Index: website/content/en/releases/14.0R/relnotes.adoc =================================================================== --- website/content/en/releases/14.0R/relnotes.adoc +++ website/content/en/releases/14.0R/relnotes.adoc 
@@ -125,6 +125,131 @@ |=== +[[mfc-highlights]] +== Significant changes merged into FreeBSD 13.x +FreeBSD 14.0 includes over two and a half years of development since the release of FreeBSD 13.0. +Some of this work was cherry-picked into older development branches, and was included in FreeBSD 13.x minor releases. + +For 64-bit architectures, the base system is built with Position Independent Executable (PIE) support enabled by default. +It may be disabled using the `WITHOUT_PIE` knob. +gitref:9a227a2fd642[repository=src] + +There is a new `zfskeys` man:rc[8] service script, which allows for automatic decryption of ZFS datasets encrypted with ZFS native encryption during boot. +The `zfskeys` startup script supports autoloading of keys stored on ZFS. +See the man:rc.conf[5] manual page for more information. +gitref:33ff39796ffe[repository=src], gitref:8719e8a951b7[repository=src], gitref:97aeda224356[repository=src] +(Sponsored by Modirum and Klara Inc.) + +The `chroot` facility supports unprivileged operation, and the man:chroot[8] program has a `-n` option to enable its use. +gitref:a40cf4175c90[repository=src] +(Sponsored by EPSRC) + +man:md5sum[1] and similar message-digest programs compatible with those on Linux were added by having the corresponding BSD programs run with the `-r` option if the program name ends in `sum`. +gitref:086feed850c3[repository=src] +(Sponsored by Netflix) + +The use of FIDO/U2F hardware authenticators has been enabled in `ssh`, using the new public key types `ecdsa-sk` and `ed25519-sk`, along with corresponding certificate types. +FIDO/U2F support is described in https://www.openssh.com/txt/release-8.2[https://www.openssh.com/txt/release-8.2]. +gitref:e9a994639b2a[repository=src] +(Sponsored by The FreeBSD Foundation) + +The man:mgb[4] network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface. 
+The driver has a number of caveats and limitations, but is functional. +gitref:e0262ffbc6ae[repository=src] +(Sponsored by The FreeBSD Foundation) + +Two new daemons, man:rpc.tlsclntd[8] and man:rpc.tlsservd[8], are now built by default on amd64 and arm64. +They provide support for NFS-over-TLS as described in the Internet Draft entitled "Towards Remote Procedure Call Encryption By Default". +These daemons are built when WITH_OPENSSL_KTLS is specified. +They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates. +gitref:2b9cbc85d727[repository=src] gitref:59f6f5e23c1a[repository=src] + +UEFI firmware boot compatibility is improved for amd64. +See the man:loader.efi[8] `amd64 Nocopy` section for more detailed information. +gitref:f75caed644a5[repository=src](Sponsored by https://www.freebsdfoundation.org[The FreeBSD Foundation]) + +Boot time performance improvements have been made to many kernel subsystems. +(Sponsored by https://www.patreon.com/cperciva[https://www.patreon.com/cperciva]) + +NVMe error handling has been significantly improved. + +The handling of the lowest address on an IPv4 (sub)net (host 0) has been changed so that packets are not sent as a broadcast unless this address has been set as the broadcast address. +This makes the lowest address usable for a host. +The old behavior can be restored with the `net.inet.ip.broadcast_lowest` sysctl. +See https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/[https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/] for background information. +gitref:fd0765933c3c[repository=src] + +The man:growfs[7] startup script will now add a swap partition while expanding the root file system if possible, and if one did not previously exist. +This is primarily useful when installing on an SD card using a raw image. 
+A new man:rc.conf[5] variable has been added, `growfs_swap_size`, which can control the addition if necessary. +See man:growfs[7] for details. + +A new RC script, `zpoolreguid` has been added, which will assign a new GUID to one or more zpools, useful for virtualization environments when sharing datasets. + +The `hostid` startup script will now generate a random (version 4) UUID if there is no [.filename]#/etc/hostid# file and no valid UUID from hardware. +Also, if there is no [.filename]#/etc/machine-id# file, the `hostid_save` script will store a compact version of the hostid (one without hyphens) in [.filename]#/etc/machine-id#. +This file is used by libraries such as GLib. +gitref:62a149bf6219[repository=src] gitref:862aab6281a5[repository=src] gitref:baf1e9713969[repository=src] gitref:ecad3f5c4d92[repository=src] gitref:d6852eed98ed[repository=src] + +It is now possible to add default routes for FIBs other than the primary by using the `defaultrouter_fibN` and `ipv6_defaultrouter_fibN` man:rc.conf[5] variables. +gitref:30659d1dcbcc[repository=src] +(Sponsored by ScaleEngine Inc.) + +The man:bhyve[8] utility has gained virtio-input device emulation support. +This will be used to inject keyboard/mouse input events into a guest. +The command line syntax is: `-s ,virtio-input,/dev/input/eventX`. +gitref:054accac71e0[repository=src] + +The man:kdump[1] utility has gained support for decoding Linux system calls. + +An man:nproc[1] utility has been added, compatible with the Linux program of the same name. + +The man:uuidgen[1] utility has a new option `-r` to generate a random UUID, version 4. +gitref:f176fe8e7f63[repository=src] + +The man:bhyve[8] hypervisor and kernel module man:vmm[4] now support more than 16 vCPUs in a guest. +By default bhyve permits each guest to create the same number of vCPUs as the count of physical CPUs on the host. +This limit can be adjusted via the loader tunable `hw.vmm.maxcpu`. 
+gitref:ee98f99d7a68[repository=src] + +Address Space Layout Randomization (ASLR) is enabled for 64-bit executables by default. +It can be disabled as needed if applications fail unexpectedly, for example with segmentation faults. +To disable for a single invocation, use the man:proccontrol[1] command: `proccontrol -m aslr -s disable command`. +To disable ASLR for all invocations of a binary, use the man:elfctl[1] command: `elfctl -e +noaslr file`. +Problems should be reported via the problem reporting system, https://bugs.freebsd.org[], or posting to the `freebsd-stable@FreeBSD.org` mailing list. +gitref:b014e0f15bc7[repository=src] +(Sponsored by Stormshield) + +A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs. +The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption. +The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround. +gitref:cde70e312c3f[repository=src] (Sponsored by The FreeBSD Foundation) + +The state of the arm64 man:linux[4] ABI was brought to parity with the amd64 man:linux[4] ABI. +gitref:ccc510b46340[repository=src], gitref:9931033bbfbe[repository=src] + +In order to facilitate ABI compatibility of `stable` branches, the CPU affinity system calls are now more tolerant of CPU sets that are smaller than used by the kernel. +This will facilitate increases to the size of the kernel set, `MAXCPU`. +gitref:47a57144af25[repository=src] gitref:f35093f8d6d8[repository=src] +(Sponsored by Juniper Networks, Inc.) + +It is now possible to take snapshots on UFS filesystems when running with journaled soft updates. +Thus it is now possible to do background dumps on live filesystems running with journaled soft updates. +Background dumps are requested by using the `-L` flag to man:dump[8]. 
+(In previous releases UFS snapshots were incompatible with journaled soft updates.) +gitref:78f412987605[repository=src] (Sponsored by The FreeBSD Foundation) + +The kernel man:wg[4] WireGuard driver has been reintegrated; it provides Virtual Private Network (VPN) interfaces using the WireGuard protocol. +gitref:744bfb213144[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate") and The FreeBSD Foundation) + +KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3. +Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3. +gitref:05a1d0f5d7ac[repository=src] (Sponsored by Netflix) + +Radix tables and lookups are now supported for MAC addresses in man:ipfw[4]. +This allows MAC address tables to be constructed and used for filtering. +gitref:81cac3906eb9[repository=src] + //// // Sample release notes entry. The man:fsck_msdosfs[8] utility includes a variety of enhancements, including reducing the memory footprint, a new flag, `-M`, which disables the use of man:mmap[2], and others. @@ -701,8 +826,10 @@ Layer 3 filtering on man:if_bridge[4] will do surprising things which aren't fail-safe, so `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` now default to zero. gitref:22893e584032[repository=src] -man:netlink[4] is a user/kernel communication protocol used primarily for network configuration. -It has been expanded and improved, and a number of network configuration utilities have been converted to use netlink. +man:netlink[4] is a user/kernel communication protocol defined in RFC 3549 and used primarily for network configuration. +It has been expanded and improved and enabled by default. +A number of network configuration utilities have been converted to use netlink. +gitref:3091d980f581[repository=src] The deprecated `NgATM` (netgraph ATM support) and remaining ATM support have been removed.
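Review bot: the NFS-over-TLS entry in this hunk reads as contradictory: it first says man:rpc.tlsclntd[8] and man:rpc.tlsservd[8] "are now built by default on amd64 and arm64" and two sentences later that "These daemons are built when WITH_OPENSSL_KTLS is specified"; please state which it is (for example, that the option defaults to on for those architectures and the daemons are omitted when it is unset), and put `WITH_OPENSSL_KTLS` in backticks like `WITHOUT_PIE` and `MAXCPU`. Smaller points in the same hunk: the man:bhyve[8] virtio-input example `-s ,virtio-input,/dev/input/eventX` has nothing before the first comma where bhyve's `-s slot,emulation[,conf]` syntax expects a slot number, so a placeholder such as `-s N,virtio-input,/dev/input/eventX` would be clearer; the man:loader.efi[8] entry runs `gitref:f75caed644a5[repository=src](Sponsored by ...)` together without a space or line break; gitref lists alternate between comma-separated and space-separated forms; and the NVMe, `zpoolreguid`, man:kdump[1] and man:nproc[1] entries carry no gitref while every other entry does.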
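Review bot: in the rewritten man:netlink[4] paragraph, "expanded and improved and enabled by default" chains three items with two "and"s; suggest "has been expanded and improved, and is now enabled by default." Since enabling it by default adds a new kernel/user interface, the entry should also say how it can be turned off (kernel option or module), as the PIE and ASLR entries do for their defaults, and the bare "RFC 3549" mention would be more useful as a link (https://datatracker.ietf.org/doc/rfc3549/), matching the datatracker links used elsewhere in these notes.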