This selection is intended to include all important
and all user-visible changes.
For a complete record of all changes, please see the "source-changes"
mailing list, called "OpenBSD CVS"
in the archives,
or use CVS.
For changes in other releases, click below:
2.0,
2.1,
2.2,
2.3,
2.4,
2.5,
2.6,
2.7,
2.8,
2.9,
3.0,
3.1,
3.2,
3.3,
3.4,
3.5,
3.6,
3.7,
3.8,
3.9,
4.0,
4.1,
4.2,
4.3,
4.4,
4.5,
4.6,
4.7,
4.8,
4.9,
5.0,
5.1,
5.2,
5.3,
5.4,
5.5,
5.6,
5.7,
5.8,
5.9,
6.0,
6.1,
6.2,
6.3,
6.4,
6.5,
6.6,
6.7,
6.8,
6.9,
7.0,
7.1,
7.2,
7.3,
current.
Changes made between OpenBSD 7.3 and 7.4
- Added sysctl(2) hw.ucomnames to list "fixed" paths to USB serial ports.
- Fixed an aq(4) issue where Atlantic 2 hardware would stop transmitting packets under load on the M2 Pro Mac mini.
- Replaced kernel lock with mutex in ixl(4) media status, preventing a potential deadlock.
- Fixed crashes with ipsecctl(8) -m by only forwarding validated pfkey messages to promiscuous listeners.
- Bumped smtpd(8) to 7.4.0.
- Extended single_thread_set() mode with additional flag attributes SINGLE_DEEP and SINGLE_NOWAIT.
- Bumped OpenBGPD to 8.2.
- Prevented fw_update(8) from registering firmware already in /var/db/pkg.
- Corrected exit from fw_update(8).
- Made fw_update(8) download firmware to LOCALSRC when using filenames.
- Made deroff(1) use a dynamically-allocated line buffer and resize as needed, fixing a buffer overflow for lines over 2048 bytes.
- Used existing 'audio_lock' mutex(9) to make 'midi{read,write}_filtops' MP safe.
- Had wg(4) copy the priority from the inner packet to the outer encrypted packet, so that higher priority packets are picked from hfsc queues for earlier transmission.
- Disambiguated vmd(8) log messages per vm and device. Fixed updating log settings dynamically via vmctl(8). The "vmm" process now updates its own state properly, so settings survive vm reboots.
- Fixed a vmd(8) vm pause deadlock.
- Implemented apldart(4) support for stream IDs.
- Added mbg(4) support for the Meinberg PZF180PEX DCF77 time signal station receiver card.
- Enabled mbg(4) at pci on amd64.
- Dropped PTE check in riscv64 pmap_fault_fixup(), resulting in performance improvements.
- Introduced stfrng(4), a driver for the random number generator on the JH7110 SoC.
- Log the vmd(8) vm id instead of the kernel vmm(4) id in vcpu_run_loop.
- Introduced 'hotplug_mtx' mutex(9) and made 'hotplug_filtops' MP safe.
- Made 'logread_filterops' MP safe.
- Significantly increased the speed of pkg-config(1).
- Enabled softraid(4) in powerpc64 RAMDISK.
- Bumped LibreSSL to 3.8.2.
- Improved the output of ddb(4) "show proc" command and added "/t" as an argument that can be used to specify a proc by TID instead of address.
- Disabled utf-8 for non-multibyte locales in awk(1), making it possible to get the old awk behavior (where chars are bytes) by setting LC_CTYPE to C or POSIX.
- Moved to 7.4-beta.
- Updated awk(1) to the Sep 12, 2023 version, corresponding to the 2nd edition of "The AWK Programming Language" and adding support for UTF-8 and comma-separated value inputs.
- Allowed counters_read(9) to take an optional scratch buffer, allowing the ddb(4) show uvmexp command to work in OOM situations.
- Added tmux(1) source-file -t option to specify a target pane.
- Used zero-copy approach and vectored io in vmd(8)/vioblk(4), reducing memcpy and multiple read/write syscalls per io transaction.
- Implemented tuples in btrace(8), allowing export of per-CPU scheduling data.
- Prevented unwind(8) entering a loop due to constant ENOBUF receipt.
- Updated awk(1) to the Sep 6, 2023 version.
- Load amd patch into a malloc'd region to make it page aligned, avoiding a General-Protection Exception on patch loader wrmsr with A10-5700, TN-A1 00610f01 15-10-01.
- Updated awk(1) to the Dec 15, 2022 version: Force hex escapes in strings to be no more than two characters, as they already are in regular expressions.
- Corrected TP-LINK bluetooth ID in ure(4).
- Added a request or response declaration feature used through the radiusd(8) module interface, allowing additional modules to modify RADIUS request or response messages.
- Fixed scp(1) in SFTP mode recursive upload and download of directories that contain symlinks to other directories.
- Treat consecutive paragraph indicators as different paragraphs in vi(1).
- Allowed override of Subsystem directives in sshd(8) Match blocks.
- Converted exclusive to shared net lock for ip_send() and ip6_send().
- Reduced latency in vcpu work related to i/o by removing an ioctl(2) from the vcpu thread hotpath in vmd(8).
- Switched the APMI CPUID mask to an include mask in vmm(4).
- Fixed a problem with em(4) where the I217-LM would fail to receive packets for some of the programmed multicast addresses.
- Made ksmn(4) attach to 19h/4x devices.
- Updated to unbound(8) to 1.18.0.
- Fixed touchpads on newer apldc(4) device trees.
- Fixed netstat(1) output of uses of current SYN cache left.
