1Release notes for FreeBSD 13.0. 2 3This file describes new user-visible features, changes and updates relevant to 4users of binary FreeBSD releases. Each entry should describe the change in no 5more than several sentences and should reference manual pages where an 6interested user can find more information. Entries should wrap after 80 7columns. Each entry should begin with one or more commit IDs on one line, 8specified as a comma separated list and/or range, followed by a colon and a 9newline. Entries should be separated by a newline. 10 11Changes to this file should not be MFCed. 12 13b7a2cf0d9102 - eae02d959363: 14 Upgrade bhyve's emulation to version 1.4 of the NVMe specification 15 160a6760a1de32, 3f3676a71266, 580c04df4db6: 17 Add WiFi 6 support. 18 19various: 20 Add support for the HiFive Unmatched RISC-V board. 21 229fb6e613373c: 23 Add a sysctl called vfs.nfsd.srvmaxio that can be used to 24 increase the NFS server's maximum I/O size from 128Kbytes 25 to any power of 2 up to 1Mbyte. It can only be set when 26 the nfsd threads are not running and will normally require 27 an increase in kern.ipc.maxsockbuf to at least the value 28 recommended by the console log message generated when 29 setting vfs.nfsd.srvmaxio is first attempted. 30 319ec7dbf46b0a: 32 Add a new NFSv4.1/4.2 mount option "nconnect" that can 33 be used to specify the number of TCP connections that 34 will be used for the mount, up to a maximum of 16. 35 The first (default) TCP connection will be used for 36 all RPCs that consist of small RPC messages. 37 The RPCs that can consist of large RPC messages 38 (Read/Readdir/ReaddirPlus/Write) will be sent on the 39 additional TCP connections in a round robin fashion. 40 If either the NFS client or NFS server have multiple 41 network interfaces aggregated together or a network 42 interface that uses multiple queues, this can increase 43 NFS performance for the mount. 44 45various: 46 One True Awk has been updated to the latest from upstream 47 (20210215). All the FreeBSD patches, but one, have now been 48 either up streamed or discarded. Notable changes include: 49 o Locale is no longer used for ranges 50 o Various bugs fixed 51 o Better compatibility with gawk and mawk 52 53 The one FreeBSD change, likely to be removed in FreeBSD 14, is that 54 we still allow hex numbers, prefixed with 0x, to be parsed and 55 interpreted as hex numbers while all other awks (including one 56 true awk now) interpret them as 0 in line with awk's historic 57 behavior. 58 598a04edfdcbd2: 60 Change the default minor version used for an NFSv4 mount 61 to the highest minor version supported by the NFSv4 server. 62 This default can be overridden by using the "minorversion" 63 mount option. 64 652c76eebca71b, 59f6f5e23c1a: 66 Add two daemons rpc.tlsclntd(8) and rpc.tlsservd(8) that provide 67 support for NFS-over-TLS as described in the Internet Draft titled 68 "Towards Remote Procedure Call Encryption By Default". 69 These daemons are only built when WITH_OPENSSL_KTLS is specified 70 and are only tested on amd64 at this time. 71 They use KTLS to encrypt/decrypt all NFS RPC message traffic, plus 72 optional verification of machine identity via X.509 certificates. 73 74f76393a6305b6: 75 Add AES-GCM support to armv8crypto(4) providing accelerated 76 support for KTLS, IPsec, and other crypto API consumers. 77 78074a91f746bd: 79 The aesni(4) and armv8crypto(4) devices are now included in 80 GENERIC on amd64, i386, and arm64. 81 822e1c94aa1fd5: 83 Add support for enforcing W^X mapping policy for user 84 processes. The policy is not enforced by default but can be 85 enabled by setting the kern.elf32.allow_wx and 86 kern.elf64.allow_wx sysctls to 0. Individual binaries can be 87 exempted from the policy by elfctl(1) via the wxneeded 88 feature. 89 904979620ece98: 91 Add AES-XTS support to armv8crypto(4) providing accelerated 92 software support for the default GELI cipher on arm64 systems. 93 94022ca2fc7fe0: 95 Add aio_writev(2) and aio_readv(2), vectored analogues of aio_write(2) 96 and aio_read(2). 97 9892bbfe1f0d1f: 99 The fusefs(5) protocol has been updated to 7.28. Support for 100 FUSE_COPY_FILE_RANGE and FUSE_LSEEK is added. 101 102r368667: 103 GDB 6.1.1 was removed. Users of crashinfo(8) should install the 104 gdb package or devel/gdb port. 105 106r368559: 107 The hme(4) driver was removed. 108 109r367660: 110 Fixes the case where gssd will not startup because /usr is a separate 111 local file system that is not yet mounted. It does not fix the case 112 where /usr is a separately mounted remote file system (such as NFS). 113 This latter case can be fixed by adding mountcritremote to the 114 REQUIRED line. Unfortunately doing so implies that all Kerberized 115 NFS mounts in /etc/fstab will need the "late" mount option. 116 This was not done, since the requirement for "late" would introduce 117 a POLA violation. 118 119r367423: 120 This commit added a new startup scripts variable called 121 nfsv4_server_only which uses the -R option on mountd added by r367026. 