The release of the free UNIX-like operating system OpenBSD 7.7 has been announced. The OpenBSD project was founded by Theo de Raadt in 1995 after a conflict with the NetBSD developers, who denied Theo access to the NetBSD CVS repository. After that, Theo de Raadt and a group of like-minded people created a new open operating system based on the NetBSD source tree; its main development goals were portability (13 hardware platforms are supported), standardization, correct operation, proactive security and integrated cryptographic tools. The full installation ISO image of the base OpenBSD 7.7 system is 746 MB.
In addition to the operating system itself, the OpenBSD project is known for its components, which have become widespread in other systems and have proven to be among the most secure and high-quality solutions. Among them: LibreSSL (an OpenSSL fork), OpenSSH, the PF packet filter, the OpenBGPD and OpenOSPFD routing daemons, the OpenNTPD NTP server, the OpenSMTPD mail server, the tmux terminal multiplexer (similar to GNU screen), an identd daemon implementing the IDENT protocol, mandoc (a BSD-licensed alternative to the GNU groff package), the CARP (Common Address Redundancy Protocol) protocol for building fault-tolerant systems, a lightweight HTTP server, and the openrsync file synchronization utility.
Major changes:
- The implementation of the drm (Direct Rendering Manager) framework is synchronized with the Linux kernel 6.12.21 (in the previous release - 6.6.52). The inteldrm driver implements support for the GPU used in Intel processors based on the Arrow Lake microarchitecture. The amdgpu driver adds support for the Ryzen AI 300 (Strix Point, Strix Halo, Krackan Point) and Radeon RX 9070 (Navi 48) GPUs.
- The ARM64 port implements support for the SVE (Scalable Vector Extension) vector instruction set. On systems with Apple M1 chips, power states are now configured. In the physical memory page mapping mechanism (pmap, physical mapping), TLB (translation lookaside buffer) flush operations have been optimized, which speeds up a kernel build benchmark by about 5%. On hardware that supports the QARMA3 cipher, pointer authentication (PAC, Pointer Authentication Code) is enabled to protect user space.
- On x86_64 systems, support for the AMD SEV (Secure Encrypted Virtualization) mechanism, which protects virtual machines from interference by the hypervisor or the host system administrator, has been implemented for guest systems running under QEMU. A command for loading firmware into the chip has been added to the PSP (Platform Security Processor) driver, which is used to configure and launch guest systems with AMD SEV enabled.
- On x86_64 systems, the ability to allocate memory areas larger than 4 GB for DMA has been added.
- Improved support for RISC-V, Sparc64, HPPA, i386 and Powerpc64 architectures.
- Improved handling of out of memory (OOM) situations.
- The ptrace tracing mechanism has been enhanced to allow setting breakpoints in multithreaded processes from the gdb debugger. Requests have been added to read and write the area of the traced process where the processor state is saved by the XSAVE instruction.
- The BT scripts (BPFtrace or Bug Tracing) used in the btrace tracing system now support multi-line constructs. Additional profiles and time unit suffixes (hz, us, ms, s) have been added to the btrace utility.
- Added the sysctl parameter kern.audio.kbdcontrol; when it is set to 0, the multimedia volume control keys on the keyboard are treated as regular keys.
- Improved crash handling and expanded checks when switching to sleep and standby modes.
- Reworked the code for stopping processes when a signal is received, which solved problems with stopping multi-threaded processes that appeared in packages such as golang and mpv.
- Support for multiprocessor systems (SMP) has been improved. TCP input and output timers now run in parallel, and the send() and recv() system calls have been switched to a shared lock. Multiple user threads can now work with different sockets in parallel, and TCP output no longer blocks IP packet processing. The open, openat, ptsignal, psignal and prsignal system calls, as well as the kern.timeout_stats, kern.allowkmem, kern.video.record, net.inet.gre.allow, net.inet.gre.wccp, kern.global_ptrace, kern.wxabort and kern.malloc.kmemstat sysctls, have been released from the global kernel lock. The psp, wsmouse and wstpad drivers, as well as the video_filtops structure, have been moved to the mp-safe category.
- The vmm hypervisor now supports using acpipci to attach PCI buses.
- Provided the ability to define an alternative performance policy (perfpolicy) applied when the system is running on battery power.
- The sysctl command now has the "-f file" option to load all settings from a file at once. In rc scripts, the new option is used to load sysctl.conf as a whole, instead of parsing it line by line.
- The pkg_add command implements a call to ldconfig if the list of shared libraries has changed as a result of installing new packages.
- Added support for new hardware. Improved support for MediaTek and Qualcomm Snapdragon SoCs (including X Elite). Improved support for the Samsung Galaxy Book4 Edge, ThinkPad T14 Gen 5, Vivobook, ThinkPad X1 Nano Gen 2, ThinkPad X13, and various Chromebooks. Added the ice driver for Intel E810 Ethernet (1Gb/10Gb/25Gb/50Gb/100Gb) and the ixv driver for Intel Ethernet 82598EB, 82559, and X540 virtual functions. Work continues on offloading network operations to the network cards.
