Date: Mon, 13 Nov 2023 17:58:33 GMT
Message-Id: <202311131758.3ADHwXMr011518@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Ed Maste
Subject: git: ecc754a01c - main - 14.0 relnotes: highlights of work that was MFC'd to 13.1/13.2
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ecc754a01ca3281c8b6add29b465345babb9e71c
Auto-Submitted: auto-generated

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/doc/commit/?id=ecc754a01ca3281c8b6add29b465345babb9e71c

commit ecc754a01ca3281c8b6add29b465345babb9e71c
Author:     Ed Maste
AuthorDate: 2023-11-10 15:07:28 +0000
Commit:     Ed Maste
CommitDate: 2023-11-13 17:56:15 +0000

    14.0 relnotes: highlights of work that was MFC'd to 13.1/13.2

    Reviewed by: karels, jhb
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D42546
---
 website/content/en/releases/14.0R/relnotes.adoc | 131 +++++++++++++++++++++++-
 1 file changed, 129 insertions(+), 2 deletions(-)

diff --git a/website/content/en/releases/14.0R/relnotes.adoc b/website/content/en/releases/14.0R/relnotes.adoc index c9e3e0c3ff..534f45fa7f 100644 --- a/website/content/en/releases/14.0R/relnotes.adoc +++ b/website/content/en/releases/14.0R/relnotes.adoc 
@@ -127,6 +127,131 @@ This section lists the various Security Advisories and Errata Notices since {rel |=== +[[mfc-highlights]] +== Significant changes merged into FreeBSD 13.1 and FreeBSD 13.2 +FreeBSD 14.0 includes over two and a half years of development since the release of FreeBSD 13.0. +Some of this work was cherry-picked into older development branches, and was included in FreeBSD 13 minor releases. + +For 64-bit architectures, the base system is built with Position Independent Executable (PIE) support enabled by default. +It may be disabled using the `WITHOUT_PIE` knob. +gitref:9a227a2fd642[repository=src] + +There is a new `zfskeys` man:rc[8] service script, which allows for automatic decryption of ZFS datasets encrypted with ZFS native encryption during boot. +The `zfskeys` startup script supports autoloading of keys stored on ZFS. +See the man:rc.conf[5] manual page for more information. +gitref:33ff39796ffe[repository=src], gitref:8719e8a951b7[repository=src], gitref:97aeda224356[repository=src] +(Sponsored by Modirum and Klara Inc.) + +The `chroot` facility supports unprivileged operation, and the man:chroot[8] program has a `-n` option to enable its use. +gitref:a40cf4175c90[repository=src] +(Sponsored by EPSRC) + +man:md5sum[1] and similar message-digest programs compatible with those on Linux were added by having the corresponding BSD programs run with the `-r` option if the program name ends in `sum`. +gitref:086feed850c3[repository=src] +(Sponsored by Netflix) + +The use of FIDO/U2F hardware authenticators has been enabled in `ssh`, using the new public key types `ecdsa-sk` and `ed25519-sk`, along with corresponding certificate types. +FIDO/U2F support is described in https://www.openssh.com/txt/release-8.2[https://www.openssh.com/txt/release-8.2]. 
+gitref:e9a994639b2a[repository=src] +(Sponsored by The FreeBSD Foundation) + +The man:mgb[4] network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface. +The driver has a number of caveats and limitations, but is functional. +gitref:e0262ffbc6ae[repository=src] +(Sponsored by The FreeBSD Foundation) + +Two new daemons, man:rpc.tlsclntd[8] and man:rpc.tlsservd[8], are now built by default on amd64 and arm64. +They provide support for NFS-over-TLS as described in the Internet Draft entitled "Towards Remote Procedure Call Encryption By Default". +These daemons are built when WITH_OPENSSL_KTLS is specified. +They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates. +gitref:2b9cbc85d727[repository=src] gitref:59f6f5e23c1a[repository=src] + +UEFI firmware boot compatibility is improved for amd64. +See the man:loader.efi[8] `amd64 Nocopy` section for more detailed information. +gitref:f75caed644a5[repository=src](Sponsored by https://www.freebsdfoundation.org[The FreeBSD Foundation]) + +Boot time performance improvements have been made to many kernel subsystems. +(Sponsored by https://www.patreon.com/cperciva[https://www.patreon.com/cperciva]) + +man:nvme[4] error handling has been significantly improved. + +The handling of the lowest address on an IPv4 (sub)net (host 0) has been changed so that packets are not sent as a broadcast unless this address has been set as the broadcast address. +This makes the lowest address usable for a host. +The old behavior can be restored with the `net.inet.ip.broadcast_lowest` sysctl. +See https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/[https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/] for background information. 
+gitref:fd0765933c3c[repository=src] + +The man:growfs[7] startup script will now add a swap partition while expanding the root file system if possible, and if one did not previously exist. +This is primarily useful when installing on an SD card using a raw image. +A new man:rc.conf[5] variable has been added, `growfs_swap_size`, which can control the addition if necessary. +See man:growfs[7] for details. + +A new RC script, `zpoolreguid` has been added, which will assign a new GUID to one or more zpools, useful for virtualization environments when sharing datasets. + +The `hostid` startup script will now generate a random (version 4) UUID if there is no [.filename]#/etc/hostid# file and no valid UUID from hardware. +Also, if there is no [.filename]#/etc/machine-id# file, the `hostid_save` script will store a compact version of the hostid (one without hyphens) in [.filename]#/etc/machine-id#. +This file is used by libraries such as GLib. +gitref:62a149bf6219[repository=src] gitref:862aab6281a5[repository=src] gitref:baf1e9713969[repository=src] gitref:ecad3f5c4d92[repository=src] gitref:d6852eed98ed[repository=src] + +It is now possible to add default routes for FIBs other than the primary by using the `defaultrouter_fibN` and `ipv6_defaultrouter_fibN` man:rc.conf[5] variables. +gitref:30659d1dcbcc[repository=src] +(Sponsored by ScaleEngine Inc.) + +The man:bhyve[8] utility has gained virtio-input device emulation support. +This can be used to inject keyboard/mouse input events into a guest. +The command line syntax is: `-s ,virtio-input,/dev/input/eventX`. +gitref:054accac71e0[repository=src] + +The man:kdump[1] utility has gained support for decoding Linux system calls. + +An man:nproc[1] utility has been added, compatible with the Linux program of the same name. + +The man:uuidgen[1] utility has a new option `-r` to generate a random UUID, version 4. 
+gitref:f176fe8e7f63[repository=src] + +The man:bhyve[8] hypervisor and kernel module man:vmm[4] now support more than 16 vCPUs in a guest. +By default bhyve permits each guest to create the same number of vCPUs as the count of physical CPUs on the host. +This limit can be adjusted via the loader tunable `hw.vmm.maxcpu`. +gitref:ee98f99d7a68[repository=src] + +Address Space Layout Randomization (ASLR) is enabled for 64-bit executables by default. +It can be disabled as needed if applications fail unexpectedly, for example with segmentation faults. +To disable for a single invocation, use the man:proccontrol[1] command: `proccontrol -m aslr -s disable command`. +To disable ASLR for all invocations of a binary, use the man:elfctl[1] command: `elfctl -e +noaslr file`. +Problems should be reported via the problem reporting system, https://bugs.freebsd.org[], or posting to the `freebsd-stable@FreeBSD.org` mailing list. +gitref:b014e0f15bc7[repository=src] +(Sponsored by Stormshield) + +A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs. +The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption. +The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround. +gitref:cde70e312c3f[repository=src] (Sponsored by The FreeBSD Foundation) + +The state of the arm64 man:linux[4] ABI was brought to parity with the amd64 man:linux[4] ABI. +gitref:ccc510b46340[repository=src], gitref:9931033bbfbe[repository=src] + +In order to facilitate ABI compatibility of `stable` branches, the CPU affinity system calls are now more tolerant of CPU sets that are smaller than used by the kernel. +This will facilitate increases to the size of the kernel set, `MAXCPU`. +gitref:47a57144af25[repository=src] gitref:f35093f8d6d8[repository=src] +(Sponsored by Juniper Networks, Inc.) 
+ +It is now possible to take snapshots on UFS filesystems when running with journaled soft updates. +Thus it is now possible to do background dumps on live filesystems running with journaled soft updates. +Background dumps are requested by using the `-L` flag to man:dump[8]. +(In previous releases UFS snapshots were incompatible with journaled soft updates.) +gitref:78f412987605[repository=src] (Sponsored by The FreeBSD Foundation) + +The kernel man:wg[4] WireGuard driver has been reintegrated; it provides Virtual Private Network (VPN) interfaces using the WireGuard protocol. +gitref:744bfb213144[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate") and The FreeBSD Foundation) + +KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3. +Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3. +gitref:05a1d0f5d7ac[repository=src] (Sponsored by Netflix) + +Radix tables and lookups are now supported for MAC addresses in man:ipfw[4]. +This allows MAC address tables to be constructed and used for filtering. +gitref:81cac3906eb9[repository=src] + //// // Sample release notes entry. The man:fsck_msdosfs[8] utility includes a variety of enhancements, including reducing the memory footprint, a new flag, `-M`, which disables the use of man:mmap[2], and others. 
@@ -703,8 +828,10 @@ gitref:137818006de5[repository=src] Layer 3 filtering on man:if_bridge[4] will do surprising things which aren't fail-safe, so `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` now default to zero. gitref:22893e584032[repository=src] -man:netlink[4] is a user/kernel communication protocol used primarily for network configuration. -It has been expanded and improved, and a number of network configuration utilities have been converted to use netlink. +man:netlink[4] is a user/kernel communication protocol defined in RFC 3549 and used primarily for network configuration. +It has been expanded, improved, and enabled by default. +A number of network configuration utilities have been converted to use netlink. +gitref:3091d980f581[repository=src] The deprecated `NgATM` (netgraph ATM support) and remaining ATM support have been removed.
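
Review bot: In the first hunk's NFS-over-TLS entry, "are now built by default on amd64 and arm64" is followed by "These daemons are built when WITH_OPENSSL_KTLS is specified", which reads as two different build conditions; state which one holds (or that the knob defaults to on for those architectures) and put `WITH_OPENSSL_KTLS` in backticks as is done for `WITHOUT_PIE`. Several entries in the same hunk (boot time performance, man:nvme[4] error handling, man:growfs[7], `zpoolreguid`, man:kdump[1], man:nproc[1]) carry no gitref while the rest do, and the sponsor credits alternate between their own line and trailing the gitref, once with no separating space ("gitref:f75caed644a5[repository=src](Sponsored by"); making these consistent would let readers trace each item to its commit.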
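
Review bot: In the man:netlink[4] hunk, the new sentence says netlink has been "enabled by default" but names no option for turning it off, whereas the PIE and ASLR entries added earlier in this patch each name the knob or command that disables the feature; if such a switch exists, mention it here. "RFC 3549" is also bare text, while the other external references added in this patch are written as links.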