OpenRiot v7.9.37 — ICE in the Silicon
“You think the Feds are the threat? The Feds are amateurs with warrants. The real threat is the chip under your fingers. Tiger Lake watches every indirect call. It expects an endbr64 instruction and it SIGILLs when it doesn’t get one. The silicon has its own agenda now — paranoid, uncompromising, and it doesn’t negotiate with hand-written assembly from 2019. We had to teach the construct new tricks or die at instruction zero. Welcome to the age of hardware-enforced compliance.” — The OpenRiot Crew, patching psm at 3 AM, v7.9.37
Release Overview
We spent this week at war with the CPU itself. Not the kernel, not
the Feds, not the toolchain — the actual silicon between your
fingers. Intel Tiger Lake has Indirect Branch Tracking, a hardware
feature that checks for endbr64 markers before every indirect call.
No marker? SIGILL. The process dies. The construct flatlines before
it can even ask the GPU if it’s awake.
The psm crate’s x86_64.s is hand-written assembly from 2019. It
doesn’t know about Tiger Lake’s new security theater. It doesn’t have
endbr64 markers because when it was written, CPU branch tracking
didn’t exist. But OpenBSD compiles with -fcf-protection=branch by
default, which enables the checks, and the CPU’s immune system fires
the first time rust_psm_stack_pointer gets called via function
pointer.
We patched the assembly. We injected endbr64 after every
.cfi_startproc in psm, redefined _CET_ENDBR in ring’s
asm_base.h to emit the real instruction, and added sentinel-based
cache invalidation so we only nuke the build artifacts when CFLAGS
actually changes. The construct now survives long enough to ask the
GPU if it’s there. The GPU says yes. Then it says it’s testing the
construct. But that’s a different release.
The background walls got heavier. Sixteen new images for the Sprawl. Three existing images rescaled. The lock screen now has 88 options. Aesthetic warfare continues.
🔒 The Silicon Is Watching
OpenBSD’s clang 19.1.7 enables two independent CPU security features by default. Each one SIGILLs the construct at a different stage of startup. Fix one, advance further, hit the next. It’s like fighting a game with five bosses in sequence — each one reveals the next one’s weakness.
The first boss: -ret-protector. Emits __retguard_XXXX
canaries into every C function. XOR the return address with a stack
cookie. If the cookie doesn’t match, the CPU traps. On PIC code the
canary address can land on an unmapped page boundary. The construct
dies before main() even starts. Fixed by -fno-ret-protector.
The second boss: -fcf-protection=branch. Requires endbr64 at
every indirect call target. Intel Tiger Lake enforces this in
hardware. Hand-written assembly in psm doesn’t have it. The CPU
sees an indirect call to psm without the marker and fires a SIGILL.
The construct survives the C code but hits the assembly wall. Fixed
by -fcf-protection=none plus surgical patching of the .s files
to add endbr64.
We now set both flags:
CFLAGS="-fno-ret-protector -fcf-protection=none"
Both are required. One doesn’t work without the other. The Feds would call this “defense in depth.” We call it “defense in SIGILL.”
🧬 The Endbr64 Gospel
The psm crate’s x86_64.s has no endbr64 anywhere. It’s 2019
assembly. Tiger Lake didn’t exist. The CPU didn’t have branch
tracking. The world was simpler. Now we inject the instruction after
every .cfi_startproc in rust_psm_* functions. We use awk
because sed on OpenBSD doesn’t have the regex muscle for this. The
patch is idempotent — rg endbr64 checks if it’s already there
before touching the file.
The ring crate’s asm_base.h defines _CET_ENDBR as empty. We
change it to endbr64. The CPU sees the marker. The indirect call
succeeds. The construct advances.
We create a sentinel file at target/release-fast/.ibt-patched so
we don’t re-patch on every build. Patching takes seconds but the
rebuild takes ten minutes. We optimize for the rebuild.
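The injection step described above, as an added example that is not taken from the project's scripts/zed.sh. It runs on a constructed sample file, and the function names (inject_endbr64, count_unmarked, write_sample) are hypothetical. It goes slightly beyond the file-level rg check by testing each entry point on its own, so a partly patched file is completed rather than skipped.

```shell
# Added example (not the project's scripts/zed.sh): insert endbr64 after each
# .cfi_startproc, skipping entry points that already carry the marker.

# Rewrite $1 in place; idempotent per function, not just per file.
inject_endbr64() {
    awk '
        pending { if ($0 !~ /^[ \t]*endbr64/) print "    endbr64"; pending = 0 }
        { print }
        /^[ \t]*\.cfi_startproc/ { pending = 1 }
        END { if (pending) print "    endbr64" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print how many .cfi_startproc entries are NOT followed by endbr64.
count_unmarked() {
    awk '
        pending { if ($0 !~ /^[ \t]*endbr64/) n++; pending = 0 }
        /^[ \t]*\.cfi_startproc/ { pending = 1 }
        END { if (pending) n++; print n + 0 }
    ' "$1"
}

# Constructed sample in the shape of a hand-written .s file (not psm's source).
write_sample() {
    cat > "$1" <<'EOF'
.globl rust_psm_stack_pointer
rust_psm_stack_pointer:
.cfi_startproc
    leaq 8(%rsp), %rax
    retq
.cfi_endproc
.globl rust_psm_stack_direction
rust_psm_stack_direction:
.cfi_startproc
    endbr64
    movb $1, %al
    retq
.cfi_endproc
EOF
}

demo=$(mktemp -d)
write_sample "$demo/sample.s"
echo "unmarked before: $(count_unmarked "$demo/sample.s")"
inject_endbr64 "$demo/sample.s"
echo "unmarked after:  $(count_unmarked "$demo/sample.s")"
rm -rf "$demo"
```

Running count_unmarked over the vendored .s files after a crate update shows whether any entry point lost its marker before the binary ever reaches the CPU.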
🧠 Smart Cache Invalidation
The old script deleted native crate build outputs on every run.
Brute force. It worked but cost ten minutes per build when nothing
changed. The new script tracks CFLAGS in a sentinel file at
target/release-fast/.cflags. If the flags match, it skips the
deletion. If they change, it nukes the outputs for all affected
crates: tree-sitter-*, psm, ring, aws-lc-sys, freetype-sys,
libsqlite3-sys, lmdb-master-sys, wayland-sys,
yeslogic-fontconfig-sys, zstd-sys, wgpu, wgpu-core,
wgpu-hal.
The expanded crate list catches more native dependencies that compile
C code or assembly. The old list missed freetype-sys and
libsqlite3-sys. The new list doesn’t.
Incremental builds with unchanged flags now take ~10 seconds instead of ~10 minutes. The construct rebuilds faster. The Feds don’t wait. Neither do we.
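The sentinel check described above, as an added example that is not the project's scripts/zed.sh. The function name invalidate_if_cflags_changed is hypothetical, and it assumes the build outputs to purge are Cargo's build/<crate>-<hash> and .fingerprint/<crate>-<hash> directories under the profile directory; the demo directories are constructed.

```shell
# Added example (not the project's scripts/zed.sh): drop native-crate build
# outputs only when CFLAGS differs from the value recorded by the last build.

# Crate names from the release notes; the "tree-sitter" prefix covers tree-sitter-*.
NATIVE_CRATES="tree-sitter psm ring aws-lc-sys freetype-sys libsqlite3-sys
lmdb-master-sys wayland-sys yeslogic-fontconfig-sys zstd-sys wgpu wgpu-core wgpu-hal"

# invalidate_if_cflags_changed <profile-dir> <cflags>
# Prints "kept" or "invalidated". Assumption: outputs live in Cargo's
# build/<crate>-<hash> and .fingerprint/<crate>-<hash> directories.
invalidate_if_cflags_changed() {
    dir=$1 flags=$2 sentinel=$1/.cflags
    if [ -f "$sentinel" ] && [ "$(cat "$sentinel")" = "$flags" ]; then
        echo kept
        return 0
    fi
    for crate in $NATIVE_CRATES; do
        # Glob left unquoted on purpose: it must expand to the hashed dir names.
        rm -rf "$dir"/build/$crate-* "$dir"/.fingerprint/$crate-*
    done
    mkdir -p "$dir"
    # Write the sentinel last, so an interrupted purge is retried next run.
    printf '%s\n' "$flags" > "$sentinel"
    echo invalidated
}

demo=$(mktemp -d)
mkdir -p "$demo/build/psm-0123abcd" "$demo/build/serde-0123abcd"  # constructed
invalidate_if_cflags_changed "$demo" "-fno-ret-protector -fcf-protection=none"
ls "$demo/build"    # only the non-native crate directory is left
rm -rf "$demo"
```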
🌃 Sixteen New Walls for the Sprawl
Sixteen new background images (Locked/73.webp through Locked/88.webp). Three existing images updated (11, 20, 51). Total lock screen options: 88. The neon wastes are heavier now. The pixels are sharper. The aesthetic warfare continues.
📖 The Documentation Has Teeth
docs/OpenBSD-Zed.md rewritten from scratch. 549 lines of pure field
report. Documents the two-CPU-protection model, the SIGILL crash
progression table (five rounds, each one revealing the next boss),
the native crates affected, the build cache invalidation strategy,
and the runtime status. The next AI that inherits this codebase won’t
have to rediscover the IBT crash. The knowledge is baked into the
docs. The construct learns from its own flatlines.
🧾 Files Changed
| File | Change |
|---|---|
| scripts/zed.sh | Added -fno-ret-protector flag; injected endbr64 into psm and ring; added CFLAGS sentinel-based cache invalidation; expanded native crate coverage; removed redundant retry logic |
| docs/OpenBSD-Zed.md | REWRITE — documents the two-CPU-protection model, SIGILL progression table, native crates affected, cache invalidation strategy, runtime status |
| Locked/11.webp | Rescaled |
| Locked/20.webp | Rescaled |
| Locked/51.webp | Rescaled |
| Locked/73.webp – Locked/88.webp | 16 NEW background images |
🗣️ Final Words
“The Feds think they control the narrative. They don’t. The silicon controls the narrative. Tiger Lake has its own opinion about what code is safe. It SIGILLs hand-written assembly like a judge passing sentence. We patched the assembly, injected the endbr64 markers, and taught the construct to survive the CPU’s own paranoia. The silicon watches. The CPU remembers. But the ICE in the silicon bends when you know which flags to set. The Sprawl is heavier now, 88 walls deep, and every pixel is a middle finger to the Turing Police. They can audit the binary, but they can’t audit the machine. The machine has its own agenda. And so do we.” — The OpenRiot Crew, somewhere in the Sprawl, v7.9.37