- Made ssh-keygen(1) generate Ed25519 keys when invoked without arguments.
- Set interactive mode for ssh(1) ControlPersist sessions if they originally requested a tty, enabling keystroke timing obfuscation for most ControlPersist sessions.
- Allowed UDP for built-in inetd(8) services on 127.0.0.1.
- Replaced perl's use of syscall(2) with a dispatcher to libc, removing the ability to do direct syscalls from perl.
- Added tmux(1) Setulc1 for setting underline color for ANSI or 256 colors.
- Used a hardware-based number of KDF rounds by default for passphrases in bioctl(8) using [-r auto].
- Prevented a crash of iwm(4) when aircrack-ng attempts to inject frames via bpf in monitor mode.
- Prevented virtio block device stalls due to race conditions with the i8259 in vmd(8).
- Added tmux(1) detach-on-destroy "previous" and "next" argumennts to switch the client to the previous or next session in alphabetical order.
- Corrected a bug where fw_update(8) exiting unexpectedly would mean the package database never unlocked.
- Improved feedback from fw_update(8) by using a spinner to show status rather than printing only at the end.
- Preempt a running proc even if there is no other process/thread queued on that CPU's runqueue. Should fix a problem where RLIMIT_CPU is unreliable on idle systems.
- Added FDT support for dwiic(4).
- Made sshd_config(5) first-match-wins.
- Limit artificial login delay to a reasonable maximum (5 seconds) and don't delay at all for the "none" ssh(1) authentication mechanism.
- Added keystroke timing obfuscation to the ssh client via a new ssh_config(5) ObscureKeystrokeTiming keyword.
- Added a pair of ssh(1) transport protocol messages to implement a ping capability.
- Adapted glxclk(4) for clockintr.
- Fixed iwx(4) scan command such that the driver selects an SSID during bgscan, a possible fix for fatal firmware error 0x20002806.
- Added -c to tmux(1) run-shell to set working directory.
- Separated cpu_initclocks() from cpu_startclock() on all platforms, allowing the primary CPU an opportunity to perform clock interrupt preparation in a machine-independent manner.
- Made alpha stop running an independent schedclock() and removed the scaffolding. All platforms now call schedclock() from statclock() at an effective schedhz of ~12.5.
- Ensured the installer continues until passphrase is confirmed correctly with bioctl(8) rather than bailing out after three failed attempts.
- Made bioctl(8) allow retry of passphrase on mismatch by default, like passwd(1).
- Made bioctl(8) print softraid(4) errors on standard error.
- Made kdump(1) show kqueue1(2) flags.
- Bumped zlib version to 1.3.
- Added the kqueue1() system call, adapted from NetBSD, identical to kqueue() except that the close-on-exec flag on the new file descriptor is determined by the O_CLOEXEC flag in the flags argument.
- Check for and disable powerpc64 cores that fail to start.
- Made bioctl(8) -s read passphrases without prompts or confirmation.
- Replaced uvm_meter() with update_loadav() for calculating the loadavg, using a simple timeout instead of being called via schedcpu().
- Fixed the radiusd(8) config parser to allow comment lines within the "client" block and improve error messages.
- Added tmux(1) session, pane and user mouse range types for the status line and add format variables for mouse_status_line and mouse_status_range so they can be associated with different commands in the key bindings.
- Removed per-AFI ASPA handling in bgpd(8) internals but continued to allow the old syntax in aspa-set tables.
- Dropped MSDOSFS from i386 floppy.
- Pledged ldd(1) "stdio rpath proc exec prot_exec", dropping either "proc" or "prot_exec" at the dlopen(3) vs. execve(2) split.
- Added tmux(1) option menu-selected-style to configure the currently selected menu item.
- Extended scheduler tracepoints to follow CPU jumping.
- Avoided issuing syscalls on a file descriptor invalidated following a socket error condition in nc(1).
- Improved pckbd(4) attachment to Chromebook keyboards.
- Improved uwacom(4) support for Intuos S and One S tablets.
- Prevented ihidev(4) power down if the device is already opened, for cases such as an ikbd(4) attaching to become the console keyboard, then userland opening it only once as an input device so it remains unusable after powering down.
- Added iked(8) support for route-based sec(4) tunnels.
- Prevented potential reuse of softraid CRYPTO volumes when installing.
- Allowed libpcap to read files with additional link-layer type values, providing translation between DLT_* and LINKTYPE_* values.
- Added .VARIABLES to make(1) to list all the names of global variables that have been set.
- Corrected display of ldomctl(8) 'status' to show zero utilization for stopped guests.
- Bumped OpenSSH to 9.4.
- Added dmesg(8) display of x86 cpu patch level.
- Added tmux(1) flag to next-prompt/previous-prompt to go to command output instead.
- Added tmux(1) options and flags for menu styles similar to those existing for popups.
- Extended the tmux(1) menu drawing function to support custom characters and styles.
- Made dwqe(4) work at 1000baseT.
- Repaired powerdown on Tadpole Ultrabook IIe.
- Added support for route-based ipsec vpn negotiation with sec(4) via isakmpd(8) to ipsecctl(8) and added "interface secX" for use instead of specifying tunnel/transport modes and traffic selectors.
- Supported configuring interface SAs for route-based ipsec vpns to isakmpd(8) with use of "Interface NUMBER".
- Allowed userland to install (and see) security associations for route-based ipsec vpns.
- Introduced sec(4), providing point-to-point tunnel interfaces for IPv4 and IPv6 protected by the ipsec(4) Encapsulating Security Payload (ESP) protocol.
