FreeBSD 14.0-RELEASE Release Notes
Abstract
The release notes for FreeBSD 14.0-RELEASE contain a summary of the changes made to the FreeBSD base system on the 14-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
Introduction
This document contains the release notes for FreeBSD 14.0-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
The release distribution to which these release notes apply represents the latest point along the 14-STABLE development branch since 14-STABLE was created. Information regarding pre-built, binary release distributions along this branch can be found at https://www.FreeBSD.org/releases/.
The release distribution to which these release notes apply represents a point along the 14-STABLE development branch between 13.2-RELEASE and the future 14.1-RELEASE. Information regarding pre-built, binary release distributions along this branch can be found at https://www.FreeBSD.org/releases/.
This distribution of FreeBSD 14.0-RELEASE is a release distribution. It can be found at https://www.FreeBSD.org/releases/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 14.0-RELEASE can be found on the FreeBSD Web site.
This document describes the most user-visible new or changed features in FreeBSD since 13.2-RELEASE. In general, changes described here are unique to the 14-STABLE branch unless specifically marked as MERGED features.
Typical release note items document recent security advisories issued after 13.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Upgrading from Previous Releases of FreeBSD
Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity. Note that freebsd-update cannot be used to roll back to the previous release after updating to a new major version.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.
There have been a number of improvements in the boot loaders, and upgrading the boot loader on the boot partition is recommended in most cases, in particular if the system boots via EFI. If the root is on a ZFS file system, updating the boot loader is mandatory if the pool is to be upgraded, and the boot loader update must be done first. Note that ZFS pool upgrades are not recommended for root file systems in most cases, but updating the boot loader can avoid making the system unbootable if the pool is upgraded in the future. The bootstrap update procedure depends on the boot method (EFI or BIOS), and also on the disk partitioning scheme. The next several sections address each in turn.
Notes for systems that boot via EFI, using either binary or
source upgrades: There are one or more copies of the boot loader on
the MS-DOS EFI System Partition (ESP), used by the firmware to boot
the kernel. The location of the boot loader in use can be
determined using the command efibootmgr -v
. The value
displayed for BootCurrent
should be the number of the
current boot configuration used to boot the system. The
corresponding entry of the output should begin with a
+
sign, such as
+Boot0000* FreeBSD HD(1,GPT,f859c46d-19ee-4e40-8975-3ad1ab00ac09,0x800,0x82000)/File(\EFI\freebsd\loader.efi) nda0p1:/EFI/freebsd/loader.efi (null)
The ESP may already be mounted on /boot/efi. Otherwise, the partition may be
mounted manually, using the partition listed in the
efibootmgr
output (nda0p1
in this case):
mount_msdosfs /dev/nda0p1 /boot/efi
. See
loader.efi(8) for another example.
The value in the File
field in the efibootmgr
-v
output, \EFI\freebsd\loader.efi
in this
case, is the MS-DOS name for the boot loader in use on the ESP. If
the mount point is /boot/efi, this
file will translate to
/boot/efi/efi/freebsd/loader.efi
. (Case does not
matter on MS-DOSFS file sytems; FreeBSD uses lower case.) Another
common value for File
would be
\EFI\boot\bootXXX.efi
, where XXX
is
x64
for amd64, aa64
for aarch64, or
riscv64
for riscv64; this is the default bootstrap if
none is configured. Both the configured and default boot loaders
should be updated by copying from /boot/loader.efi to the correct path in
/boot/efi.
For systems that boot via BIOS and use the GPT partition scheme,
bootstrap upgrades are optional unless a ZFS root pool will be
upgraded (which is discouraged). Upgrades are only possible if the
freebsd-boot
partition is at least 180K. (512K is now
standard.) The device name and the partition index can be
identified using the command gpart show
, such as:
=> 34 246162605 ada0 GPT (224G) 34 1024 1 freebsd-boot (512K)
When using ZFS, the bootcode can be updated by running the
command gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1
ada0
. If updating with a UFS root, the bootcode can be
updated by running the command gpart bootcode -b /boot/pmbr
-p /boot/gptboot -i 1 ada0
, although this should not be
necessary. Note that the freebsd-boot
partition size
is running up against a hard limit, and this scheme may not be
supportable in the future. Users of such systems should consider an
upgrade to EFI, possibly by carving space from an existing swap
partition.
If the system boots via BIOS and uses the MBR partition scheme,
or has a GPT freebsd-boot
partition smaller than 180K,
then it is not possible to update the bootcode, and therefore to
upgrade the root ZFS storage pool.
Upgrading FreeBSD should only be attempted after backing up all data and configuration files. |
Security and Errata
This section lists the various Security Advisories and Errata Notices since 13.2-RELEASE.
Security Advisories
Advisory | Date | Topic |
---|---|---|
No advisories. |
Errata Notices
Errata | Date | Topic |
---|---|---|
No notices. |
Significant changes merged into FreeBSD 13.1 and FreeBSD 13.2
FreeBSD 14.0 includes over two and a half years of development since the release of FreeBSD 13.0. Some of this work was cherry-picked into older development branches, and was included in FreeBSD 13 minor releases.
For 64-bit architectures, the base system is built with Position
Independent Executable (PIE) support enabled by default. It may be
disabled using the WITHOUT_PIE
knob. 9a227a2fd642
(Sponsored by Stormshield)
There is a new zfskeys
rc(8) service script, which allows for automatic decryption of
ZFS datasets encrypted with ZFS native encryption during boot. The
zfskeys
startup script supports autoloading of keys
stored on ZFS. See the
rc.conf(5) manual page for more information. 33ff39796ffe,
8719e8a951b7,
97aeda224356
(Sponsored by Modirum and Klara Inc.)