122 When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server 123 only handles NFSv4 and does not register with rpcbind. As such, rpcbind 124 does not need to be running. Useful for sites which consider rpcbind a 125 security issue. 126 127r366267: 128 Kernel option ACPI_DMAR was renamed to IOMMU. amd64's IOMMU subsystem 129 was split out from amd64 DMAR support and is now generic, i.e., it can 130 be used by all architectures. 131 132r364896: 133 A series of commits ending with r364896 added NFS over TLS 134 to the kernel. This is believed to be compatible with 135 the Internet Draft titled "Towards Remote Procedure Call Encryption 136 By Default" (expected to soon become an RFC). 137 The mount_nfs(8) and exports(5) man pages describe the mount and 138 export option(s) related to NFS over TLS. 139 For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8) 140 { server } must be running on a kernel built with "options KERN_TLS" 141 on an architecture where PMAP_HAS_DMAP != 0. 142 143r364725: 144 Changes to one obscure devd event generated on resume need to 145 be documented. The old form will still be generated in 13, but not 146 in 14. 147 148r363679: 149 Applications using regex(3), e.g. sed/grep, will no longer accept 150 redundant escapes for most ordinary characters. 151 152r363253: 153 SCTP support has been removed from GENERIC kernel configurations. 154 The SCTP stack is now built as sctp.ko and can be dynamically loaded. 155 156r363233: 157 Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details. 158 159r363180: 160 The safexcel(4) crypto offload driver has been added. 161 162r363084: 163 nc(1) now implements SCTP mode, enabled by specifying the --sctp option. 164 165r362681: 166 A new implementation of bc and dc has been imported. It offers 167 better standards compliance, performance, localization and comes 168 with extensive test cases that are optionally installed. 169 Use WITHOUT_GH_BC=yes to build and install the world with the 170 previous version instead of the new one, if required. 171 172r362158, r362163: 173 struct export_args has changed so that the "user" specified for 174 the -maproot and -mapall exports(5) options may be in more than 175 16 groups. 176 177r361884: 178 sed(1) has learned about hex escapes (e.g. \x27) and will now do the 179 right thing with them, removing the need for printf magic or obnoxious 180 escaping in many scenarios. 181 182r361238, r361798, r361799: 183 ZFS will now unconditionally reject read(2) of a directory with EISDIR. 184 Additionally, read(2) of a directory is now rejected with EISDIR by 185 default and may be re-enabled for non-ZFS filesystems that allow it with 186 the sysctl(8) MIB 'security.bsd.allow_read_dir'. 187 188 Aliases for grep to default to '-d skip' may be desired if commonly 189 non-recursively grepping a list that includes directories and the 190 possibility of EISDIR errors in stderr is not tolerable. Example 191 aliases, commented out, have been installed in /root/.cshrc and 192 /root/.shrc. 193 194r361066: 195 Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5). 196 exec.prepare runs before mounts, so can be used to populate new jails. 197 exec.release runs after unmounts, so can be used to remove ephemeral 198 jails. 199 200r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936: 201 Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5, 202 MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from 203 the kernel open cryptographic framework (OCF). 204 205r360562: 206 Remove support for ARC4, Blowfish, Cast, DES, Triple DES, 207 MD5-HMAC, and Skipjack algorithms from /dev/crypto. 208 209r360557: 210 Remove support for DES, Triple DES, Blowfish, Cast, and 211 Camellia ciphers from IPsec(4). Remove support for MD5-HMAC, 212 Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4). 213 214r359945: 215 Remove support for Triple DES, Blowfish, and MD5 HMAC from 216 geli(4). 217 218r359786-r359787: 219 Remove support for DES, Triple DES, and RC4 from in-kernel GSS 220 authentication. 221 222r357627: 223 remove elf2aout. 224 225r357560-r357565: 226 init(8), service(8), and cron(8) will now adopt user/class environment 227 variables (excluding PATH, by default, which will be overwritten) by 228 default. Notably, environment variables for all cron jobs and rc 229 services can now be set via login.conf(5). 230 231r357455: 232 sparc64 has been removed from FreeBSD. 233 234r355677: 235 Adds support for NFSv4.2 (RFC-7862) and Extended Attributes 236 (RFC-8276) to the NFS client and server. 237 NFSv4.2 is comprised of several optional features that can be supported 238 in addition to NFSv4.1. This patch adds the following optional features: 239 - posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED) 240 - posix_fallocate() 241 - intra server file range copying via the copy_file_range(2) syscall 242 --> Avoiding data tranfer over the wire to/from the NFS client. 243 - lseek(SEEK_DATA/SEEK_HOLE) 244 - Extended attribute syscalls for "user" namespace attributes as defined 245 by RFC-8276. 246 247 For the client, NFSv4.2 is only used if the mount command line option 248 minorversion=2 is specified. 