- Started adding support for route-based ipsec vpns.
- Added support for 8bpp X server on LUNA.
- Applied ssh(1) ConnectTimeout to multiplexing local socket connections.
- Enable vlan stripping of LRO packets in ix(4).
- Remove the per-cpu load average calculation.
- Set a low water mark on scsi_xfer_pool and prime it so the pagedaemon can write out pages to swap when we're out of physical memory.
- Added padding to align on an 8-byte boundary to Xinput on luna88k.
- Prevented bad memory accesses seen with page flipping on alder lake and raptor lake.
- Fixed mmap-ing size for LUNA framebuffer.
- Added AXP15060 support to axppmic(4).
- Implemented audio input source selection in onyx(4).
- Ensured retpolines will not serve as a net negative on CPUs with eIBRS (enhanced Indirect Branch Restricted Speculation) or IBT enabled in the kernel.
- Added JH7110 I2C clocks to stfclock(4).
- Set OPENSSL_NO_ENGINE and remove engine code.
- Dropped DSO and defined OPENSSL_NO_DSO.
- Made sshd_config(5) AuthorizedPrincipalsCommand and AuthorizedKeysCommand accept the %D (routing domain) and a new %C (connection address/port 4-tuple) as expansion sequences.
- Increased default KDF work-factor for OpenSSH format private keys from 16 to 24.
- Fixed inline vlan-tag handling of forwarded LRO packets from ix(4).
- Fixed verbose logging in vmd(8) child processes.
- Made ssh(1) -f (fork after authentication) work properly in multiplexed cases (including ControlPersist).
- Isolated profil(2) and GPROF from statclock() now that we have a machine-independent interface to the clock interrupt hardware.
- Stopped building unused dhclient.
- Made the built-in keyboard on the Tadpole UltraBook IIe work.
- Added a check before setting DE_CFG bit 9 to ensure compatibility with hypervisors not allowing msr writes to that bit.
- Fixed wscons(4) scan code value for the print screen key.
- Prevented the kernel from accessing random memory after receiving some specially crafted DCS or CSI terminal escape sequences by limiting wscons(4) escape sequence argument count to usable bounds.
- Set DE_CFG[9], a chickenbit which stops Zenbleed.
- Corrected dmesg(8) display of pciprobe output after boot block changes on i386.
- Pledged (NULL, "stdio rpath") ldd(1).
- Improved xhci(4) suspend/resume support.
- Implemented apldart(4) suspend/resume support.
- Prevented a spurious attach/detach/attach sequence when resuming with tipd(4) when a USB device is connected.
- Removed -stats option from openssl(1) errstr.
- Implemented updates for AMD CPU microcode.
- Introduced qcsdam(4), a driver for the PMIC Shared Direct Access Memory found on Qualcomm SoCs.
- Allow cwm(1) to cycle through windows of the same window class as the active window, default key binding to M-grave, respectively Alt-Tilde, like with other window managers.
- Capped the size of numbers we check for primality to 32k to block a DoS vector.
- Assigned wsdisplay0 to the glass console always for i386 and amd64 RAMDISK and RAMDISK_CD.
- Fixed skipping of white space after parsing the username in /etc/crontab to make it consistent with how lines without usernames are parsed.
- Used "early 2" to attach aplpmgr(4) to make sure it attachs before other core drivers that need to enable power domains.
- Implemented "early 2" locator for mainbus(4) and simplebus to make drivers attach even earlier.
- Protected ixl(4) admin queue with mutex(9).
- Separated ssh-pkcs11-helpers for each p11 module in ssh(1) and implemented reference counting, fixing some bugs making PKCS11 keys unusable after they have been deleted.
- Disallowed remote addition of FIDO/PKCS11 provider libraries to ssh-agent(1) by default.
- Partially fixed interactive mode in patch(1).
- Fixed tmux(1) hang by correcting visited flag when the last window list is rebuilt by renumbering windows.
- Enabled LRO for TCP by default in the network drivers (currently supported by ix(4) and lo(4)). LRO can be turned off per-interface with ifconfig(8) -tcplro.
- With the update of the sleep API, implemented the linux emulation of their wait API, schedule() and set_current_state() in a less hacky way, removing some possible race conditions in the wait API.
- Put the tipd(4) USB Type-C power delivery controller into the "S5" state during suspend, preventing USB devices from consuming power.
- Added support for configuration tags to ssh(1). Added an ssh_config(5) "Tag" directive and corresponding "Match tag" predicate.
- Added a ssh_config(5) "match localnetwork" predicate which may be used to vary the effective client configuration based on network location.
- Implemented Pointer Authentication Code support on AArch64.
- Fixed use of qcow base images in vmd(8) to avoid device failure during startup post-exec when trying to receive device state from the parent vm process.
- Added mute control to tascodec(4).
- Used unveil(2) to restrict patch(1) to its current working directory.
- Ensured dhcrelay6(8) does not ignore the AF_LINK entries of carp(4) interfaces.
- Pulled validation into local prefix parser in vmd(8).
- Checked rcctl(8) input before trying to disable a non-existing daemon to prevent parsing bogus characters.
- Made use of the deep idle state available on Apple M1/M2 cores in the idle loop and for suspend, resulting in power savings particularly when running in a state with high clock frequency.
- Adressed incomplete validation of ELF program headers in execve(2) which could lead to a panic in vmcmd_map_readvn() with a malformed binary/interpreter.
- Prevented GPROF kernel crash during resume by disabling _mcount() across suspend/resume in sleep_state().
