy in the mirror layout.
 +
 +Downloading the install set files, those ending in .tgz, is not necessary as the full install will be done over the internet in this example.
 +
 +To verify the integrity of the miniroot-am335x-61.fs file, download the SHA256 file. For verifying the digital signature, also download the SHA256.sig file. Instructions for checking both the file integrity and the digital signature on OpenBSD is available on the project web site.
 +
 +Each operating system writes disk images differently to a microSD card and similar media. The Unix tool dd is avaible on most Unix and Unix-like systems.
 +
 +On OpenBSD, assuming that /dev/sd1 is the microSD card, the boot image is written like this:
 +
 +$ dd if=nstall61.fs of=/​dev/​rsd1c
 +
 +Which should output something like:
 +
 +491520+0 records in
 +491520+0 records out
 +251658240 bytes transferred in 545.317 secs (461489 bytes/sec)
 +
 +To confirm the data is written to the microSD card, mount it and check the contents:
 +
 +$ mount /dev/sd1a /mnt
 +
 +$ ls /mnt/                                                                     
 +total 7382
 +drwxr-xr-x ​  4 root  wheel   512B Apr  1 16:23 ./
 +drwxr-xr-x ​ 15 root  wheel   512B Jun 13 21:06 ../
 +drwxr-xr-x ​  3 root  wheel   512B Apr  1 16:23 6.1/
 +-rw-r--r-- ​  1 root  wheel  85.2K Apr  1 16:23 boot
 +-rw-r--r-- ​  1 root  wheel   3.5M Apr  1 16:23 bsd
 +drwxr-xr-x ​  2 root  wheel   512B Apr  1 16:23 etc/
 +
 +===Install===
 +
 +The installation step requires connecting to the BBB with the serial cable with an ethernet connection, with the installation microSD card inserted in the BBB.
 +
 +Insert the microSD card into the slot on the bottom of the BBB board.
 +
 +Next, the 4-pin TTL serial cable needs to be connected to the BBB.
 +
 +There are four pins, black, green, white and red. Only three of the pins are used, and the red pin is not used.
 +
 +pin 1: black
 +
 +pin 4: green
 +
 +pin 5: white
 +
 +Using the USB power, boot the BBB, holding down the small button next to the xxxslot to
 +
 +The install target will be the eMMC storage on the BBB, and the microSD slot can be empty or used for other purposes. The 4GB of storage provided by the eMMC is more than adequate for full OpenBSD install. Earlier versions of OpenBSD'​s armv7 platform were restricted by slow input/​output speeds to the eMMC, but this has been resolved.
 +
 +===Maintenance===
 +
 +As with other operating systems, both the base operating system and the applications require regular updates. OpenBSD provides simple mechanisms for updating both. syspatch 8 enables painless binary security patching. pkg_add with the -u option should update the packages. At this point, the full /usr/ports tree needs to be populated and updated for package updates.
 +
 +In this case, net/tor is the critical application to keep updated. First update the ports tree, then update the port.
 +
 +$ cvs up -Pd
 +
 +$ cd /​usr/​ports/​net/​tor
 +
 +$ make update
  
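Review bot: The Preparation command `dd if=nstall61.fs of=/dev/rsd1c` names an image that matches nothing else in the text, which tells the reader to fetch and verify miniroot-am335x-61.fs (also written miniroot-am335x-6.1fs in the mirror paragraph). Use one filename in all three places, so that the file checked against SHA256 and SHA256.sig is the file written to the card. The dd and mount commands are shown at a `$` prompt although they write to a raw device and mount a filesystem, so show them as root or through doas. The heading promises 32-bit/i386 hardware while the body covers the armv7 BeagleBone Black, the first Summary paragraph ends on a comma, and the second opens with a garbled clause ("Small embedded computer systems such as OpenBSD runs well on ..."). The Install step "holding down the small button next to the xxxslot to" still carries a placeholder and breaks off mid-sentence, and the serial wiring describes four pins but lists pins 1, 4 and 5. In Maintenance, `cvs up -Pd` is given without the directory it should be run from, and the text does not say whether readers should follow the `pkg_add -u` route or the ports build for net/tor.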
en/openbsd_on_small_systems_in_general.txt · Last modified: 2018/01/31 20:17 by gman999