The chroot
facility supports unprivileged
operation, and the
chroot(8) program has a -n
option to enable its
use. a40cf4175c90
(Sponsored by EPSRC)
md5sum(1) and similar message-digest programs compatible with
those on Linux were added by having the corresponding BSD programs
run with the -r
option if the program name ends in
sum
. 086feed850c3
(Sponsored by Netflix)
The use of FIDO/U2F hardware authenticators has been enabled in
ssh
, using the new public key types
ecdsa-sk
and ed25519-sk
, along with
corresponding certificate types. FIDO/U2F support is described in
https://www.openssh.com/txt/release-8.2.
e9a994639b2a
(Sponsored by The FreeBSD Foundation)
The igc(4) driver for the Intel I225 Ethernet controller has been added, supporting 2.5 Gbps operation. 517904de5cca (Sponsored by Rubicon Communications, LLC ("Netgate"))
The mgb(4) network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface. The driver has a number of caveats and limitations, but is functional. e0262ffbc6ae (Sponsored by The FreeBSD Foundation)
Two new daemons, rpc.tlsclntd(8) and rpc.tlsservd(8), are now built by default on amd64 and arm64. They provide support for NFS-over-TLS as described in the Internet Draft entitled "Towards Remote Procedure Call Encryption By Default". These daemons are built when WITH_OPENSSL_KTLS is specified. They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates. 2b9cbc85d727 59f6f5e23c1a
UEFI firmware boot compatibility is improved for amd64. See the
loader.efi(8) amd64 Nocopy
section for more
detailed information. f75caed644a5(Sponsored
by The FreeBSD
Foundation)
Boot time performance improvements have been made to many kernel subsystems. (Sponsored by https://www.patreon.com/cperciva)
nvme(4) error handling has been significantly improved.
The handling of the lowest address on an IPv4 (sub)net (host 0)
has been changed so that packets are not sent as a broadcast unless
this address has been set as the broadcast address. This makes the
lowest address usable for a host. The old behavior can be restored
with the net.inet.ip.broadcast_lowest
sysctl. See
https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/
for background information. fd0765933c3c
The
growfs(7) startup script will now add a swap partition while
expanding the root file system if possible, and if one did not
previously exist. This is primarily useful when installing on an SD
card using a raw image. A new
rc.conf(5) variable has been added,
growfs_swap_size
, which can control the addition if
necessary. See
growfs(7) for details.
A new RC script, zpoolreguid
has been added, which
will assign a new GUID to one or more zpools, useful for
virtualization environments when sharing datasets.
The hostid
startup script will now generate a
random (version 4) UUID if there is no /etc/hostid file and no valid UUID from hardware.
Also, if there is no /etc/machine-id
file, the hostid_save
script will store a compact
version of the hostid (one without hyphens) in /etc/machine-id. This file is used by libraries
such as GLib. 62a149bf6219
862aab6281a5
baf1e9713969
ecad3f5c4d92
d6852eed98ed
It is now possible to add default routes for FIBs other than the
primary by using the defaultrouter_fibN
and
ipv6_defaultrouter_fibN
rc.conf(5) variables. 30659d1dcbcc
(Sponsored by ScaleEngine Inc.)
The
bhyve(8) utility has gained virtio-input device emulation
support. This can be used to inject keyboard/mouse input events
into a guest. The command line syntax is: -s
<slot>,virtio-input,/dev/input/eventX
. 054accac71e0
The kdump(1) utility has gained support for decoding Linux system calls.
An nproc(1) utility has been added, compatible with the Linux program of the same name.
The
uuidgen(1) utility has a new option -r
to generate
a random UUID, version 4. f176fe8e7f63
The
bhyve(8) hypervisor and kernel module
vmm(4) now support more than 16 vCPUs in a guest. By default
bhyve permits each guest to create the same number of vCPUs as the
count of physical CPUs on the host. This limit can be adjusted via
the loader tunable hw.vmm.maxcpu
. ee98f99d7a68
Address Space Layout Randomization (ASLR) is enabled for 64-bit
executables by default. It can be disabled as needed if
applications fail unexpectedly, for example with segmentation
faults. To disable for a single invocation, use the
proccontrol(1) command: proccontrol -m aslr -s disable
command
. To disable ASLR for all invocations of a binary,
use the
elfctl(1) command: elfctl -e +noaslr file
.
Problems should be reported via the problem reporting system,
https://bugs.freebsd.org, or posting to the
freebsd-stable@FreeBSD.org
mailing list. b014e0f15bc7
(Sponsored by Stormshield)
LLVM’s AddressSanitizer can be used in amd64 kernels. See the kasan(9) manual page for more information. 38da497a4dfc (Sponsored by The FreeBSD Foundation)
A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs. The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption. The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround. cde70e312c3f (Sponsored by The FreeBSD Foundation)
The state of the arm64 linux(4) ABI was brought to parity with the amd64 linux(4) ABI. ccc510b46340, 9931033bbfbe
In order to facilitate ABI compatibility of stable
branches, the CPU affinity system calls are now more tolerant of
CPU sets that are smaller than used by the kernel. This will
facilitate increases to the size of the kernel set,
MAXCPU
. 47a57144af25
f35093f8d6d8
(Sponsored by Juniper Networks, Inc.)