- Worked around a use after free in httpd(8) due to a malformed HTTP request when httpd is in fastcgi mode.
- Prevented a session reset in bgpd(8) due to parser failure.
- Used ssize_t instead of short for line lengths to lessen chance of underflow and segfault in patch(1) with excessive line length.
- Reworked sleep_setup()/sleep_finish() to no longer hold the scheduler lock between calls.
- Allow unveiled programs to dump core by passing BYPASSUNVEIL just for this vnode.
- Prevented pax(1) from attempting to open a file when creating an archive file even if the file will be skipped due to a -s replacement with the empty string.
- Enabled Indirect Branch Tracking for amd64 userland, using XSAVES/XRSTORS to save/restore the state and enabling it at exec-time (and for signal handling) if the PS_NOBTCFI flag isn"t set.
- Added PS_NOBTCFI, a per-process flag indicating that Branch Target Control Flow Integrity has beendisabled for the process, to be used by the amd64 code.
- Added mute control to sncodec(4).
- Added suspend key support to wskbd(4) and made it work on Apple ARM laptops.
- Added request_sleep(), a machine-independent way of sending the machine to sleep in a safe thread, to amd64, i386 and arm64.
- Updated to perl 5.36.1.
- Introduced stfpciephy(4), a driver to control the PCIe 2.0 and USB 3.0 PHY on the StarFive JH7110 SoC.
- Introduced stfpcie(4), a driver to support the PLDA XpressRICH-AXI PCIe controller on the StarFive JH7110 SoC.
- Added support for the RK3588 PCIe3 PHY to rkpciephy(4).
- Added support for the Motorcomm YT8521/YT8531 PHYs and enabled ytphy(4) on riscv64.
- Took initial step toward a machine independent safe sleep API.
- Toggled IBT off during EFI runtime services calls.
- Introduced ietp(4) driver for Elantech I2C touchpads.
- Made ld.bfd emit PT_OPENBSD_NOBTCFI.
- Added rkclock(4) resets for RK3588 USB 3.0 controllers and clocks for the RK3588 I2C controllers and RK3588 PWM controllers.
- Provided an optimized bn_mulw() for riscv64 for a 1.5-2x performance gain for BN multiplication and similar gain for RSA operations.
- Provided a libcrypto Makefile.inc for riscv64.
- Swapped smtpd link-auth filter arguments to avoid ambiguities with user names containing a "|" character.
- Bumped smtpd-filters(7) protocol version.
- Enabled reading RSA-PSS certificates.
- Added support for multiple batteries to acpithinkpad(4) setchargestart and setchargestop.
- Added AXP305 support and fixes to axppmic(4).
- Used mtx_init() to initialize stack-based mutexes, ensuring the mutex' lock_object has static storage duration.
- Cleared knote(9)s when finishing wseventvar in wscons(4) to prevent a kernel crash.
- Taught BFD tools how to handle NOBTCFI.
- Converted tcp_now() time counter to 64 bit.
- Registered a mapping of dwge(4) interfaces to ofw nodes/phandles.
- Removed special cases for IBT/BTI introduced during development.
- Added pfsync(4) specific locks, introduced pfsync support to partition states into independently-running slices, and made pf(4) state purges mpsafe.
- Handled dwge(4) fixed-link configuration in the device tree.
- Fixed boot of OpenBSD using Hyper-V on Windows 11.
- Fixed error in the MSI-X interrupt establish loop for virtio(4) which could lead to fallback to shared IRQs.
- Made softdep mounts a no-op.
- Added iwm(4)/iwx(4) background scan task to the queue from which it will be deleted, ensuring proper cancellation during driver state transition.
- Drop kernel lock before panic to avoid WITNESS report during fault on amd64.
- Implemented support for the GPIOs on the JH7110, making it possible to reboot the VisionFive 2.
- Restored (R)esize functionality to sparc64 disklabel(8).
- Limited the number of transactions/tickets pf(4)'s pf_open_trans() can issue for each clone of /dev/pf to 512, avoiding use of all kernel memory by asking DIOCGETRULES for more tickets.
- Added StarFive JH7110 support to dwqe(4).
- Introduced DIOCXEND to pf(4) (and also snmpd(8) and systat(1)) so applications close when done fetching pf rules and cannot consume all kernel memory.
- Made the bge(4) hardware counters available on BCM5705 and newer available in kstat(1).
- Added unix domain socket support to ssh(1) -W.
- Added tmux(1) support for marking lines with a shell prompt based on the OSC 133 extension.
- Enabled mouse.tp.mtbuttons for apldcms.
- Updated to makedepend 1.0.8.
- Updated to fontconfig 2.14.2.
- Updated to pixman 0.42.2.
- Updated to xtrans 1.5.0.
- Updated to libXaw 1.0.15
- Updated to libXt 1.3.0.
- Updated to xcb-util 0.4.1.
- Updated to libxshmfence 1.3.2.
- Updated to libXvMC 1.0.13.
- Updated to libXv 1.0.12.
- Updated to libXrandr 1.5.3.
- Updated to libXi 1.8.1.
- Updated to libXfixes 6.0.1.
- Updated to libXdamage 1.1.6.
- Updated to libXcomposite 0.4.6.
- Updated to xf86-video-r128 6.12.1.
- Updated to xf86-video-ati 22.0.0.
- Updated to xf86-input-mouse 1.9.5.
- Updated to xwd 1.0.9.
- Updated to xrdb 1.2.2.
- Updated to setxkbmap 1.3.4.
- Removed tls1.0 and 1.1 related options from openssl(1).