- sysupgrade has gained a mode for offline upgrades of systems using packages stored on the local file system.
- The fw_update utility can now download (but not install) firmware as a regular user without root privileges. The "-l" flag has been added to list drivers and files.
- The sshd-auth process now has exploit mitigation enabled based on random relinking of the executable at each system boot. Relinking makes the offsets of functions unpredictable, which makes it harder to build exploits using return-oriented programming (ROP) techniques.
- The mountd process is isolated using the unveil system call.
- The network stack implements support for AF_FRAME sockets and the IFT_ETHER protocol family, allowing applications to send and receive Ethernet frames. A new hashing method is used for outgoing UDP and TCP packets, which optimizes traffic distribution among queues and significantly (~20%) speeds up sending UDP for IPv4/IPv6 and TCP for IPv6. The tun device has the TUNSCAP ioctl implemented and the interaction between the kernel and user space has been optimized. A separate routing cache for each flow has been implemented. The vio driver has the multiqueue mode enabled.
- The pfctl utility allows network interfaces and queues to be configured with a throughput greater than 4 Gbit/s.
- In iked, the IKEv2 implementation for IPsec, the "natt" option has been added to force the use of NAT-T (NAT traversal).
- Relayd, a background process for redirecting and balancing requests, now supports client-side TLS certificates.
- The network performance measurement tool tcpbench has added TLS support.
- bgpd implements support for RFC 8654 (BGP Extended Message), RFC 8538 (BGP Notification Message), the "reject as-set" option is enabled by default, and Adj-RIB-Out caching is provided.
- LibreSSL 4.1.0 adds experimental support for the loongarch64 architecture, offers new assembler implementations of the SHA-1, SHA-256, and SHA-512 algorithms for the amd64 architecture (using the SHA-NI instructions) and new assembler implementations of SHA-256 and SHA-512 for AArch64 (using the CE extension), simplifies the MD5 implementation for amd64, provides caching of certificate revocation lists (CRLs), and ports the ML-KEM 768 and 1024 implementation from BoringSSL.
- OpenSSH has been updated. The list of changes can be found in the OpenSSH 10 announcement (DSA digital signature support has been removed, authentication operations have been separated into a separate sshd-auth process, and the hybrid key exchange algorithm "mlkem768x25519-sha256" is used by default).
- The number of ports for the AMD64 architecture is 12593 (previously 12312), for aarch64 12446 (previously 12148), and for i386 10429 (previously 10534). Among the application versions in the ports:
- Asterisk 16.30.1, 18.26.1, 20.13.0 and 22.3.0
- Audacity 3.7.3
- CMake 3.31.6
- Chromium 135.0.7049.52
- Emacs 30.1
- ffmpeg 6.1.2
- GCC 8.4.0 and 11.2.0
- GNOME 47
- Go 1.24.1
- JDK 8u442, 11.0.26, 17.0.14 and 21.0.6
- KDE Gears 24.12.3
- KDE Framework 6.12.0
- KDE Plasma 6.3.3
- Krita 5.2.9
- LLVM/Clang 13.0.0, 16.0.6, 18.1.8, 19.1.7
- LibreOffice 25.2.1.2
- Lua 5.1.5, 5.2.4, 5.3.6, 5.4.7
- MariaDB 11.4.5
- Mono 6.12.0.199
- Mozilla Firefox 137.0 and ESR 128.9.0
- Mozilla Thunderbird 128.9.0
- Mutt 2.2.14 and NeoMutt 20250113
- Node.js 22.14.0
- OpenLDAP 2.6.9
- PHP 8.2.28, 8.3.19 and 8.4.5
- Postfix 3.10.1
- PostgreSQL 17.4
- Python 2.7.18 and 3.12.9
- Qt 5.15.16 (+ patches from the KDE project) and 6.8.2
- Ruby 3.2.8, 3.3.7, 3.4.2
- Rust 1.86.0
- SQLite 3.49.1
- Shotcut 25.01.25
- Sudo 1.9.16p1
- Suricata 7.0.7
- Tcl/Tk 8.5.19 and 8.6.16
- Vim 9.1.1265 and Neovim 0.10.4
- Xfce 4.20.0
- Updated third party components included with OpenBSD 7.7:
- Xenocara graphics stack based on X.Org 7.7 with xserver 21.1.16 + patches, freetype 2.13.3, fontconfig 2.15.0, Mesa 23.3.6, xterm 395, xkeyboard-config 2.20, fonttosfnt 1.2.4.
- LLVM/Clang 16.0.6 (+ patches)
- GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
- Perl 5.40.1 (+ patches)
- NSD 4.9.1
- Unbound 1.22.0
- Ncurses 6.4
- Binutils 2.17 (+ patches)
- Gdb 6.3 (+ patches)
- Awk 20250116
- Expat 2.7.1
- zlib 1.3.1 (+ patches)
Source: opennet.ru