It is now possible to take snapshots on UFS filesystems when
running with journaled soft updates. Thus it is now possible to do
background dumps on live filesystems running with journaled soft
updates. Background dumps are requested by using the
-L
flag to
dump(8). (In previous releases UFS snapshots were incompatible
with journaled soft updates.) 78f412987605
(Sponsored by The FreeBSD Foundation)
The kernel wg(4) WireGuard driver has been reintegrated; it provides Virtual Private Network (VPN) interfaces using the WireGuard protocol. 744bfb213144 (Sponsored by Rubicon Communications, LLC ("Netgate") and The FreeBSD Foundation)
KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3. Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3. 05a1d0f5d7ac (Sponsored by Netflix)
Radix tables and lookups are now supported for MAC addresses in ipfw(4). This allows MAC address tables to be constructed and used for filtering. 81cac3906eb9
Changes new to 14.0-RELEASE
Userland
This section covers changes and additions to userland applications, contributed software, and system utilities.
Userland Configuration Changes
The default shell for the root user is now sh(1), which has many new features for interactive use. d410b585b6f0
The default mail transport agent (MTA) is now the Dragonfly Mail Agent (dma(8)) rather than sendmail(8). Configuration of the MTA is done via mailer.conf(5). sendmail(8) and its configuration remain available. a67b925ff3e5
The mta_start_script
configuration variable has
been retired from
rc.conf(5), along with the othermta
startup
script. 616f32ea6da7
jail(8) now supports .include
directives in
jail.conf(5) files, with support for filename globbing.
e82a62943529
The one-time password facility OPIE,
opie(4), has been removed from the base system. If you still
wish to use it, install the security/opie
port. Otherwise, make sure to remove or comment out any mention of
pam_opie
and pam_opieaccess
from your PAM
policies.
etcupdate(8) will normally take care of this for the stock
policies. 0aa2700123e2
The SHARED_TOOLCHAIN
build configuration option has
been removed. Building a statically-linked toolchain is still
possible using the general NO_SHARED
option. 77f6be448408
(Sponsored by The FreeBSD Foundation)
Locale handing has been upgraded to CLDR 41.0 and Unicode 14.0. e87ec409fa9b
The layout configuration has been added for the new French bépo keyboard (version 1.1rc2) normalized by French national organization for standardization as "NF Z71‐300". abdcd967dc0c
An rc.d
script (see
rc(8)) is now allowed to have a status
method even
if it does not define procname
or have a PID file.
2651609fcbd7
Userland Application Changes
The base64(1) utility has been added. 540a99289bb1
The bhyve(8) hypervisor now has optional TPM (Trusted Platform Module) passthrough support. This is not direct access, but commands from the guest are forwarded to the physical TPM. 67c26eb2a57c
GPU passthrough has been improved in bhyve(8) for AMD and Intel GPUs. This is a work in progress; passthrough does not work in all cases, and the configuration is not yet documented.
The cpuset(1) utility has been moved from /usr/bin to /bin so that it is always available during startup processing. /usr/bin/cpuset is now a symbolic link. f05948d4e98d
The
date(1) utility now has a -z
option for timezone
conversion. 31edf56b1571
The
diff(1) utility now supports a --color
option for
colorized output. f38702e5a52e
The deprecated fmtree(8) utility has been removed. e4d63c5d5ff8
freebsd-update(8) now documents that files under /var/db/freebsd-update may be deleted if an upgrade is not in progress and rollback will not be required. 80b003e81684 (Sponsored by The FreeBSD Foundation)
A new fwget(8) utility inspects the system for peripherals that need firmware, and installs the appropriate packages for them. For now, only the PCI subsystem is supported, and only video firmware for Intel and AMD GPUs is known. d198b8774d2c d198b8774d2c (Sponsored by Beckhoff Automation GmbH & Co. KG)
The usability of
head(1) and
tail(1) has been improved by consistently supporting the
-q
and -h
options, allowing numbers with
SI suffixes, and removing the 2^31 limit on lines for
head(1). 643ac419fafb
makefs(8) now has experimental ZFS support. It can create a ZFS pool, backed by a single disk vdev, containing one or more datasets populated from the staging directory. 240afd8c1fcc (Sponsored by The FreeBSD Foundation)
The minigzip(1) utility has been removed. 278d080bad9F
The
mandoc(1) utility has a workaround for lack of macro processing
in list -width
handling, resulting in more accurate
widths for list columns. bbb2d2ce4220
(Sponsored by Dell EMC Isilon)
The
mixer(8) utility no longer tries to guess whether a volume is
absolute or a percent. It now accepts a percentage with
%
appended, otherwise a volume is absolute. 4014365e4219
The netcat
utility
nc(1) can now be an if_tun
(tun(4))
broker. cef7ab70ff44
(Sponsored by Zenarmor) (Sponsored by OPNsense) (Sponsored by
Klara, Inc.)
The
netstat(1) utility now computes correct column widths with the
-i
option, making the -w
option
unnecessary. 372e3d561d82
The
portsnap(8) utility has been removed. Users are encouraged to
fetch the ports tree by using pkg install git
and then
git clone https://git.FreeBSD.org/ports.git
/usr/ports
. df53ae0fdd98
The pw(8) and bsdinstall(8) programs now create home directories for users in /home by default rather than /usr/home. The default symbolic link for /home, referencing /usr/home, is no longer created. bbb2d2ce4220
The
sleep(1) utility now accepts units other than seconds, and
accepts multiple delay values that are summed (for example,
1h 30m
). 34978f7edd15
be038c3afcae
The sockstat(1) utility is now run in a sandbox with capsicum. 94dc57159532 c5a2d8c5f517
The
systat(1) utility has a new command, iolat
, which
reports I/O latencies computed by the CAM I/O scheduler. 22054f88914b
(Sponsored by Netflix)
A new utility, tcpsso(8), is able to apply a socket option to an existing TCP endpoint, for example changing the congestion control module or the TCP stack. 881631a2a371 (Sponsored by Netflix)
The Telnet daemon, telnetd(8), has been removed. A port is available if necessary, net/freebsd-telnetd. The client is not affected. 0eea46fb1f83
The PROFILE
option is disabled by default, thus
profiled versions of system libraries are not provided.