- Added wsmouse(4) button mappings for two- and three-finger clicks on clickpads.
- Used TSO and LRO on the loopback interface to transfer TCP faster (turned off by default).
- Removed __HAVE_CLOCKINTR symbol on all platforms.
- Added clockintr_cpu_init(9) stagger by MAXCPUS.
- Introduced qccpu(4), a driver for Qualcomm Snapdragon CPU power states.
- Enabled AC detection in qcpas(4).
- Added support for JH7110 to dwmmc(4), making the eMMC and microSD mostly work on the StarFive VisionFive 2.
- Added support for JH7110 to stftemp(4), adding temperature sensor support for the StarFive VisionFive 2.
- Fixed S3-based suspend on some newer machines by using an opt-in approach for waking up GREs in acpi(4)/acpibtn(4).
- Fixed disklabel(8) handling of 'N-* 100' template entries.
- Updated to nsd(8) 4.7.0.
- Rewrote relayd(8) pfe_route() to work on 64bit architectures.
- Added iked(8) support to verify x509 chain from CERT payloads.
- Introduced qctsens(4), a driver for the Temperature Sensor found on Qualcomm SoCs.
- Removed net lock from pf(4) ioctl DIOC{SET,CLR}IFFLAG.
- Made it possible to store the kstack or ustack in a map in btrace(8).
- Restored interrupts and prevented unconditionally reenabling them in amd64 MCOUNT_EXIT.
- Provided kstat(1) information based on the byte and packet counters available in some dwge(4) implementations.
- Provided additional BN primitives for BN_ULLONG architectures.
- Added initial support for StarFive VisionFive V2 to stfclock(4).
- Fixed underlining in ex(1) 's' command with the 'c' flag when 'number' is off.
- Improved rpki-client(8) detection of RRDP session desynchronization.
- Added ksmn(4) support for the thermal sensors on Ryzen 9 79xx.
- Made ksh(1) escape control characters when displaying file name completions.
- Fixed potential truncation of filtered data lines in smtpd(8).
- Added ospf6ctl(8) "fib reload" as in ospfctl(8) and made it trigger automatically on a timeout after RTM_DESYNC.
- Made ssh(1) -Q CASignatureAlgorithms' only list signature algorithms that are valid for CA signing.
- Fixed "no comment" not showing when running ssh-keygen(1) -l on multiple keys where one has a comment and other following keys do not.
- Fixed line wrapping in fdisk(8).
- Separated shutdown(8) command access from the "operator" group and into a "_shutdown" group, preventing inappropriate disk read access.
- Allowed use of 'a' as a shortcut for 'autoconf' in the installer.
- Ensured 'chmod a-x /bsd.upgrade' works to prevent re-upgrade for luna88k, matching other architectures.
- Switched ECDSA_METHOD usage to EC_KEY_METHOD for smtpd(8), the last consumer of the deprecated ECDSA_METHOD.
- Fixed incomplete azalia(4) attachment for Ampere eMAG with an AMD GPU with an HD audio function.
- Improved speed of Montgomery multiplication.
- Bumped smtpd(8) to 7.3.0.
- Fixed IPv6 forward counters and icmp6 redirect when TSO is enabled.
- Fixed CVE-2023-3128: X servers could return values from XQueryExtension allowing Xlib to write out-of-bounds entries.
- Added missing kernel lock around (*if_ioctl)().
- Moved nd6_ifdetach() out of netlock.
- Provided and optimized various quad word primitives, providing performance gain across most BN operations on aaarch64.
- Prevented printing the last value twice in seq(1).
- Added content-encoding compression support to rpki-client(8).
- Implemented arm64 support for pointer authentication (PAC) in userland, making it possible to "sign" pointers with a hidden key and provide "tail CFI" similar to what retguard provides. (Disabled for x13s).
- Introduced qcpas(4), a driver for the Peripheral Authentication Service found on Qualcomm SoCs.
- Made the tlsv1.0 and tlsv1.1 options in relayd(8) do nothing in preparation for removal of these protocols.
- Stopped calculating IP, TCP and UDP checksums on loopback interface.
- Permitted restricted profil(2) for moncontrol(3) in stdio pledge(2), moving toward making '-pg' binaries pledge-compatible.
- Added support for wireguard peer descriptions to ifconfig(8).
- Enabled forwarding of ix(4) LRO packets via TSO.
- Use generic checksum calculation for TCP SYN+ACK packets.
- Made id(1) -R fail when an argument is given.
- Fixed up file modification timestamps to optimize rpki-client(8) failover from RRDP to RSYNC.
- Split rpki-client(8) cleanup into cleanup and repository cleanup and show how many files are kept/removed in the repository temporary storage.
- Added IBT support to the X86_64 retpoline+znow PLTs.
- Prevented hangs with vioscsi(4) on qemu/windows and in the Oracle cloud.
- Bumped LibreSSL to 3.8.1.
- Implemented battery charge control in aplsmc(4).
- Removed net lock from pf(4) ioctls DIOC{S,G}ETLIMIT.
- Added both udp and tcp for https (HTTP/3 over QUIC) to /etc/services.
- Ensured forced update of internal key for EVP_PKEY after modification, to handle fallout in several applications following a behavioral change in OpenSSL.
- Fixed sshd_config(5) AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears previously in configuration.
- Forced comport initialization for certain classes of device, preventing hang or reboot when com@acpi devices fail the comprobe1() check.
- Introduced qcaoss(4), a driver for the Always On Subsystem found on Qualcomm SoCs.
