<!doctype html>
<html lang=en id=release>
<head>
<meta charset=utf-8>
<title>OpenBSD 7.3</title>
<meta name="description" content="OpenBSD 7.3">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/73.html">
</head><body>
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.3
</h2>
<table>
<tr>
<td>
<a href="images/DryGarden.png">
<img width="227" height="303" src="images/DryGarden-s.gif" alt="Dry Garden"></a>
<td>
Released Apr 10, 2023. (54th OpenBSD release)<br>
Copyright 1997-2023, Theo de Raadt.<br>
<br>
7.3 Song: "<a href="lyrics.html#73">The Wizard and the Fish</a>"<br>
Artwork by George Mager.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/7.3/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata73.html">the 7.3 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus73.html">detailed log of changes</a> between the
7.2 and 7.3 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-73-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/openbsd-73-base.pub">
RWQS90bYzZ4XFms5z9OodrFABHMQnW6htU+4Tmp88NuQiTEezMm2cQ3K</a>
<tr><td>
openbsd-73-fw.pub:
<td>
RWRSJW95RokBEZUxBFvPCEdtQPg2WMExzMIcjnXzVpIwUpyZZmfXun5a
<tr><td>
openbsd-73-pkg.pub:
<td>
RWTJxSCZzSPKGp8unIp/yxG2lvCXJg5lFVvbOBQUvKEnGHFAO8RPg3mr
<tr><td>
openbsd-73-syspatch.pub:
<td>
RWShXqVD7hfbBpWb1B5EGr1DUX8kkjkTueCsa243lLNocuuVU+2eWMn5
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.3.
For a comprehensive list, see the <a href="plus73.html">changelog</a> leading
to 7.3.
<ul>
<li>Various kernel improvements:
<ul>
<li>Added <a href="https://man.openbsd.org/waitid.2">waitid(2)</a>,
wait for process state change.
<li>Added <a href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>,
specify the call stub for a specific system call.
<li>Added <a href="https://man.openbsd.org/getthrname.2">getthrname(2)</a> and
<a href="https://man.openbsd.org/setthrname.2">setthrname(2)</a>,
get or set thread name.
<li>Added WTRAPPED option for <a
href="https://man.openbsd.org/waitid.2">waitid(2)</a> to control
whether CLD_TRAPPED state changes, i.e., ptrace(2) on a process, are reported.
<!-- kernel internals -->
<li>Introduced <a
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>, a
machine-independent clock interrupt scheduler. Switched all
architectures to use the new subsystem.
<li>Introduced a new kern.autoconf_serial <a
href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> that can be used
by userland to monitor state changes of the kernel device tree.
<li>Fixed <a href="https://man.openbsd.org/pmap.9">pmap(9)</a> bugs
involving entering an executable mapping for a page before
synchronizing the data and instruction cache on arm64 and riscv64.
<li>Removed copystr(9) from the public API.
<li>Added <a
href="https://man.openbsd.org/getnsecruntime.9">getnsecruntime(9)</a>.
Offers fast access to the system runtime clock at the cost of precision.
<li>Prevent detaching ("bioctl -d detach") of a boot volume on a RAID managed by <a
href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>.
<li>On arm64, avoid using 1GB mappings for the identity map in the
early kernel bootstrap phase and when booting the secondary CPUs. This
avoids accidentally mapping memory regions that should not be mapped
(i.e. secure memory) as all mapped memory can be accessed
speculatively.
<li>On arm64, add a machdep.lidaction <a
href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> for <a
href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> Apple Silicon
laptops.<br>
The arm64 default for the machdep.lidaction is 1, making the
system suspend when the lid is closed. <a
href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> provides support
for the lid position sensor.
<li>Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious
wakeups while other CPUs are still active.
<li>Added new <a href="https://man.openbsd.org/dt.4">dt(4)</a> tracing ioctl
DTIOCGARGS to get the types of probe arguments.
</ul>
<li>SMP Improvements
<ul>
<li>Unlocked <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a
href="https://man.openbsd.org/munmap.2">munmap(2)</a>, and <a
href="https://man.openbsd.org/mprotect.2">mprotect(2)</a>.
<li>Unlocked <a href="https://man.openbsd.org/sched_yield.2">sched_yield(2)</a>.
<li>Added support for per-CPU counters to
<a href="https://man.openbsd.org/evcount.9">evcount(9)</a>.
Useful for counting events that are prone to occur simultaneously
across multiple CPUs, like clock interrupts and IPIs.
<li>Moved <a href="https://man.openbsd.org/pf.4">pf(4)</a> purge
tasks out from under the kernel lock.
<li>Unlocked <a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a>
SIOCGIFCONF, SIOCGIFGMEMB, SIOCGIFGATTR, and SIOCGIFGLIST.
<li>Protected interface tables in <a
href="https://man.openbsd.org/pf.4">pf(4)</a> with PF_LOCK(), allowing
removal of NET_LOCK() protection from the <a
href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> code path in pf.
<li>Unlocked <a
href="https://man.openbsd.org/getsockopt.2">getsockopt(2)</a> and <a
href="https://man.openbsd.org/setsockopt.2">setsockopt(2)</a>.
<li>Completed removing kernel lock from IPv6 read ioctls.
<li>Unlocked <a href="https://man.openbsd.org/minherit.2">minherit(2)</a>.
<li>Made <a href="https://man.openbsd.org/tun.4">tun(4)</a> and <a
href="https://man.openbsd.org/tap.4">tap(4)</a> event filters MP-safe.
<li>Unlocked <a href="https://man.openbsd.org/utrace.2">utrace(2)</a>.
<li>Stopped holding the vm_map lock while flushing pages in <a
href="https://man.openbsd.org/msync.2">msync(2)</a> and <a
href="https://man.openbsd.org/madvise.2">madvise(2)</a>. Prevents a
3-thread deadlock between <a
href="https://man.openbsd.org/msync.2">msync(2)</a>, page-fault and <a
href="https://man.openbsd.org/mmap.2">mmap(2)</a>.
<li>Unlocked <a
href="https://man.openbsd.org/select.2">select(2)</a>, <a
href="https://man.openbsd.org/pselect.2">pselect(2)</a>, <a
href="https://man.openbsd.org/poll.2">poll(2)</a>, and <a
href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>.
</ul>
<li>Direct Rendering Manager and graphics drivers
<ul>
<li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
to Linux 6.1.15.
<li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>: Added
support for Ryzen 7000 "Raphael", Ryzen 7020 series "Mendocino",
Ryzen 7045 series "Dragon Range",
Radeon RX 7900 XT/XTX "Navi 31",
Radeon RX 7600M (XT), 7700S, and 7600S "Navi 33."
<li>Fixed frame buffer corruption and additional bugs after wakeup
on Apple Silicon laptops and the Lenovo x13s.
<li>Added support for the backlight connector property to <a
href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> as in <a
href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a>, making <a
href="https://man.openbsd.org/xbacklight.1">xbacklight(1)</a> work
when using the Xorg modesetting driver.
</ul>
<li>VMM/VMD improvements
<ul>
<li>Updated <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> to
permit SVM guests read access to MSR_HWCR and MSR_PSTATEDEF.
Guests can use these registers on AMD 17h and 19h hosts to
determine the TSC frequency without calibrating against a
second clock.
<li>Allocated reference for vm and vcpu SLISTs in <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a>, keeping vmm from
triggering excessive wakeup calls while iterating through the list of
vms while servicing an <a
href="https://man.openbsd.org/ioctl.2">ioctl(2)</a>.
<li>Set <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> RAX guest
register state based on VMCB.
<li>Removed locking in <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a> vmm_intr_pending,
reducing slowdowns due to requests for a lock held while the VM is
running.
<li>Increased speed of delivery of interrupts to a running vcpu in <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
<li>Made <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> treat vcpu
lists as immutable, removing the need to reference count individual
vcpu objects and use a rwlock.
<li>Implemented zero-copy operations on virtqueues in <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Provided a detailed e820 memory map when booting <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a> guests with SeaBIOS.
When a vm initializes memory ranges, we now track what each range
represents. This information can be used to supply the e820 memory map
to SeaBIOS via the fw_cfg interface allowing it to properly
communicate memory ranges to a guest operating system. With this,
special cases in ports can be removed.
<li>Added thread names to vm processes in <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>, visible in <a
href="https://man.openbsd.org/ps.1">ps(1)</a>.
<li>Hid the WAITPKG cpu feature from <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a> guests, preventing
invalid instruction exceptions. Also added WAITPKG feature
identification to i386 and amd64.
<li>Changed <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to
only open /dev/vmm once, having the parent process send the fd to the
vmm child process.
<li>Restricted <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
exposed cpuid extended feature flags.
<li>Adjusted <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> error
paths to avoid removal of configuration-defined (known) VMs on error.
<li>Stopped being paranoid about hypervisor correct PKU handling.<br>
Added saving and restoring guest PKRU to <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a>. Exposed the PKU cpuid
bit to the guest if in use on the host.
<li>Made <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> scan the
PCI bus to determine bootorder strings.
</ul>
<li>Various new userland features:
<ul>
<li>Added <a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
argument support for msyscall, pledge, unveil, __realpath, ypconnect
and __tmpfd.
<li>Added <a
href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a> and <a
href="https://man.openbsd.org/munmap.2">munmap(2)</a> reporting to <a
href="https://man.openbsd.org/kdump.1">kdump(1)</a>.
<li>Added <a
href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> reporting
for process kills due to <a
href="https://man.openbsd.org/execve.2">execve(2)</a> from non-pinned
syscall address.
</ul>
<li>Various bugfixes and tweaks in userland:
<ul>
<li>Allow TZ to contain absolute paths starting with /usr/share/zoneinfo.
All absolute paths were ignored in 7.2 to avoid
<a href="https://man.openbsd.org/unveil.2">unveil(2)</a> violations.
<li>Made <a href="https://man.openbsd.org/ldomctl.8">ldomctl(8)</a>
accept more descriptive name-based paths in addition to number-based
paths in <a
href="https://man.openbsd.org/ldom.conf.5">ldom.conf(5)</a>.
<li>Dropped support for $rc_exec in <a
href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a>. The rc_exec
function should be used instead.
<li>Excluded /tmp/*.shm files from /tmp cleaning in <a
href="https://man.openbsd.org/daily.8">daily(8)</a>. Removing them
interferes with programs that use shared memory via <a
href="https://man.openbsd.org/shm_open.3">shm_open(3)</a>.
<li>Added zap-to-char and zap-up-to-char to <a
href="https://man.openbsd.org/mg.1">mg(1)</a>. Bound zap-to-char to
M-z.
<li>Fixed handling of escaped backslashes in <a
href="https://man.openbsd.org/vi.1">vi(1)</a> ex_range.
<li>Added support to <a
href="https://man.openbsd.org/gunzip.1">gunzip(1)</a> for zip files
that contain a single member.
<li>Fixed <a href="https://man.openbsd.org/ed.1">ed(1)</a> to print
bytes read/written and the ? prompt to stdout, not stderr.
<li>Changed the vmstat view in <a
href="https://man.openbsd.org/systat.1">systat(1)</a> to measure
elapsed time with <a
href="https://man.openbsd.org/clock_gettime.2">clock_gettime(2)</a>
instead of statclock ticks.
<li>Improved the periodic display in <a
href="https://man.openbsd.org/iostat.8">iostat(8)</a>.
<li>Fixed an edge case in <a href="https://man.openbsd.org/top.1">top(1)</a>
where summary statistics for offline CPUs were displayed.
<li>Added support for a personal <a
href="https://man.openbsd.org/units.1">units(1)</a> library by passing
-f multiple times.
<li>Changed <a href="https://man.openbsd.org/df.1">df(1)</a> to
round up fractional percentages.
<li>Fixed unbounded variable expansion in <a
href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>.
<li>Switched to use <a
href="https://man.openbsd.org/llvm-strip.1">llvm-strip(1)</a> on
architectures that use <a
href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a>.
<!-- rc scripts -->
<li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> reorder
libraries in parallel to <a
href="https://man.openbsd.org/netstart.8">netstart(8)</a>, as this
does not depend on network access.
<li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> print the
name of each library before relinking as a signal to the operator that
boot has not stalled.
<!-- audio -->
<li>Added a -w flag to <a
href="https://man.openbsd.org/audioctl.8">audioctl(8)</a> for
displaying variables periodically.
<li>Added short options for <a
href="https://man.openbsd.org/timeout.1">timeout(1)</a> --foreground
and --preserve-status.
<li>Added signal as a full argument name for <a
href="https://man.openbsd.org/timeout.1">timeout(1)</a> -s.
<li>Fixed .wav files generated by <a
href="https://man.openbsd.org/aucat.1">aucat(1)</a> by using extended
header format.
<!-- disks ... -->
<li>In <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>, use the
size of the largest chunk of free space, not the total of all such
chunks, when checking for sufficient space to add a partition.
<li>Extended <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> template
parsing to allow "[mount point] *" as the specification for putting
the maximum available free space into a partition. Extended
command line parsing to allow "T-" as the specification to read the
template from stdin.
<li>Repaired <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
to check for D_VENDOR flag in d_flags, not d_secpercyl.
<li>Removed remnants of DEC standard 144 bad sector code from
<a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
and
<a
href="https://man.openbsd.org/disktab.5">disktab(5)</a>.
<li>Removed last references to d_drivedata field from <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>.
<li>Enhanced <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
auto allocation to use all possible free space.
<li>Enhanced <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
to ensure valid partition offsets and sizes after rounding.
<li>Enhanced <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
simple editor to allow '*' when the action is 'delete'.
<li>Removed <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
code related to defunct disk types 'hd' and 'svnd'.
<li>Repaired <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
to set the correct 'bootable' bit in GPT partitions.
<li>Repaired <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
to use GPT_UUID_NBSD_UFS for NetBSD GPT partition entries.
<li>Added UEFI defined GPT partition type GPT_UUID_LEGACY_MBR to
the partition types
<a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
recognizes.
<li>Enhanced <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
to avoid spurious warnings when editing an unused GPT partition.
<li>Fixed <a href="https://man.openbsd.org/cdio.1">cdio(1)</a>
error displays and plugged a leak in the error path.
<li>Removed pointless :ob#0:pb#0:[tb=swap:] and
:pb#N:ob#0: lines from various <a
href="https://man.openbsd.org/disktab.5">disktab(5)</a>
entries.
</ul>
<li>Improved hardware support and driver bugfixes, including:
<ul>
<li>Suspend/Resume improvements
<ul>
<li>Extended arm64 suspend/resume to include support for parking
CPUs in a WFE/WFI loop.
<li>Put CPUs in the lowest P-state before the final suspend step,
needed for systems where we park CPUs in a low-power idle state
ourselves.
</ul>
<li>system-on-chip devices
<ul>
<!-- SoC -->
<li>Added support for the Rockchip RK3566/RK3568 SoCs.
<li>Added support for the Rockchip RK3568 processor.
<li>Added support for the RK3568 PCIe controller to <a
href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
<li>Added <a
href="https://man.openbsd.org/qcdwusb.4">qcdwusb(4)</a>, a driver
controlling the interface logic for the Synopsys DesignWare USB 3.0
controller found on various Qualcomm Snapdragon SoCs.
<li>Added support for the PCIe controller on the Qualcomm SC8280XP
to <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
<li>Added <a
href="https://man.openbsd.org/qcpmicgpio.4">qcpmicgpio(4)</a>, a
driver for the GPIO block inside the Qualcomm PMICs.
<li>Added <a href="https://man.openbsd.org/qcpmic.4">qcpmic(4)</a>,
a driver for the SPMI-connected PMICs found on Qualcomm SoCs.
<li>Added <a href="https://man.openbsd.org/qcspmi.4">qcspmi(4)</a>,
a driver for the SPMI PMIC Arbiter found on Qualcomm SoCs.
<li>Added <a href="https://man.openbsd.org/qcpdc.4">qcpdc(4)</a>, a
driver for the Qualcomm Power Domain controller found on Qualcomm
SoCs.
<li>Added <a href="https://man.openbsd.org/qcpwm.4">qcpwm(4)</a>, a
driver for the PWM found on Qualcomm SoCs.
<li>Added <a href="https://man.openbsd.org/qcpon.4">qcpon(4)</a>, a
driver for the Qualcomm PMIC block that hosts the powerkey and reset
input.
<li>In <a href="https://man.openbsd.org/rkgpio.4">rkgpio(4)</a>,
handled different register layouts in modern Rockchip SoCs as seen in
the RK356x and RK3588.
<li>Added support for RK356x TSADC clocks to <a
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
<li>Added GMAC-related RK356x clocks to <a
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
<li>Added RK3588 support to <a
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a> and <a
href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>.
<li>Added <a href="https://man.openbsd.org/mvortc.4">mvortc(4)</a>,
a driver for the RTC on the ARMADA 38x series.
<li>Added <a href="https://man.openbsd.org/mvodog.4">mvodog(4)</a>,
a driver for the watchdog on the ARMADA 38x series.
<li>Implemented <a
href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a> support
for explicit routing to use alternative pin muxings.
<li>Added <a href="https://man.openbsd.org/ytphy.4">ytphy(4)</a>, a
driver for the MotorComm YT8511 PHY.
<li>Made <a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a>
work on RK356x with U-Boot.
<li>Added initialization code for RK356x in <a
href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> to prevent
kernel hangs.
<li>Implemented setting the parent clock for RK356x in <a
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
<li>Added <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>
code to bring up the PCIe controller on the RK356x.
<li>Added <a
href="https://man.openbsd.org/rkpciephy.4">rkpciephy(4)</a>, a driver
for the PCIe 3.0 PHY found on the RK356x.
<li>Added <a
href="https://man.openbsd.org/rkcomphy.4">rkcomphy(4)</a>, a driver
for the "naneng" combo PHY found on the RK356x (and RK3588). Only
PCIe, SATA and USB3 support are implemented.
</ul>
<li>Improved support for Apple arm64 hardware
<ul>
<!-- Apple -->
<li>Made <a
href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a> recognize M1
laptops with touchbars and translated Fn+(1-10,-,=) keys to F1-F12 on
these systems.
<li>Added suspend/resume support to <a
href="https://man.openbsd.org/aplns.4">aplns(4)</a>.
<li>Implemented wakeup interrupt support in <a
href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>.
<li>Added suspend/resume support to control the power domain to <a
href="https://man.openbsd.org/aplsart.4">aplsart(4)</a>.
<li>Made the power button function as a wakeup button during suspend
in <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
<li>Added <a href="https://man.openbsd.org/aplpwm.4">aplpwm(4)</a>,
a driver for the PWM controller found on Apple Silicon.
<li>Improved Apple support by increasing the <a
href="https://man.openbsd.org/apliic.4">apliic(4)</a> transfer
completion timeout to 100ms to accommodate USB Type-C PD chips.
<li>Added <a href="https://man.openbsd.org/tipd.4">tipd(4)</a>, a
driver fixing USB hotplug of Type-C connectors on Apple Silicon
hardware.
<li>Improved <a
href="https://man.openbsd.org/aplpmu.4">aplpmu(4)</a> range check to
protect against overflow.
<li>Added <a
href="https://man.openbsd.org/aplefuse.4">aplefuse(4)</a>, a driver
for the eFuses on Apple Silicon SoCs.
<li>Enabled <a
href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a> power
management for PCI devices.
<li>Disabled the screen backlight with <a
href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> on Apple Silicon
laptops when the lid is closed.
</ul>
<li>X13s support
<ul>
<!-- x13s -->
<li>Worked around incomplete ACPI tables on the Lenovo x13s by
loading the alternate device tree binaries from disk.
<li>Set console output to the framebuffer on Lenovo x13s machines.
<li>Made the USB ports work after a suspend/resume cycle on the x13s.
</ul>
<li>Improved audio devices
<ul>
<!-- audio -->
<li>Made <a
href="https://man.openbsd.org/aplaudio.4">aplaudio(4)</a> calculate
the bit clock based on numbers of channels, bytes/sample and sample
rate.
<li>Set <a href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>
and <a href="https://man.openbsd.org/tascodec.4">tascodec(4)</a>
default volume to -30dB instead of the hardware default of 0dB
(maximum).
<li>Added <a
href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>, a driver for
the TI SNO12776/TAS2764 digital amplifier.
</ul>
<li>Other changes
<ul>
<!-- various USB -->
<li>Added support for the Wacom One M CTL-672 tablet to <a
href="https://man.openbsd.org/uwacom.4">uwacom(4)</a>.
<li>Hooked up the same USB device drivers on riscv64 as done in the
arm64 architecture kernel.<br>Enabled access to <a
href="https://man.openbsd.org/usb.4">usb(4)</a>, <a
href="https://man.openbsd.org/ugen.4">ugen(4)</a>, <a
href="https://man.openbsd.org/ulpt.4">ulpt(4)</a>, <a
href="https://man.openbsd.org/ucom.4">ucom(4)</a> and <a
href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>.
<li>Added <a href="https://man.openbsd.org/uftdi.4">uftdi(4)</a>
support for FTDI FT232R.
<li>Added <a href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>
support for Bolt receivers and the Unified Battery feature often found
on newer Logitech HID++ hardware.
<!-- RTC -->
<li>Converted more RTC drivers to use todr_attach(). Quality of the
RTC is set such that "discrete" RTC chips are preferred over RTCs
integrated on a SoC.
<li>Added support for the DS1339 RTC as found on the PiJuice.
<li>Added <a href="https://man.openbsd.org/qcrtc.4">qcrtc(4)</a>, a
driver for the RTC found on Qualcomm PMICs.
<li>Improved <a href="https://man.openbsd.org/qcrtc.4">qcrtc(4)</a>
RTC reliability.
<!-- wscons -->
<li>Added cursor back tab support to <a
href="https://man.openbsd.org/wscons.4">wscons(4)</a> VT100
emulation.<br>Added aixterm bright color sequences (SGR 90-97 and
100-107).
<li>Added missing <a
href="https://man.openbsd.org/wscons.4">wscons(4)</a> bounds checks
when processing terminal escape sequences.
<li>Replaced broken UTF-8 logic in <a
href="https://man.openbsd.org/wscons.4">wscons(4)</a> with a better
one borrowed from Citrus.
<!-- other -->
<li>Introduced <a
href="https://man.openbsd.org/pijuice.4">pijuice(4)</a>, an apm/sensor
driver for the PiJuice HAT UPS.
<li>Added <a
href="https://man.openbsd.org/pwmleds.4">pwmleds(4)</a>, a driver for
PWM controlled LEDs.
<li>Implemented <a
href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> support for the
(optional) MSI controller of the Synopsys DesignWare PCIe host bridge.
<li>Added <a
href="https://man.openbsd.org/icc.4">icc(4)</a> driver for
I2C Consumer Control devices.
<li>Prevented a possible crash when a <a
href="https://man.openbsd.org/ugen.4">ugen(4)</a> device is detached.
<li>Implemented wakeup interrupt handling in <a
href="https://man.openbsd.org/agintc.4">agintc(4)</a>.
<li>Enabled <a
href="https://man.openbsd.org/pcagpio.4">pcagpio(4)</a> and <a
href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>, making the SFP
port on the ClearFog Base (CN9130) work.
<li>Adopted a workaround for a bug in the ARM generic timer on the
A64, disabling userland timecounter support on affected hardware
pending a similar libc workaround.
<li>Made amd64 cpuid recognize protection keys for Protection Key Supervisor (PKS).
<li>Implemented access to EFI variables ESRT through an <a
href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> interface
compatible with what FreeBSD and NetBSD have.<br>
Created /dev/efi on amd64 and arm64.
<li>Added <a href="https://man.openbsd.org/dwge.4">dwge(4)</a> support
for "enhanced descriptor" mode found on some variants of the Synopsys
DesignWare GMAC.
<li>Removed the <a
href="https://man.openbsd.org/OpenBSD-7.2/elansc.4">elansc(4)</a>
driver for AMD Elan SC520 System Controller.
<li>Made <a href="https://man.openbsd.org/ppb.4">ppb(4)</a> bus
range available after detaching, fixing unplugging and replugging
Thunderbolt devices that were plugged in when the machine was booted.
<li>Reworked the arm64 architecture cpu_init_secondary() function to
allow use for both initial powerup and wakeup from deeper sleep
states.
<li>Added <a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>,
a driver for Universal Flash Storage (UFS) Host Controllers.
<li>Added <a href="https://man.openbsd.org/scmi.4">scmi(4)</a>, a
driver for the ARM System Control and Management Interface.
<li>Added support for the Shenzhen Tangcheng Technology TCS4525
voltage regulator to <a
href="https://man.openbsd.org/fanpwr.4">fanpwr(4)</a>.
<li>Added <a href="https://man.openbsd.org/psci.4">psci(4)</a> (ARM
Power State Coordination Interface) support for available deep idle
states as advertised in device trees.
<li>Added <a href="https://man.openbsd.org/eephy.4">eephy(4)</a>,
found on the Turris Omnia WAN port, to armv7.
<li>Added polling to <a
href="https://man.openbsd.org/tipmic.4">tipmic(4)</a> driver when
starting from a cold boot, fixing a hang on boot.
<li>Added a workaround for Intel Braswell/Cherry Trail mwait hang.
<li>Added the Armada 380 temperature sensor to <a
href="https://man.openbsd.org/mvtemp.4">mvtemp(4)</a> and enabled the
driver on armv7.
</ul>
</ul>
<li>New or improved network hardware support:
<ul>
<li>Enabled <a href="https://man.openbsd.org/em.4">em(4)</a> IPv4,
TCP and UDP checksum offloading and hardware VLAN tagging on devices
with 82575, 82576, i350 and i210 chipsets.
<li>Improved <a href="https://man.openbsd.org/mcx.4">mcx(4)</a>
performance by using interrupt-based command completion.
<li>Fixed a panic seen with <a
href="https://man.openbsd.org/rge.4">rge(4)</a> RTL8125 with MCLGETL.
<li>Added <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>, a
driver for the Synopsys DesignWare Ethernet QoS controller used on the
NXP i.MX8MP, the Rockchip RK35xx series and Intel Elkhart Lake.
<li>Worked around an issue on the StarFive JH7100 SoC to make <a
href="https://man.openbsd.org/dwge.4">dwge(4)</a> Ethernet work
reliably on the StarFive VisionFive 1 board.
<li>In <a href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>,
passed MII flags depending on the phy mode specified in the device
tree, making the WAN port work on the Turris Omnia.
</ul>
<li>Added or improved wireless network drivers:
<ul>
<li>Increased the timeout for <a
href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> PCI devices to
avoid spurious firmware load failures, particularly on Apple M2 laptops.
<li>Implemented alternative mailbox handling mechanism required by
newer <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> firmware.
<li>Fixed <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>
issues with suspend/resume and possible firmware crashes on the M2
MacBook Air.
<li>Prevented an <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>
firmware error when authentication to the AP times out.
<li>Fixed a crash in <a
href="https://man.openbsd.org/iwx.4">iwx(4)</a> when connecting to WEP
networks via <a
href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> join.
<li>Fixed an alignment issue in <a
href="https://man.openbsd.org/iwx.4">iwx(4)</a> Rx descriptors.
<li>Avoided trying to remove keys while doing crypto in hardware if
the station is not active in <a
href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware, fixing a
firmware panic.
<li>Prevented potential panics by disallowing the <a
href="https://man.openbsd.org/iwx.4">iwx(4)</a> init task from running
in parallel to wakeup code during resume.
<li>Switched all <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>
devices to -77 firmware images.
<li>Upgraded firmware images for <a
href="https://man.openbsd.org/iwm.4">iwm(4)</a> 9260 and 9560 devices.
<li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> get the
primary channel number from AP beacon info, preventing problems on
40/80MHz channels if there is a mismatch.
<li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> session
protection event duration.
</ul>
<li>IEEE 802.11 wireless stack improvements and bugfixes:
<ul>
<li>Made net80211 drop beacons received on secondary HT/VHT
channels, preventing <a
href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware panics and
making association work with 11ac APs which transmit beacons on
channels other than their primary.
<li>Made WEP encryption work on <a
href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
</ul>
<li>Installer, upgrade and bootloader improvements:
<ul>
<li>Made installer answers <code>!</code> and <code>(S)hell</code> drop into a <a
href="https://man.openbsd.org/ksh.1">ksh(1)</a> environment rather
than the more limited <a href="https://man.openbsd.org/sh.1">sh(1)</a>.
<li>Added support for configuring interfaces by lladdr (MAC).
<li>Made the installer skip interface configuration questions when no interfaces are available.
<li>Fixed resizing partitions on an auto-allocated disk that had a boot partition.
<li>Stopped the installer from asking to initialize disks that have
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks.
<li>Made efiboot fdt support device trees with NOPs in them (like the kernel version).
<li>Improved the default choice for the installer's install media
disk question to show the first disk that (a) is not the root disk and (b)
is not a disk with softraid chunks (hosting the root disk, for example).
<li>Stopped offering WEP in the installer if not supported.
<li>Fixed lock file error on installer exit/abort.
<li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code>
support <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
<li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> silently skip
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> keydisks.
<li>Fixed passing explicit stages files to
<a href="https://man.openbsd.org/installboot.8">installboot(8)</a>.
<!-- architecture specific -->
<li>Added <a
href="https://man.openbsd.org/mount_nfs.8">mount_nfs(8)</a> to the
sparc64 installer, to fetch sets over NFS.
<li>Copied the apple-boot firmware to the EFI system partition, enabling
automatic bootloader updates on Apple Silicon computers.
<li>Made the installer stop printing MD post installation instructions on upgrades.
<li>Made it possible to set keyboard layout(s) in arm64's installer.
<li>Added initial support in the installer for guided disk
encryption for amd64, i386, riscv64 and sparc64.
<li>Added passing of boot device information from the bootloader to
the kernel on luna88k.
<li>Switched luna88k boot loader to MI boot code.
<li>Made the luna88k bootloader display a puffy boot logo.
<li>Made <a href="https://man.openbsd.org/ls.1">ls(1)</a> work
correctly in the luna88k bootloader.
<li>Made <a href="https://man.openbsd.org/time.1">time(1)</a> work
correctly in the luna88k bootloader.
<li>Removed dangerous user-settable "addr" variable from MI
bootloader, only compiling tty-related code on platforms where it
makes sense for the bootloader to control it.
<li>Added "machine poweroff" command on luna88k bootloader.
<li>Switched alpha to machine-independent boot blocks.
<li>Switched all architectures' ramdisks (except alpha's and luna88k's) to use
<a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code>.
<li>Fixed ofwboot OpenFirmware <code>map</code> call to unbreak boot on some machines.
<li>Reduced ofwboot.net size after libz update to unbreak netboot on some machines.
<li>Made riscv64 bootloader support boot from RAID 1C softraid volumes.
<li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> support
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> on riscv64.
<li>Stopped creating defunct vax (ra, rx), hp300 (hd) and sparc (xy, xd)
devices in /dev.
</ul>
<li>Security improvements:
<ul>
<li>Permissions (RWX, MAP_STACK, etc.) on address space regions can
be made <a href="https://man.openbsd.org/mimmutable.2">immutable</a>,
so that <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a
href="https://man.openbsd.org/mprotect.2">mprotect(2)</a> or <a
href="https://man.openbsd.org/munmap.2">munmap(2)</a> fail with EPERM.
Most of the program static address space is now automatically
immutable (main program, ld.so, main stack, load-time shared
libraries, and dlopen()'d libraries mapped without RTLD_NODELETE).
Programmers can request non-immutable static data using the
"openbsd.mutable" section, or manually bring immutability to
(page-aligned) heap objects using <a
href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a>.
The main internal data of <a
href="https://man.openbsd.org/malloc.3">malloc(3)</a>
is marked immutable.
<li>Some architectures now have non-readable code ("xonly"), both from
the perspective of userland reading its own memory and of the kernel
trying to read memory in a system call. Many sloppy practices in
userland code had to be repaired to allow this. The linker
(<a href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a> or
<a href="https://man.openbsd.org/ld.bfd.1">ld.bfd(1)</a>) option
--execute-only is enabled by default. In order of development: arm64,
riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64
(sun4u only; unfinished).
<li>These can still benefit from switching to --execute-only binaries if the
CPU generates different traps for instruction-fetch versus data-fetch.
The VM system will not allow memory to be read before it was executed,
which is valuable together with library relinking. Architectures
switched over include loongson.
<li><a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> and crt0
register the location of the <a
href="https://man.openbsd.org/execve.2">execve(2)</a> stub with the
kernel using pinsyscall(2), after which the kernel only accepts an
execve call from that specific location.
<li>Added <a href="https://man.openbsd.org/execve.2">execve(2)</a>
violations of <a
href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a> policy
to the daily mail, available by setting rc.conf.local(5)
accounting=YES.
<li>Added retguard (consistency-check the return address on the
stack) to amd64 syscalls.
<li>sshd random relinking at boot: Randomly relink and install <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>, resulting
in an sshd binary with unknown address layout after every reboot.
<li>Added another mitigation against classic BROP on systems without
execute-only mmu hardware-enforcement. A range-checking wrapper in
front of <a href="https://man.openbsd.org/copyin.9">copyin(9)</a> and
<a href="https://man.openbsd.org/copyinstr.9">copyinstr(9)</a> ensures
the userland source address doesn't overlap the main program text and
other text segments, thereby making these address ranges unreadable to
the kernel. No programs have been discovered which require reading
their own text segments with a system call.
<li>On arm64, introduced mitigation of the Spectre-BHB (Branch
History Injection) CPU vulnerability by using core-specific trampoline
vectors.
<li>Enabled the arm64 Data Independent Timing (DIT) feature in both the kernel and
userland on CPUs that support it to mitigate timing side-channel
attacks.
</ul>
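<p>The range check placed in front of copyin(9) and copyinstr(9), modelled in userland as an added example; this is not OpenBSD kernel code. The names <code>text_range</code>, <code>checked_copyin</code>, <code>demo_copy</code> and <code>demo_wrap</code>, the EFAULT return value and the constructed 256-byte "address space" are assumptions of the model.</p>

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One excluded range per text segment, half-open: [start, end). */
struct text_range { uintptr_t start, end; };

/*
 * Userland model of a range-checking wrapper in front of a copy routine.
 * Returns 0 after copying, or EFAULT (error value assumed for this model)
 * when the source range wraps or touches any text range.
 */
static int
checked_copyin(const struct text_range *text, size_t ntext,
    const void *uaddr, void *kaddr, size_t len)
{
	uintptr_t src = (uintptr_t)uaddr, last;
	size_t i;

	if (len == 0)
		return 0;		/* nothing is read */
	if (src > UINTPTR_MAX - (len - 1))
		return EFAULT;		/* src + len would wrap around */
	last = src + (len - 1);		/* last byte read, inclusive */
	for (i = 0; i < ntext; i++)
		if (src < text[i].end && last >= text[i].start)
			return EFAULT;	/* overlaps a text segment */
	memcpy(kaddr, uaddr, len);
	return 0;
}

/* Constructed address space: bytes 64..127 of image[] play the text segment. */
static unsigned char image[256];

static int
demo_copy(size_t off, size_t len)
{
	struct text_range text = {
		(uintptr_t)image + 64, (uintptr_t)image + 128
	};
	unsigned char kbuf[sizeof(image)];

	if (off > sizeof(image) || len > sizeof(image) - off)
		return -1;		/* outside the constructed image */
	return checked_copyin(&text, 1, image + off, kbuf, len);
}

/* A source range that would wrap past the top of the address space. */
static int
demo_wrap(void)
{
	struct text_range text = { 0x1000, 0x2000 };
	unsigned char kbuf[2];

	return checked_copyin(&text, 1, (const void *)UINTPTR_MAX, kbuf, 2);
}

int
main(void)
{
	printf("data before text: %d\n", demo_copy(0, 64));
	printf("runs into text:   %d\n", demo_copy(0, 65));
	printf("inside text:      %d\n", demo_copy(100, 8));
	printf("wraps:            %d\n", demo_wrap());
	return 0;
}
```

<p>A copy that ends on the byte just before the text range succeeds, while one that extends a single byte into it is refused, so a read that starts in data cannot walk into text.</p>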
<li>Changes in the network stack:
<ul>
<li>Made /dev/pf a clonable device to better track kernel resources
used by processes.
<li>Modified TCP receive buffer size auto-scaling to use the smoothed
RTT (SRTT) instead of the timestamp option, which improves performance
on high latency networks if the timestamp option isn't available.
<li>Relaxed the requirement for multicast support of interfaces for
configuring IPv6. This allows non-multicast interfaces such as
point-to-point interfaces and the NBMA / point-to-multipoint
interfaces like mpe(4), mgre(4) and wg(4) to work with IPv6.
<li>Measured the TCP_KEEPALIVE timeout with <a
href="https://man.openbsd.org/getnsecruntime.9">getnsecruntime(9)</a>
instead of the system uptime.
This prevents TCP connections from needlessly failing en masse after
waking a system from suspend.
<li>Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a
hash/flowid for <a href="https://man.openbsd.org/pf.4">pf(4)</a> state
keys. With this change, pf will hash traffic the same way that
hardware using a stoeplitz key will hash incoming traffic on rings.
stoeplitz is also used by the TCP stack to generate a flow id, which
is used to pick which transmit ring is used on NICs with multiple
queues. Using the same algorithm throughout the stack encourages
affinity of packets to rings and softnet threads the whole way
through.
<li>Prevented possible kernel crashes by dropping TCP packets with
destination port 0 in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
and the stack.
<li>Fixed an endian swap bug causing problems with <a
href="https://man.openbsd.org/vlan.4">vlan(4)</a> on <a
href="https://man.openbsd.org/em.4">em(4)</a> sparc64 systems.
<li>Denied "pipex no" tunnel setting for <a
href="https://man.openbsd.org/pppx.4">pppx(4)</a> interfaces.
<li>Fixed <a href="https://man.openbsd.org/pfsync.4">pfsync(4)</a>
crashing on pf_state_key removal.
<li>Fixed a panic in <a
href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> when there is
no data ready for bulk transfer.
<li>Turned off TCP Segmentation Offload (TSO) if an interface is added
to layer 2 devices.
<li>Improved <a href="https://man.openbsd.org/vnet.4">vnet(4)</a>
to work better in busy conditions.
<li>Added a <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> timeout
(BIOCSWTIMEOUT) between capturing a packet and making the buffer
readable, preventing, for example, <a
href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> waking every
half second even if there is nothing to read. By default this timeout
is infinite and the buffer must be filled to become readable.
<li>Avoided enabling TSO on interfaces which are already attached to a bridge.
</ul>
<li>Routing daemons and other userland network improvements:
<ul>
<li>IPsec support was improved:
<ul>
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
support for configuring multiple name servers.
<li>Synced proc.c from <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a> to <a
href="https://man.openbsd.org/iked.8">iked(8)</a> to enable fork +
exec for all processes. This gives each process a fresh and unique
address space to further improve randomization of ASLR and stack
protector.
</ul>
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, <a
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> and <a
href="https://man.openbsd.org/bgplgd.8">bgplgd(8)</a>:
<ul>
<li>Improved performance by optimising the output filters.
<li>Add Autonomous System Provider Authorization (ASPA) validation
based on draft-ietf-sidrops-aspa-verification-12.
<li>Introduce avs (ASPA validation state) filter and bgpctl
filter argument.
<li>Add ASPA support for the RTR protocol based on
draft-ietf-sidrops-8210bis-10.
<li>Improve open policy (RFC 9234) support and enable the capability
automatically if a role is specified for the peer.
<li>Introduce a per-neighbor 'role' configuration option to specify
the session role used by ASPA verification and the open policy
capability. The 'announce policy' statement was simplified at
the same time.
<li>Improve startup behaviour by introducing a small delay before
opening the connection to a new peer.
<li>Support for aspa-set table config which can be provided by
<a
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
<li>Make it possible to filter the RIB by invalid and leaked prefixes
in bgpctl and bgplgd.
<li>Add OpenMetrics output to bgpctl for various BGP statistics and
add /metrics endpoint to bgplgd.
<li>Fix incorrect length checks that allowed an out-of-bounds
read in bgpd.
</ul>
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
<ul>
<li>Add a new '-H' command line option to create a shortlist of
repositories to synchronize to. For example, when invoking
"rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility
will not connect to any hosts other than the two specified
through the -H option.
<li>Add support for validating Geofeed (RFC 9092) authenticators. To
see an example, download https://sobornost.net/geofeed.csv and run
"rpki-client -f geofeed.csv".
<li>Add support for validating Trust Anchor Key (TAK) objects. TAK
objects can be used to produce new Trust Anchor Locators (TALs) signed
by and verified against the previous Trust Anchor. See
draft-ietf-sidrops-signed-tal for the full specification.
<li>Log lines related to RRDP/HTTPS connection problems now include the
IP address of the problematic endpoint (in brackets).
<li>Improve the error message when an invalid filename is encountered
in the rpkiManifest field in the Subject Access Information (SIA)
extension.
<li>Emit a warning when unexpected X.509 extensions are encountered.
<li>Restrict the ROA ipAddrBlocks field to only allow two
ROAIPAddressFamily structures (one per address family). See
draft-ietf-sidrops-rfc6482bis.
<li>Check the absence of the Path Length constraint in the Basic
Constraints extension.
<li>Restrict the SIA extension to only allow the signedObject and
rpkiNotify accessMethods.
<li>Check that the Signed Object access method is present in ROA, MFT,
ASPA, TAK, and GBR End-Entity certificates.
<li>In addition to the 'rsync://' scheme, also permit other schemes
(such as 'https://') in the SIA signedObject access method.
<li>Check that the KeyUsage extension is set to nothing but
digitalSignature on End-Entity certificates.
<li>Check that the KeyUsage extension is set to nothing but keyCertSign
and CRLSign on CA certificates.
<li>Check that the ExtendedKeyUsage extension is absent on CA
certificates.
<li>Fix a bug in the handling of the port of http_proxy.
<li>The '-r' command line option has been deprecated.
<li>Filemode (-f) output is now presented as a text based table.
<li>The 'expires' key in the JSON/CSV/OpenBGPD output formats is now
calculated with more accuracy. The calculation takes into account the
nextUpdate value of all intermediate CRLs in the signature path
towards the trust anchor, in addition to the expiry moment of the
leaf-CRL and CAs.
<li>Handling of CRLs and Manifests in the face of inconsistent RRDP delta
publications has been improved. A copy of an alternative version of
the applicable CRL is kept in the staging area of the cache directory,
in order to increase the potential for establishing a complete
publication point, in cases where a single publication point update
was smeared across multiple RRDP delta files.
<li>The OpenBGPD configuration output now includes validated Autonomous
System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
configuration block.
<li>When rpki-client is invoked with increased verbosity ('-v'), the
current RRDP Serial and Session ID are shown to aid debugging.
<li>Self-signed X.509 certificates (such as Trust Anchor certificates)
now are considered invalid if they contain an X.509
AuthorityInfoAccess extension.
<li>Signed Objects where the CMS signing-time attribute contains a
timestamp later than the X.509 certificate's notAfter timestamp are
considered invalid.
<li>Manifests where the CMS signing-time attribute contains a timestamp
later than the Manifest eContent nextUpdate timestamp are considered
invalid.
<li>Any objects whose CRL Distribution Points extension contains a
CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
considered invalid in accordance with RFC 6487 section 4.8.6.
<li>For every X.509 certificate the SHA-1 of the Subject Public Key is
calculated and compared to the Subject Key Identifier (SKI). If a
mismatch is found the certificate is not trusted.
<li>Require the outside-TBS signature OID for every X.509 intermediate
CA certificate and CRL to be sha256WithRSAEncryption.
<li>Require the RSA key pair modulus and public exponent parameters to
strictly conform to the RFC 7935 profile.
<li>Ensure there is no trailing garbage present in Signed Objects beyond
the self-embedded length field.
<li>Require RRDP Session IDs to strictly be version 4 UUIDs.
<li>When decoding and validating an individual RPKI file using filemode
(rpki-client -f file), display the signature path towards the trust
anchor and the timestamp when the signature path will expire.
<li>When decoding and validating an individual RPKI file using filemode
(rpki-client -f file), display the optional CMS signing-time,
non-optional X.509 notBefore timestamp and non-optional X.509
notAfter timestamp.
</ul>
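<p>The trailing-garbage check on Signed Objects, sketched as an added stand-alone example; this is not rpki-client's code. It compares the length embedded in the outer DER SEQUENCE header with the number of bytes actually present. The function names, status values, the 16 MiB size limit and the sample byte strings are constructed for illustration.</p>

```c
#include <stddef.h>
#include <stdio.h>

enum obj_status { OBJ_OK, OBJ_MALFORMED, OBJ_TRUNCATED, OBJ_TRAILING };

/*
 * Decode the outermost DER header of buf. On success return 0 and store
 * the total encoded size (header plus content) in *total.
 */
static int
der_total_len(const unsigned char *buf, size_t buflen, size_t *total)
{
	size_t n, i, len = 0;

	if (buflen < 2 || buf[0] != 0x30)	/* expect an outer SEQUENCE */
		return -1;
	if (buf[1] < 0x80) {			/* short form: one length octet */
		*total = 2 + (size_t)buf[1];
		return 0;
	}
	n = buf[1] & 0x7f;			/* number of length octets */
	if (n == 0 || n > 3 || buflen < 2 + n)	/* indefinite, > 16 MiB, cut off */
		return -1;
	for (i = 0; i < n; i++)
		len = (len << 8) | buf[2 + i];
	if (buf[2] == 0 || len < 0x80)		/* DER: shortest encoding only */
		return -1;
	*total = 2 + n + len;
	return 0;
}

/* Accept only a buffer that is exactly one outer DER element. */
static enum obj_status
check_signed_object(const unsigned char *buf, size_t buflen)
{
	size_t total;

	if (der_total_len(buf, buflen, &total) == -1)
		return OBJ_MALFORMED;
	if (total > buflen)
		return OBJ_TRUNCATED;
	if (total < buflen)
		return OBJ_TRAILING;	/* bytes beyond the embedded length */
	return OBJ_OK;
}

/* Constructed samples based on SEQUENCE { INTEGER 5 }; not real RPKI objects. */
static const unsigned char good[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char padded[] = { 0x30, 0x03, 0x02, 0x01, 0x05, 0x00, 0x00 };
static const unsigned char cut[] = { 0x30, 0x03, 0x02, 0x01 };
static const unsigned char indef[] = { 0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00 };
static const unsigned char nonmin[] = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x05 };

/* Long-form header with 200 content bytes (zeros) plus `extra` appended bytes. */
static enum obj_status
check_long_form(size_t extra)
{
	unsigned char buf[3 + 200 + 8] = { 0x30, 0x81, 200 };

	return check_signed_object(buf, 3 + 200 + (extra > 8 ? 8 : extra));
}

int
main(void)
{
	printf("good=%d padded=%d cut=%d\n",
	    check_signed_object(good, sizeof(good)),
	    check_signed_object(padded, sizeof(padded)),
	    check_signed_object(cut, sizeof(cut)));
	return 0;
}
```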
<li>Updated zlib to 1.2.13.
<li>Fixed a long-standing bug in a libreadline header that broke the
interactive Python command line interface.
<li>Switched <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a> to
default to read-only unless -w is specified for write access (the
previous default).
<li>Stopped printing the prompt for non-interactive usage of <a
href="https://man.openbsd.org/tftp.1">tftp(1)</a>.
<li>Changed <a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a> to
only unveil /tftpboot if -t is specified.
<li>Added client certificate authentication and an optional SASL
EXTERNAL bind to <a
href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>.
<li>Adjusted ipv6 address width to align the display columns better