Hardware-based profiling (e.g.
hwpmc(4)) is preferred. fe52b7f60ef4
(Sponsored by The FreeBSD Foundation)
Compressed debug sections in binaries are enabled by default on little-endian targets. 47363e99d3d3 (Sponsored by The FreeBSD Foundation)
Configuration has been added to produce armv7 distribution sets, which can be useful in building jails on arm64. ac099daf6742
Contributed Software
One True Awk (awk(1))
has been updated to 20210727, which is 1st edition. (2nd edition
will be included in 14.1-RELEASE.) All the FreeBSD patches but one
have now been either up-streamed or discarded. Notable changes
include: locale is no longer used for ranges; better compatibility
with gawk
and mawk
. Note that hex strings
are interpreted as numbers as in earlier FreeBSD versions. This
will change in FreeBSD 15 to agree with upstream and current POSIX
standards. f39dd6a97844
23f24377b1a9
628bd30ab5a4
The bc(1) and dc(1) commands have been updated to version 6.6.0, which fixes a problem with line editing and complex scripts with multiple read() commands, and adds some functions to bc’s (non-standard) extended math library.
libbsdxml
(expat
,
libbsdxml(3)) has been upgraded to version 2.4.7. 7ed8e142a00d
libfido2
has been upgraded to version 1.13.0.
f540a43052c1
3e696dfb7009
95321fff46ec
(Sponsored by The FreeBSD Foundation)
The llvm-objdump(1) utility is now always installed as objdump(1). 86edb11e7491 (Sponsored by The FreeBSD Foundation)
OpenSSH has been upgraded to version 9.5p1. Full release notes are at https://www.openssh.com/txt/release-9.5. 676824f5cdf9 (Sponsored by The FreeBSD Foundation)
The scp(1) utility now defaults to the SFTP protocol, rather than the legacy scp/rcp protocol. This removes the need for double-quoting wildcard expansion characters. fb5aabcb990b (Sponsored by The FreeBSD Foundation)
RSA/SHA-1 signatures are now disabled by default in ssh(1). It is possible to enable them on a per-host basis in a user’s ~/.ssh/config file. 8c22023ca5e1 (Sponsored by The FreeBSD Foundation)
The VerifyHostKeyDNS
option for
ssh(1) now defaults to no
, following the OpenSSH
distribution. The X11Forwarding
option also defaults
to no
. 41ff5ea22cb9
77934b7a1301
(Sponsored by The FreeBSD Foundation)
HPN option handling has been removed from OpenSSH. HPN support was deprecated long ago, but the configuration options were still accepted (and ignored) for backwards compatibility. 348bea10b6f2 (Sponsored by The FreeBSD Foundation)
The VersionAddendum
option has been removed from
the
ssh(1) client. bffe60ead024
(Sponsored by The FreeBSD Foundation)
OpenSSL has been upgraded to version 3.0.12. This is a major upgrade from version 1.1.1, which has reached its end of life. Many components of the base system use a backward-compatible API, but will be migrated later. aa7957345732 930cec16d9ee b077aed33b7b (Sponsored by The FreeBSD Foundation)
tcpdump
has been upgraded to version 4.99.4.
ee67461e5682
171a7bbfc048
1ad8d2ee1f7d
(Sponsored by The FreeBSD Foundation)
libpcap
has been upgraded to version 1.10.4.
6f9cba8f8b5e
dd744a896be3
(Sponsored by The FreeBSD Foundation)
xz
has been upgraded to version 5.4.3.
zlib
has been upgraded to version 1.3.
zstd
has been upgraded to version 1.5.2. (Sponsored
by Klara, Inc)
Deprecated Applications
mergemaster(8) has been deprecated. Its replacement is etcupdate(8). 398b12691b4f (Sponsored by The FreeBSD Foundation)
Runtime Libraries and API
The libncursesw
library (see
ncurses(3X)) has been split into libtinfow
and
libncursesw
. Linker scripts should make this
transparent for consumers.
pkg-config(8) files are now installed, to ease ports detecting
the ncurses
setup from base. 396851c20aeb
The ncurses(3X) library is now able to use terminfo(5) as well as termcap(5), and uses terminfo preferentially. 61f66a1f4403
The default search path for terminfo databases in ncurses(3X) now includes /usr/local/share/terminfo, facilitating the use of a database from ports or packages. b75fb12b6827
The prototype of qsort_r(3) has been modified to match POSIX, which adopted the glibc-based interface. af3c78886fd8
The COMPAT_LIB32
build option has been implemented
for aarch64 (arm64) and is enabled by default. This provides armv7
32-bit-compatible libraries and header files for arm64 systems for
building and running most armv7 32-bit binaries. f1d5183124d3
d5d97bed4ab6
a1b675731301
Cloud Support
This section covers changes in support for cloud environments.
FreeBSD now provides experimental ZFS-root EC2 AMIs on AWS. (Sponsored by https://www.patreon.com/cperciva)
FreeBSD now provides experimental cloud-init EC2 AMIs on AWS. See the net/cloud-init port for information. (Sponsored by https://www.patreon.com/cperciva)
FreeBSD now provides arm64 as well as amd64 images for Azure. Both UFS and experimental ZFS images are available. Gen2 VMs are now supported. (Sponsored by The FreeBSD Foundation) (Sponsored by Microsoft)
The Microsoft Azure Network Adapter (MANA) VF (virtual function) is now supported. ce110ea12fce (Sponsored by Microsoft)
The Google Virtual NIC (gve(4)) is now supported. 54dfc97b0bd9 (Sponsored by Google)
Kernel
This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.