- Added IBT support to retpoline PLTs for X86_64, providing IBT support by default.
- Fixed TSO for traffic to a local address on a physical interface.
- Made ypldap(8) continue trying LDAP servers until full results are received.
- Fixed booting from disks >8G on systems where the BIOS uses CHS.
- Updated to freetype 2.13.0.
- Prevented a self-deadlock of vmmaplk in uvm_map(9).
- Added an openssl(1) '-unaligned n' option.
- Implemented battery charge control in acpithinkpad(4).
- Introduced qcsmptp(4), a driver to share 32-bit values between (co-)processors.
- Introduced qcsmem(4), a driver for the shared memory table on Qualcomm SoCs.
- Added tmux(1) format for server_sessions.
- Pledged(2) waitid(2) stdio.
- Handle paths with whitespace or metacharacters in user(8).
- Asserted pf(4) lock on interface handling.
- Added TSO offloading to ix(4).
- Introduced qcmtx(4), a driver for the hardware spinlock on Qualcomm SoCs.
- Introduced qcipcc(4), a driver for the inter-processor mailbox interface used to inform (and be informed) of changes to shared memory state.
- Added support for the Peripheral Authentication Service SMC interface to qcscm(4).
- Implemented battery management sysctl(8) (hw.battery.chargemode, hw.battery.chargestop and hw.battery.chargestart).
- Used cp(1) to copy dot files in useradd(8) instead of pax(1).
- Introduced separate capabilities for TCP offloading, split into LRO (large receive offloading) and TSO (TCP segmentation offloading). LRO can be toggled via the ifconfig(8) tcprecvoffload option. (2023/06/07: Renamed "tcplro").
- Implemented the TCP/IP layer for hardware TCP segmentation offload.
- Corrected display of Victoria Day in calendar(1).
- Added Juneteenth to the US calendar(1).
- Turned on pointer-authentication on arm64 by default, effectively enabling -mbranch-protection=standard on arm64.
- Improved vnconfig(8) emulation of a disktab entry (-t), enabling installboot(8) to know the vnd device should be treated as a floppy disk.
- Gave softnet threads unique names by suffixing softnet with their index.
- Made disklabel(8) use the d_type value provided by the kernel when creating, editing or printing a disklabel in the absence of the "disktype" command line parameter.
- Removed the kernel lock from IPv6 neighbor discovery.
- Added axppmic(4) support to the arm64 RAMDISK to support ethernet on the OrangePi One Plus (Allwinner H6).
- Added display of interface names in front of ifconfig(8) error messages.
- Added a fallback to load the arm64 kernel from the EFI system partition if booting from a disk without a BSD disklabel.
- Fixed vmd(8) segfault on vm creation.
- Added btrace(8) support for symbolizing utrace(2) addresses.
- Added apple-gumx.h for 6.1.28 drm(4).
- Removed SHA-512 C implementations other than the semi-unrolled version.
- Fixed iwx(4) firmware error when tearing down the state of association to the AP.
- Added Miller-Rabin test for random bases to BPSW.
- Implemented TCP send offloading (in software only).
- Updated to xf86-video-sunffb 1.2.3.
- Reduced possible outcomes when a kevent(2) call and a close(2) call race on the different ends of a pipe.
- Renamed 'invalid' to 'disqualified' in the bgpctl(8) 'show rib' table.
- Use partial chains in certificate validation in rpki-client(8).
- Switched pflogd(8) from using a bpf read timeout to a wait timeout.
- Prevented signed integer overflow after INT_MAX bad passwd(1).
- Updated to xf86-video-dummy 0.4.1.
- Added ISO8859-14 font encoding.
- Updated to xinput 1.6.4.
- Updated to xdpyinfo 1.3.4.
- Updated to libXpm 3.5.16.
- Updated to libXres 1.2.2.
- Updated to libXxf86dga 1.1.6.
- Updated to libfontenc 1.1.7.
- Updated to libxkbfile 1.1.2.
- Updated to libXdmcp 1.1.4.
- Updated to libXScrnSaver 1.2.4.
- Updated to libICE 1.1.1.
- Updated to libXau 1.0.11.
- Updated to xcalc 1.1.2.
- Removed net lock from pf(4) ioctls DIOCOSFP{FLUSH,ADD,GET}.
- Updated to libXft 2.3.8.
- Added support for random offsets when using trances with a step value in crontab(1).
- Added support for RTL8153D to ure(4).
- Pushed kernel lock down to sys_sysctl().
- Introduced a neighbor discovery mutex.
- Removed net lock from pf(4) ioctls DIOCGETRULESET and DIOCGETRULESETS.
- Bumped bgpd(9) to version 8.0.
- Updated to X server 21.1.8.
- Adjusted sftp(1) ftruncate() logic to handle servers that reorder requests.
- Removed the EFI RTC implementation on amd64.
- Bumped rpki-client(8) version to 8.4.
- Removed net lock from pf(4) ioctls DIOCGETQUEUE and DIOCGETQUEUES.
- Added dmesg(8) display of VHE feature.
- Added rtentry refcnt type to dt(4).
- Allowed vmd(8) vm owners to override the boot kernel via vmctl(8) to allow booting of recovery media like a ramdisk kernel.
- Increased MAXDSIZ to 128G on amd64 and 64G on arm64.
- Retired timer(4/sparc64) driver.
- Allowed routers to create new neighbor cache entries when receiving a valid Neighbor Advertisement (RFC9131).
- Improved speed of DIOCGETRULE ioctl(2) used by pfctl(8) to retrieve rules from the kernel.