249 For the server, two new sysctls called vfs.nfsd.server_min_minorversion4 250 and vfs.nfsd.server_max_minorversion4 have been added that allow 251 sysadmins to limit the minor versions of NFSv4 supported by the nfsd 252 server. 253 Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2 254 on the server. 255 256r356263: 257 armv5 support has been removed from FreeBSD. 258 259r354517: 260 iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices. 261 262r354269: 263 sqlite3 is updated to sqlite3-3.30.1. 264 265r352668: 266 cron(8) now supports the -n (suppress mail on succesful run) and -q 267 (suppress logging of command execution) options in the crontab format. 268 See the crontab(5) manpage for details. 269 270r352304: 271 ntpd is no longer by default locked in memory. rlimit memlock 32 272 or rlimit memlock 0 can be used to restore this behaviour. 273 274r351863: 275 rc.subr(8) now honors ${name}_env in all rc(8) scripts. Previously, 276 environment variables set by a user via ${name}_env were ignored 277 if the service defined a custom *_cmd variable to control the behavior 278 of the run_rc_command function, e.g., start_cmd, instead of relying on 279 the variables like command and command_args, 280 281r351770,r352920,r352922,r352923: 282 dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync, 283 and iflag=fullblock flags, compatible with illumos and GNU. 284 285r351522: 286 Add kernel-side support for in-kernel Transport Layer Security 287 (KTLS). KTLS permits using sendfile(2) over sockets using 288 TLS. 289 290r351397: 291 WPA is updated from 2.8 to 2.9. 292 293r351361: 294 Add probes for lockmgr(9) to the lockstat DTrace provider, add 295 corresponding lockstat(1) events, and document the new probes in 296 dtrace_lockstat.4. 297 298r351356: 299 Intel RST is a new 'feature' that remaps NVMe devices from 300 their normal location to part of the AHCI bar space. This 301 will eliminate the need to set the BIOS SATA setting from RST 302 to AHCI causing the nvme drive to be erased before FreeBSD 303 will see the nvme drive. FreeBSD will now be able to see the 304 nvme drive now in the default config. 305 306r351201, r351372: 307 Add a vop_stdioctl() call, so that file systems that do not support 308 holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE). 309 The algorithm appears to be compatible with the POSIX draft and 310 the implementation in Linux for the case of a file system that 311 does not support holes. Prior to this patch, lseek(2) would reply 312 -1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in 313 file systems that do not support holes. 314 r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for 315 any other cases, such as a ENOTTY return from vn_bmap_seekhole(). 316 317r350665: 318 The fuse driver has been renamed to fusefs(5) and been substantially 319 rewritten. The new driver includes many bug fixes and performance 320 enhancements, as well as the following user-visible features: 321 * Optional kernel-side permissions checks (-o default_permissions) 322 * mknod(2), socket(2), and pipe(2) support 323 * server side locking with fcntl(2) 324 * FUSE operations are now interruptible when mounted with -o intr 325 * server side handling of UTIME_NOW during utimensat(2) 326 * mount options may be updated with "mount -u" 327 * fusefs file system may now be exported over NFS 328 * RLIMIT_FSIZE support 329 * support for fuse file systems using protocols as old as 7.4 330 331 FUSE file system developers should also take note of the following new 332 features: 333 * The protocol level has been raised from 7.8 to 7.23 334 * kqueue support on /dev/fuse 335 * server-initiated cache invalidation via FUSE_NOTIFY_REPLY 336 337r350471: 338 gnop(8) can now configure a delay to be applied to read and write 339 request delays. See the -d, -q and -x parameters. 340 341r350315, r350316: 342 Adds a Linux compatible copy_file_range(2) syscall. 343 344r350307: 345 libcap_random(3) has been removed. Applications can use native 346 APIs to get random data in capability mode. 347 348r349529,r349530: 349 Add support for using unmapped mbufs with sendfile(2). 350 351r349352: 352 nand(4) and related components have been removed. 353 354r349349: 355 The UEFI loader now supports HTTP boot. 356 357r349335: 358 bhyve(8) now implements a High Definition Audio (HDA) driver, allowing 359 guests to play to and record audio data from the host. 360 361r349286: 362 swapon(8) can now erase a swap device immediately before enabling it, 363 similar to newfs(8)'s -E option. This behaviour can be specified by 364 adding -E to swapon(8)'s command-line parameters, or by adding the 365 "trimonce" option to a swap device's /etc/fstab entry. 366 367r347908-r347923: 368 The following network drivers have been removed: bm(4), cs(4), de(4), 369 ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4), 370 vx(4), wb(4), xe(4). 371 372r347532: 373 Wired page accounting has been split into kernel wirings and user 374 wirings (e.g., by mlock(2)). Kernel wirings no long count towards 375 the global limit, which is renamed to vm.max_user_wired. bhyve -S 376 allocates user-wired memory and is now subject to that limit. 377 378$FreeBSD$ 379