General Kernel Changes
The SMP system now supports up to 1024 cores on amd64 and arm64. Many kernel CPU sets are now dynamically allocated to avoid consuming excessive memory. The kernel cpuset ABI has been updated to support the higher limit. 76887e84be97 d1639e43c589 9051987e40c5 e0c6e8910898 (Sponsored by The FreeBSD Foundation)
The ACPI system now supports the _CR3
critical
standby (S3
) threshold. b8a0dfb17e3b
The acpi_timer_test
is disabled by default, forcing
the use of ACPI-fast rather than ACPI-safe, and speeding the boot
process. The broken-ACPI-timers workaround can be re-enabled by
setting the hw.acpi.timer_test_enabled=1
tunable. If
timekeeping issues are observed, please test with
hw.acpi.timer_test_enabled=1
in
loader.conf(8) and report if that fixes the problem. a8b89dff6ac0
boottrace(4) is a new kernel-userspace interface for capturing
trace events during system boot and shutdown. Event annotations are
present in the boot and shutdown paths in the kernel; system
utilities (init(8),
shutdown(8),
reboot(8)); and
rc(8) scripts (via
boottrace(8)).
boottrace(4) focuses on ease of use and is aimed primarily at
system administrators. It is available in the default
GENERIC
kernel and can be enabled by toggling a
sysctl(8) variable. da5b7e90e740
5a8fceb3bd9f
7b0a665d72c0
13ec1e3155c7
318d0db5fe8a
1ae2c59bcf21
(Sponsored by NetApp, Inc.) (Sponsored by Klara, Inc)
Support has been added to the kernel crypto for the XChaCha20-Poly1035 AEAD cipher. 8f35841f1f35 (Sponsored by The FreeBSD Foundation)
An API has been added to the kernel crypto for curve25519. 0c6274a819ff (Sponsored by The FreeBSD Foundation)
FreeBSD can now run inside the Firecracker VMM via the amd64
FIRECRACKER
kernel configuration. 469ad8603127
(Sponsored by https://www.patreon.com/cperciva)
FreeBSD now reboots faster. The
kern.reboot_wait_time
sysctl has been added to control
the delay before rebooting after printing all kernel messages on
the console. It defaults to 0. Setting it to 1 restores the
previous behavior (1 second delay). 84ec7df0d796
(Sponsored by https://www.patreon.com/cperciva)
A new DTrace provider, kinst
, has been added; see
dtrace_kinst(4). The provider allows kernel instructions to be
traced, similar to the FBT (function boundary tracing) provider
except that all instructions may be probed instead of just logical
entry and return instructions. f0bc4ed144fc
(Sponsored by Google, Inc. via GSoC 2022)
kinst
was ported to arm64 and riscv. 07864a8a2466
2d7bb03adb43
(Sponsored by The FreeBSD Foundation)
LLVM’s MemorySanitizer can now be used in amd64 kernels. See the kmsan(9) manual page for more information. a422084abbda (Sponsored by The FreeBSD Foundation)
LLVM’s AddressSanitizer can now be used in arm64 kernels as well as amd64. See the kasan(9) manual page for more information. 89c52f9d59fa (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)
Support for asymmetric cryptographic operations has been removed from the kernel open cryptographic framework (OCF), as they are not used by modern OpenSSL versions. 76681661be28
A native timerfd(2) facility has been added to facilitate porting Linux programs that use timerfd. Previously, timerfd was only available under Linux emulation. For programs written only for FreeBSD, the kqueue(2) EVFILT_TIMER filter is preferred for establishing arbitrary timers. af93fea71038
The process visibility policy controlled by the
security.bsd.see_jail_proc
sysctl(8) knob was hardened by preventing unauthorized users
from attempting to kill, change priority of or debug processes with
same (real) UID in a sub-jail at random, which, provided the PID of
such a process is guessed correctly, would succeed even if these
processes are not visible to them. It was also made overridable by
MAC policies, as are the other process visibility policies.
7e21c691f295
63c01c18a8d3
(Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD
Foundation)
The process visibility policy controlled by the
security.bsd.see_other_gids
sysctl(8) knob was fixed to consider the real group of a
process instead of its effective group when determining whether the
user trying to access the process is a member of one of the
process' groups. The rationale is that some user should continue to
see processes it has launched even when they acquire further
privileges by virtue of the setgid bit, whereas they should not see
processes launched by a privileged user that temporarily enters the
user’s primary group. This new behavior is consistent with what
security.bsd.see_other_uids
has always been doing for
user IDs (i.e., considering some process' real user ID and not the
effective ID). 26ff4836c888
(Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD
Foundation)
The Zenbleed bug affecting AMD Zen2 processors is now
automatically mitigated (via chicken bit), preventing misbehavior
and data leaks on affected machines. If needed, applying the
mitigation can be manually controlled via the
machdep.mitigations.zenbleed.enable
sysctl(8) knob. Please consult the new
mitigations(7) manual page for more information. aea76bab1416
(Sponsored by The FreeBSD Foundation)
Devices and Drivers
This section covers changes and additions to devices and device drivers since 13.2-RELEASE.
Device Drivers
The default speed for serial communication in boot loaders,
kernel, and userland is now 115200 bps. Note that the early x86
BIOS bootloader (i.e., boot0sio
) does not support
rates above 9600 bps and is not changed. boot0sio
users may set BOOT_COMCONSOLE_SPEED=9600 to use 9600 for all of the
boot components, or use the standard boot0
and have
the boot2
stage start with the serial port at 115200.