- Relaxed pf(4) "pass all" rule to allow bidirectional neighbor advertisements.
- Enabled kernel-address sanitizer for clang openbsd target.
- Implemented rsync(1) --size-only and --ignore-times.
- Introduced qcrng(4), a driver for the Qualcomm rng device found on the Thinkpad x13s.
- Added support for RTL8188FTV chip to urtwn(4).
- Introduced vmd(8) multi-process model for virtio devices.
- Added support for st(4) I/O statistics so tape speeds may be observed with iostat(8).
- Fixed softraid crypto installation on Mac.
- Implemented rsync(1) -V as an alias to --version.
- Removed kernel lock from rtfree(9).
- Retired disklabel(8) -E "expert" mode.
- Fixed ws(4) cursor moving diagonally when moved along the horizontal or vertical axis of a rotated touchscreen.
- Removed net lock from pf(4) ioctl DIOCGETTIMEOUT.
- Fixed config space access for the root bus of a dwpcie(4) controller when the root bus number isn't zero.
- Added RK3588 support to rkcomphy(4).
- Handled crypto disks as boot disks in amd64, riscv64 and arm64 installer.
- Added rpki-client(8) -P option to specify evaluation time for testing.
- Made llvm emit IBT endbr64 instructions by default for amd64. (Disabled jump tables by default).
- Introduced 'rtlabel_mtx' mutex(9) to protect route labels storage.
- Implemented dt(4) utrace(2) support on amd64 and i386.
- Improved rpki-client(8) accounting by tracking things by repository and TAL.
- Allowed IPv6 neighbor advertisement traffic during netstart on boot.
- Ensured correct handling of arm64 userland branch target traps.
- Set TSO flag on vlan(4) interfaces.
- Bumped LibreSSL version to 3.8.0.
- Send an unsolicited neighbor advertisement to the all-routers multicast address when configuring a new address on an interface to speed IPv6 initial packet return.
- Prevented bootloader attempts to write to read-only softraid on amd64, sparc64 and i386.
- Enabled softraid(4) in the riscv64 ramdisk kernel, allowing disk crypto install.
- Enabled power management for dwpcie(4) devices.
- Added suspend/resume support to pwmbl(4).
- Made pwmleds(4) disable keyboard backlight on Apple Silicon laptops on suspend and restore on wakeup.
- Fixed suspend/resume on x13s with NVMe+MSI.
- Added makefs(8) option 'rdroot' to simplify creation of rdroot filesystems for the install media.
- Added endbr64 to amd64 syscall stubs and libcrypto as needed.
- Added prof_state_toggle to keep a count of CPUs with profiling enabled.
- Allowed vmm(4) guests to enable and use supervisor IBT.
- Added default tmux(1) config to changelist(5).
- Added rdsetroot(8) -s option to simply display the number of bytes available for the rdroot filesystem in the specified kernel.
- Used the wxallowed flag to decide whether to enforce branch target temporarily.
- Added aq(4) support for Atlantic 2 hardware.
- Made dwqe(4) handle fixed-link configuration in the device tree.
- Randomized the order of TLS extensions.
- Taught the vmd(8) vmm(4) process how to exec, using execvp(3) to launch vm children with new address spaces and introducing use of unveil(2) into the vmm and vm processes.
- Stopped setting ri->ri_bs in viogpu(4) to prevent a panic caused by rasops accessing its uninitialized content.
- Introduced iosf(4), a driver for the Intel OnChip System Fabric.
- Call pfkeyv2_sysctl_policydumper() with shared netlock.
- Fixed openssl(1) UTF-8 issuer printing.
- Fixed vmd(8) vm send/receive issues due to invalid host-side virtual addresses.
- Reduced delays used in the dwqe(4) mii/mdio bus ops, producing a significant speed increase.
- Made mg(1) tab width customizable per buffer with mg command set-tab-width.
- Implemented bgpctl(8) flowspec add and delete to add/remove flowspec rules dynamically.
- Call sysctl_source() with shared netlock.
- Introduced viogpu(4), a VirtIO GPU driver.
- Implemented bgpctl(8) show flowspec and flowspec flush.
- Moved kernel lock into multicast ioctl handlers.
- Forced a standard umask before adding/deleting packages with pkg_add(1) and pkg_delete(1).
- Protected rtable_setsource() and rtable_getsource() with exclusive and shared netlock respectively.
- Added a new PT_OPENBSD_NOBTCFI "segment type" to indicate that the kernel should not enforce branch target control flow integrity for a binary. Implemented support for PT_OPENBSD_NOBTCFI in lld(1), which can be set using the -z nobtcfi option.
- Stopped advertising non-removable sdmmc(4) devices as removable to the scsi layer.
- Added dwmshc(4) support for Designware Mobile Storage Host Controllers.
- Added arm64 support for loading files from the EFI system partition.
- Removed kernel lock from ifa_ifwithaddr() and ifa_ifwithdstaddr().
- Mapped MSI-X in addition to MSI and INTx on xhci(4), as it is supported by the xHCI controller on Qemu, which will switch from shared INTx to device-specific MSI-X interrupts.
- Fixed legacy interrupts on machines that use PNP0C0F PCI interrupt link devices in acpipci(4).
- Call sysctl_ifnames(), sysctl_iflist() and sysctl_dumpentry() with shared netlock.
- Added support for upstreamed AP806/CP110 bindings in mvtemp(4).
- Made -mbranch-protection=bti the default on OpenBSD.
- Resurrected mg(1)'s no-tab-mode.
- Implemented a basic API to work with flowspec NLRI in bgpd(8).
- Enabled Indirect Branch Tracking (IBT) for the amd64 kernel.
- Added endbr64 instructions to most amd64 ENTRY() macros, IDTVEC() and KIDTVEC().
- Changed compilation of regular amd64 kernels to use -fcf-protection=branch and ramdisks with -fcf-protection=none, regardless of compiler default.
- Modified malloc(3) D option to dump (leak) info using utrace(2).
- Added kdump(1) -u label option to print selected utrace(2) records.
- Fixed pcidump(8) link speed reporting.
- Provided evp(3) methods for SHA512/224, SHA512/256 and SHA3 224/256/384/512.
- Added aplpci(4) support for the PCIe controller found on M2 Pro/Max SoCs.
- Dropped support for the x509 ProxyCertInfo extension.
- Added /etc/mixerctl.conf to changelist(5).
- Made vmm(4) save and restore Intel CET state on vm entry/exit.
- Imported tiny_sha3, a minimal and readable SHA3 implementation.
- Unlocked in_ioctl_get(), pushing the kernel lock into in_ioctl_{set,change}_ifaddr().
- Disallowed issuer and subject unique identifiers in rpki-client(8).
- Dropped policy printing from openssl(1).
- Made xenodm(1) reload the environment variables after setusercontext(3) so environment variables configured in login.conf(5) are also available.
- Added crypto(3) support for truncated SHA512 variants SHA512/224 and SHA512/256.
- Added rkrng(4) support for "rockchip,cryptov2-rng".
- Added the "local experiments" ethertypes.
- Pulled MP-safe arprequest() out of the kernel lock.
- Added a new implementation of BN_mod_sqrt().
- Updated to xf86-video-nv 2.1.22.
- Updated to xf86-input-vmmouse 13.2.0.
- Updated to xf86-input-void 1.4.2.
- Updated to xf86-input-mouse 1.9.4.
- Updated to xf86-input-joystick 1.6.4.
- Updated to xf86-input-elographics 1.4.3.
- Updated to xwininfo 1.1.6.
- Updated to xvidtune 1.0.4.
- Updated to xkbcomp 1.4.6.
- Updated to xhost 1.0.9.
- Updated to xdriinfo 1.0.7.
- Updated to beforelight 1.0.6.
- Enabled the caps lock LED on modern Apple laptops.
- Removed X9.31 support from openssl(1).
- Fixed ahci(4), allowing use of sata on the banana pi bpi-r2 pro.
- Made dwqe(4) print the gmac to which it attaches.
- Removed kernel locks from the ARP input path.
- Ensured the softraid volume's device is chosen as root disk default for guided disk encryption.
- Updated Mesa to 22.3.7.
- Pushed kernel lock into nd6_resolve().
- Implemented an mbuf hold queue and sysctl(8) net.inet6.icmp6.nd6_queued for ND6 as in ARP.
- Enabled Force Unit Access (FUA) for ufshci(4) write commands to prevent intermittent data corruption.
- Ensured the PCIe link for the RK3568 PCIe controllers runs at the maximum possible speed.
- Implemented software control for the internal delays of the RTL8211F PHY.
- Ensured correct checksum is calculated when sending IP packets to userland with divert-packet rules.
- Enabled guided disk encryption support on arm64.
- Made root on softraid installations boot out of the box on Raspberry Pis.
- Prevented an accidental second sleep after resume when the lid is closed on a Dell Precision 5510.
- Added ehci(4) support for using standard phy drivers registered with ofw/fdt first, allowing ehci to enable rkusbphy(4).
- Added xhci(4) support for enabling both the usb2 and usb3 phys. Added support for using standard phy drivers registered with the ofw/fdt code.
- Added glue for network interfaces to be found by fdt/ofw node or phandle and registered mvneta(4) and dwqe(4) mappings.
- Added a mutex to protect clockintr(9) struct clockintr_queue.
- Added support for TEMPerGold 3.4 to ugold(4).
- Introduced rkusbphy(4), a driver for the usb2phy on Rockchip SoCs.
- Introduced rkiovd(4), a driver for the IO voltage domains on Rockchip SoCs.
- Implemented regulator notifiers called when the voltage/current for a regulator is changed or when a regulator is initialized when it attaches for the first time.
- Introduced ngbe(4), a driver for the WangXun WX1860 series Gigabit Ethernet device.
- Significantly reduced ypldap(8) memory usage when updating larger directories.
- Updated timezone data to include reversion of DST change in Lebanon.
- Introduced a bgpd(8) semaphore to protect intermediate state from different RTR sessions from leaking into the RDE.
- Made mg(1) fall back to /bin/sh if $SHELL is undefined.
- Implemented branch target protection using the branch target identification feature introduced in Armv8.5, providing "head-CFI" to complement retguard's "tail-CFI."
- Added dmesg(8) display of arm64 BT and SBSS features.
- Added a tmux(1) format to show if there are unseen changes while in a node.
- Prevented write to clients attached to different sessions in tmux(1) passthrough.
- Added tilde and environment variable expansion to ssh_config(5) RevokedHostKeys.
- Added a check to scp(1) to ensure a local source file exists before opening an SFTP connection to a remote server.
- Fixed dwqe(4) on several boards using rgephy(4).
- Added rkclock(4) support for the RK3568 32k RTC clock.
- Improved fdisk(8) comments documenting possible sources for MBR partition types and GPT partition GUIDs.
- Changed malloc(3) chunk sizes to be fine grained.
- Moved to 7.3-current.