4722ceb7d53e
(Sponsored by The FreeBSD Foundation)
The default bell tone is now 800Hz. It can be set with kbdcontrol(1) again. There is integration with devd(8) for people wishing to use their sound cards for the beep. ba48d52ca6c8 4ac3d08a9693 2533eca1c2b9 (Sponsored by Netflix)
When using the default
vt(4) console, the audible bell is no longer enabled by
default. It can be enabled with these commands: sysctl
kern.vt.enable_bell=1
and kbdcontrol -b normal
.
225639e7db68
Improvements have been made in DPAA2 (second generation Data
Path Acceleration Architecture — a hardware-level networking
architecture found in some NXP SoCs). It runs NXP-supplied firmware
which provides DPAA2 objects as an abstraction layer, and provides
a dpni
network interface. Separation between DPAA2
channels has been improved significantly in order to isolate access
to the DMA resources and cleanup operations, and avoid kernel
panics under heavy network load (1 Gbit/s links). Other
improvements include FDT/ACPI MDIO support, netboot over DPAA2 and
separate command portals (DPMCP) support.
Support for the Arm Corelink DMC-620 Memory Controller, and the
CMN-600 Coherent Mesh Network Controller, have been added to
hwpmc(4) and libpmc
. See
pmc.dmc-620(3) and
pmc.cmn-600(3). 1459a22787ea
59191f3573f6
(Sponsored by ARM) (Sponsored by Ampere Computing)
A fix has been implemented for frame buffer addressing that affects frame buffers mapped above 4 GB physical on i386 and Book-E powerpc. a78bb831a17f
The iwlwifi(4) driver for Intel wireless interfaces has been updated to the latest version, supporting chipsets up to WiFi 6E AX411/AX211/AX210, and with preparations for upcoming BX and SC chipsets. (Sponsored by The FreeBSD Foundation)
The rtw88(4) driver for Realtek wireless PCI interfaces has been updated.
A kvm_clock driver has been added for the KVM paravirtualized clock. 6c69c6bb4c7f (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)
There have been stability fixes and enhancements to the KPI to support Linux device drivers, along with the net80211 layer for wireless drivers. (Sponsored by The FreeBSD Foundation)
NVMe disks are now nda
devices by default, for
example nda0
; see
nda(4). Symbolic links for the previous
nvd(4) device names are created in /dev. However, configuration such as
fstab(5) should be updated to refer to the new device names.
Options to control the use of nda
devices and symbolic
links are described in
nda(4). bdc81eeda05d
(Sponsored by Netflix)
The previous
qat(4) driver has been replaced with Intel’s QAT driver. The
new version provides additional interfaces to the chipset’s
cryptographic and compression offload functionality. This will have
no visible change for most users; however, the new driver does not
support Atom C2000 chipsets. To preserve support for those
chipsets, the old driver has been renamed to
qat_c2xxx
. Users of
qat(4) on C2000 hardware will thus need to ensure that
qat_c2xxx(4) is loaded instead of
qat(4). 78ee8d1c4cda
f4f56ff43dbd
(Sponsored by Intel Corporation)
Deprecated and Removed Drivers
The
pms(4) driver, pmspcv
, has been removed from the
GENERIC
kernel configurations for x86, as it was large
and uncommonly used. It can be loaded as a module by placing
pmspcv_load="YES"
in
loader.conf(5). 95e4f5ef7cce
(Sponsored by Rubicon Communications, LLC ("Netgate"))
The VESA option has been removed from the x86
GENERIC
and MINIMAL
kernel
configurations. It is still available as a kernel module. VESA is
not used by the default console,
vt(4). 777526ed8382
b8cf1c5c30a5
(Sponsored by The FreeBSD Foundation)
Drivers for ISA sound cards have been removed. 92e6b4712b53 df51e63eb5d7 aa83e9b189d6 754decef384a 5126e5eeeb5e 716924cb4832 9054e296819f (Sponsored by The FreeBSD Foundation)
The AHB bus front end has been removed from ath(4), as it was used only by MIPS. 37c8ee8847fa
The deprecated amr(4) driver has been removed. 60de2867c9fc (Sponsored by Netflix)
The obsolete iscsi_initiator(4) has been removed. Its replacement, iscsi(4), was introduced several major releases ago. 48cb3fee2586 (Sponsored by The FreeBSD Foundation)
The deprecated iir(4) driver has been removed. 399188a2c60c (Sponsored by Netflix)
The deprecated mn(4) sync serial driver has been removed. 0cff00ae682a (Sponsored by The FreeBSD Foundation)
The deprecated mly(4) driver has been removed. a9620045a5b9 (Sponsored by Netflix)
The deprecated nlmrsa(4) driver has been removed. 6a06b00a0d1f (Sponsored by Chelsio Communications)
The deprecated twa(4) driver has been removed. 8722e05ae149 (Sponsored by Netflix)
Storage
This section covers changes and additions to file systems and other storage subsystems, both local and networked.
General Storage
gconcat(8) and its kernel support now have the ability to append devices to the concatenated device that were not present when the gconcat device was created. d575e81fbcfa
A new gunion(8) utility tracks changes to a read-only disk on a writable disk. This can be useful for making tentative changes to the disk, such as file system repairs or software upgrades, and then either committing or reverting them. c7996ddf8000 (Sponsored by Netflix)
In the course of debugging and resolving a problem with vnode
recycling in the generic file system code, sysctls for
vnode-related statistics have been grouped under
vfs.vnode
for greater visibility. d3e647891243
NFS Changes
NFS now supports running an NFS server in a VNET jail, including
nfsd(8),
nfsuserd(8),
mountd(8),
gssd(8), and
rpc.tlsservd(8). The VNET jail must be on its own file system,
have the allow.nfsd
jail parameter set, and
enforce_statfs
cannot be set to 0
. Use of
UDP and pNFS server configurations is not permitted. 7344856e3a6d
and many others
For NFSv4 mounts, the NFS client now uses the highest minor
version of NFSv4 supported by the NFS server by default instead of
minor version 0. The minorversion
mount option may be
used to override this default. a145cf3f73c7
The FreeBSD NFS client can now be set to use a 1 Mbyte I/O size
via the vfs.maxbcachebuf
tunable; the Linux NFS client
can also do 1 Mbyte I/O. The value of
kern.ipc.maxsockbuf
will need to be increased to do
this. A console message will suggest a setting for it. Note that
the maximum I/O size for the FreeBSD NFS server can be increased to
any power of 2 up to 1 Mbyte using the sysctl
vfs.nfsd.srvmaxio
while
nfsd(8) is not running. ee29e6f31111
The NFSv4.1/4.2 client and server will now generate console messages if sessions are broken, suggesting that users check to ensure that the values in /etc/hostid strings are unique for all NFSv4.1/4.2 clients. b875d4f5ddcb 0685c73cfe88
NFSv4.1/4.2 mounts with the intr
mount option are
now fairly usable, although not 100% correct, so long as the
nolockd
mount option is used as well. See the
mount_nfs(8) manual page for more information. 981ef32230b2
33721eb991d8
A new syskrb5
mount option is availble for
Kerberized NFSv4.1/4.2 mounts. A feature of NFSv4.1/4.2 is used to
provide AUTH_SYS
authentication, and thus no Kerberos
credential is required at mount time. See
mount_nfs(8). 896516e54a8c
Support for SP4_MACH_CRED
has been added in NFS
mount protocol in the NFS server. That facility is used by the
Linux NFSv4.1/4.2 client for Kerberized mounts. It was handled by a
fallback in the past, but is now supported directly. 330aa8acdec7
ff2f1f691cdb
UFS Changes
It is now possible to perform background file system checks using a snapshot on UFS file systems running with journaled soft updates. (Sponsored by The FreeBSD Foundation)
Superblocks, cylinder group maps, and inodes have had check hashes added to detect corruption. Far more extensive checks are made of the superblock (120) and cylinder groups (20) than just the magic number check done previously. (Sponsored by The FreeBSD Foundation)
The libufs(3) library has been updated to include these checks so that they are now done by all the filesystem utilities. The checks are implemented in one kernel file that is also included by libufs. Another change to libufs is that the code to find alternate superblocks has been moved from fsck_ffs(8) into the shared file so it is now available in the kernel loader as well as all the filesystem utilities. (Sponsored by The FreeBSD Foundation)
ZFS Changes
OpenZFS has been upgraded to version 2.2. New features include:
-
block cloning, which allows shallow copies of blocks in file copies. This is optional, and disabled by default; it can be enabled with
sysctl vfs.zfs.bclone_enabled=1
. -
scrub error log (
zpool scrub -e
) -
BLAKE3 checksums, which are fast, and are now the recommended secure checksums
-
corrective
zfs receive
can heal corrupted data -
vdev and zpool user properties, similar to dataset user properties.
Performance improvements include:
-
fully adaptive ARC, a unified ARC that minimizes the need for manual tuning
-
zstd early abort, improving efficiency with uncompressible data
-
I/O prefetch improvements
-
general optimization.
ZFS has been enabled on 32-bit powerpc/powerpcspe. 63715498ac6b
Other Storage Changes
The msdosfs(5) file system now records available directory entries in the root directory of FAT12 and FAT16 file systems (e.g. EFI boot partitions) and reports them as inodes. c33db74b5323
The msdosfs(5) file system now correctly calculates the available and used blocks of FAT12 and FAT16 file systems, and no longer rejects mounting file systems created using valid but uncommon parameters. 0728695c63e
The synthetic file systems (devfs(5), procfs(5), etc.) now report 0 blocks used so that they are not reported as 100% full. 88a795e80c03
The tarfs(5) file system has been added, which is backed by POSIX tar archives optionally compressed with zstd(1). 69d94f4c7608 (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)
Boot Changes
This section covers the boot loader, boot menu, and other boot-related changes.
Boot Loader Changes
The lua-flavored
loader(8) will now interpret .lua
files that appear in loader_conf_files
as lua, and
execute them in a sandbox. Existing loader environment variables
are available as globals in the sandbox, and any global variable
set, if not a table value, will be reflected in the loader
environment upon successful execution of the configuration file.
Environment variables with names that aren’t valid lua names may be
accessed as indices of _ENV
; e.g.,
_ENV['net.fibs']
. 3cb2f5f369ec
EC2 instances now boot using UEFI where available, substantially speeding the boot process. b43d7aa09b3c bcf9147144f3 (Sponsored by https://www.patreon.com/cperciva)
Networking
This section describes changes that affect networking in FreeBSD.
General Network
carp(4) now supports configuration of the address to which carp messages are sent, allowing the use of unicast addresses. This is useful in certain virtual configurations. See carp(4) and ifconfig(8). 137818006de5
Layer 3 filtering on
if_bridge(4) will do surprising things which aren’t fail-safe,
so net.link.bridge.pfil_member
and
net.link.bridge.pfil_bridge
now default to zero.
22893e584032
netlink(4) is a user/kernel communication protocol defined in RFC 3549 and used primarily for network configuration. It has been expanded, improved, and enabled by default. A number of network configuration utilities have been converted to use netlink. 3091d980f581
The deprecated NgATM
(netgraph ATM support) and
remaining ATM support have been removed.
The
pf(4) packet filter now supports scrubbing with OpenBSD syntax
and behavior. If there are no FreeBSD scrub rules, a global flag
set reassemble yes | no [no-df]
determines whether
packet reassembly is done. Scrubbing, like setting tos, ttl, etc,
can be done in match and pass rules, which also makes it stateful.
Match rules are now fully supported, as on OpenBSD, not only for
dummynet(4) queues. 39282ef356db
(Sponsored by InnoGames GmbH)
pfsync(4) can now use IPv6 transport. 6fc7fc2dbb2b (Sponsored by InnoGames GmbH) (Sponsored by The FreeBSD Foundation)
The
pfsync(4) packet format has been extended to improve support
for queuing, scrubbing and route-to rules. This format is
incompatible with older releases. The old format can be selected
using ifconfig pfsync0 version 1301
. This is
especially important if members of a pfsync cluster are not
upgraded simultaneously.
WiFi 6 support has been added to wpa (wpa_supplicant(8) and hostapd(8)). c1d255d3ffdb 3968b47cd974 bd452dcbede6
Internet Networking
The 6to4
interface for IPv6 over IPv4,
if_stf(4), now supports IPv6 Rapid Deployment (6rd) (RFC5969).
19dc64451179
(Sponsored by Rubicon Communications, LLC ("Netgate"))
The
rtsol(8) and
rtsold(8) programs now have a -i
option to disable
the random delay of up to a second that is used by default. The
default options for these programs in
rc.conf(5) include -i
. 231bac4ccc43
e29711da2352
(Sponsored by https://www.patreon.com/cperciva)
The handling of IPv6 nodeinfo
(RFC 4620) has been
disabled by default. b73183d1a243
(Sponsored by The FreeBSD Foundation)
The
sysctl(8) option net.inet.tcp.nolocaltimewait
is
now enabled by default. This prevents creation of timewait entries
for TCP connections that were terminated locally. 92b3e07229ba
The default congestion control mechanism for TCP is now CUBIC. For long duration data transfers, CUBIC allocates a slightly higher fraction of the available bandwidth, when competing against NewReno. bb1d472d79f7 (Sponsored by NetApp, Inc.)
IPv4 was changed not to broadcast the lowest address on a subnet (host 0) unless it is configured as the broadcast address. This allows the lowest address on a subnet to be used for a host. fd0765933c3c
Hardware Support
This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not fit in other sections of this document.
Please see the list of hardware supported by 14.0-RELEASE, as well as the platforms page for the complete list of supported CPU architectures.
Hardware Architecture Support
The project no longer provides armv6 artifacts with 14.0-RELEASE.
Support for the MIPS architecture, and related hardware, has been removed. MIPS will remain supported on the 13-STABLE branch for the duration of its lifetime.
Support for the software floating point variant of the RISC-V architecture, riscv64sf, has been retired. All available hardware is supported by the regular riscv64 architecture.
Virtualization Support
Documentation
This section covers changes to manual (man(1)) pages and other documentation shipped with the base system.
Man Pages
Many tweaks and clean-ups have been made to improve the accuracy of the hier(7) page.
Many of the pages in section 9, kernel documentation, have been reviewed and updated for accuracy.
The introduction to the kernel documentation manual pages, intro(9), has been completely rewritten. 84f9f2c5cf78 (Sponsored by The FreeBSD Foundation)
The mi_switch(9) page has been rewritten and improved. 175db7b58270 (Sponsored by The FreeBSD Foundation)
A new kern_yield(9) page has been added. 30cd6fd75d46 (Sponsored by The FreeBSD Foundation)
Some obsolete section 9 pages have been removed. d1c7405ef68a 52f9a2823c64 b54391a1f831 (Sponsored by The FreeBSD Foundation)
Ports Collection and Package Infrastructure
This section covers changes to the FreeBSD Ports Collection, package infrastructure, and package maintenance and installation tools.
Packaging Changes
General Notes Regarding Future FreeBSD Releases
FreeBSD 15.0 is not expected to include support for 32-bit platforms other than armv7. The armv6, i386, and powerpc platforms are deprecated and will be removed. 64-bit systems will still be able to run older 32-bit binaries.
We expect to support armv7 as a Tier 2 architecture in FreeBSD 15.0 and stable/15. However, we also anticipate that armv7 may be removed in FreeBSD 16.0. We will provide an update on the status of armv7 for both 15.x and 16.x at the time of 15.0 release.
Support for executing 32-bit binaries on 64-bit platforms via
the COMPAT_FREEBSD32
option will continue for at least
the stable/15 and stable/16 branches. Support for compiling
individual 32-bit applications via cc -m32
will also
continue for at least the stable/15 branch, which includes suitable
headers in /usr/include and libraries
in /usr/lib32.
Ports will not include support for deprecated 32-bit platforms for FreeBSD 15.0 and later releases. These future releases will not include binary packages or support for building packages from ports for deprecated 32-bit platforms.
The FreeBSD stable/14 and earlier branches will retain existing 32-bit kernel and world support. Ports will retain existing support for building ports and packages for 32-bit systems on stable/14 and earlier branches as long as those branches are supported by the ports system. However, all 32-bit platforms are Tier-2 or Tier-3, and support for individual ports should be expected to degrade as upstreams deprecate 32-bit platforms.
With the current support schedule, stable/14 will reach end of life (EOL) 5 years after the release of FreeBSD 14.0-RELEASE. The EOL of stable/14 will mark the end of support for deprecated 32-bit platforms, including source releases, pre-built packages, and support for building applications from ports. With the release of 14.0-RELEASE in November 2023, support for deprecated 32-bit platforms will end in November 2028.
The project may choose to alter this approach when FreeBSD 15.0 is released by extending some level of support for one or more of the deprecated platforms in 15.0 or later. Any alterations will be driven by community feedback and committed efforts to support these platforms. Use FreeBSD 14.0-RELEASE and following releases, or the stable/14 branch, to migrate off 32-bit platforms.
Last modified on: November 30, 2023 by Benedict Reuschling