1Release notes for FreeBSD 13.0. 2 3This file describes new user-visible features, changes and updates relevant to 4users of binary FreeBSD releases. Each entry should describe the change in no 5more than several sentences and should reference manual pages where an 6interested user can find more information. Entries should wrap after 80 7columns. Each entry should begin with one or more commit IDs on one line, 8specified as a comma separated list and/or range, followed by a colon and a 9newline. Entries should be separated by a newline. 10 11Changes to this file should not be MFCed. 12 132c76eebca71b, 59f6f5e23c1a: 14 Add two daemons rpc.tlsclntd(8) and rpc.tlsservd(8) that provide 15 support for NFS-over-TLS as described in the Internet Draft titled 16 "Towards Remote Procedure Call Encryption By Default". 17 These daemons are only built when WITH_OPENSSL_KTLS is specified 18 and are only tested on amd64 at this time. 19 They use KTLS to encrypt/decrypt all NFS RPC message traffic, plus 20 optional verification of machine identity via X.509 certificates. 21 22f76393a6305b6: 23 Add AES-GCM support to armv8crypto(4) providing accelerated 24 support for KTLS, IPsec, and other crypto API consumers. 25 26074a91f746bd: 27 The aesni(4) and armv8crypto(4) devices are now included in 28 GENERIC on amd64, i386, and arm64. 29 302e1c94aa1fd5: 31 Add support for enforcing W^X mapping policy for user 32 processes. The policy is not enforced by default but can be 33 enabled by setting the kern.elf32.allow_wx and 34 kern.elf64.allow_wx sysctls to 0. Individual binaries can be 35 exempted from the policy by elfctl(1) via the wxneeded 36 feature. 37 384979620ece98: 39 Add AES-XTS support to armv8crypto(4) providing accelerated 40 software support for the default GELI cipher on arm64 systems. 41 42022ca2fc7fe0: 43 Add aio_writev(2) and aio_readv(2), vectored analogues of aio_write(2) 44 and aio_read(2). 45 4692bbfe1f0d1f: 47 The fusefs(5) protocol has been updated to 7.28. Support for 48 FUSE_COPY_FILE_RANGE and FUSE_LSEEK is added. 49 50r368667: 51 GDB 6.1.1 was removed. Users of crashinfo(8) should install the 52 gdb package or devel/gdb port. 53 54r368559: 55 The hme(4) driver was removed. 56 57r367660: 58 Fixes the case where gssd will not startup because /usr is a separate 59 local file system that is not yet mounted. It does not fix the case 60 where /usr is a separately mounted remote file system (such as NFS). 61 This latter case can be fixed by adding mountcritremote to the 62 REQUIRED line. Unfortunately doing so implies that all Kerberized 63 NFS mounts in /etc/fstab will need the "late" mount option. 64 This was not done, since the requirement for "late" would introduce 65 a POLA violation. 66 67r367423: 68 This commit added a new startup scripts variable called 69 nfsv4_server_only which uses the -R option on mountd added by r367026. 70 When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server 71 only handles NFSv4 and does not register with rpcbind. As such, rpcbind 72 does not need to be running. Useful for sites which consider rpcbind a 73 security issue. 74 75r366267: 76 Kernel option ACPI_DMAR was renamed to IOMMU. amd64's IOMMU subsystem 77 was split out from amd64 DMAR support and is now generic, i.e., it can 78 be used by all architectures. 79 80r364896: 81 A series of commits ending with r364896 added NFS over TLS 82 to the kernel. This is believed to be compatible with 83 the Internet Draft titled "Towards Remote Procedure Call Encryption 84 By Default" (expected to soon become an RFC). 85 The mount_nfs(8) and exports(5) man pages describe the mount and 86 export option(s) related to NFS over TLS. 87 For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8) 88 { server } must be running on a kernel built with "options KERN_TLS" 89 on an architecture where PMAP_HAS_DMAP != 0. 90 91r364725: 92 Changes to one obscure devd event generated on resume need to 93 be documented. The old form will still be generated in 13, but not 94 in 14. 95 96r363679: 97 Applications using regex(3), e.g. sed/grep, will no longer accept 98 redundant escapes for most ordinary characters. 99 100r363253: 101 SCTP support has been removed from GENERIC kernel configurations. 102 The SCTP stack is now built as sctp.ko and can be dynamically loaded. 103 104r363233: 105 Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details. 106 107r363180: 108 The safexcel(4) crypto offload driver has been added. 109 110r363084: 111 nc(1) now implements SCTP mode, enabled by specifying the --sctp option. 112 113r362681: 114 A new implementation of bc and dc has been imported. It offers 115 better standards compliance, performance, localization and comes 116 with extensive test cases that are optionally installed. 117 Use WITHOUT_GH_BC=yes to build and install the world with the 118 previous version instead of the new one, if required. 119 120r362158, r362163: 121 struct export_args has changed so that the "user" specified for 122 the -maproot and -mapall exports(5) options may be in more than 123 16 groups. 124 125r361884: 126 sed(1) has learned about hex escapes (e.g. \x27) and will now do the 127 right thing with them, removing the need for printf magic or obnoxious 128 escaping in many scenarios. 129 130r361238, r361798, r361799: 131 ZFS will now unconditionally reject read(2) of a directory with EISDIR. 132 Additionally, read(2) of a directory is now rejected with EISDIR by 133 default and may be re-enabled for non-ZFS filesystems that allow it with 134 the sysctl(8) MIB 'security.bsd.allow_read_dir'. 135 136 Aliases for grep to default to '-d skip' may be desired if commonly 137 non-recursively grepping a list that includes directories and the 138 possibility of EISDIR errors in stderr is not tolerable. Example 139 aliases, commented out, have been installed in /root/.cshrc and 140 /root/.shrc. 141 142r361066: 143 Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5). 144 exec.prepare runs before mounts, so can be used to populate new jails. 145 exec.release runs after unmounts, so can be used to remove ephemeral 146 jails. 147 148r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936: 149 Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5, 150 MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from 151 the kernel open cryptographic framework (OCF). 152 153r360562: 154 Remove support for ARC4, Blowfish, Cast, DES, Triple DES, 155 MD5-HMAC, and Skipjack algorithms from /dev/crypto. 156 157r360557: 158 Remove support for DES, Triple DES, Blowfish, Cast, and 159 Camellia ciphers from IPsec(4). Remove support for MD5-HMAC, 160 Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4). 161 162r359945: 163 Remove support for Triple DES, Blowfish, and MD5 HMAC from 164 geli(4). 165 166r359786-r359787: 167 Remove support for DES, Triple DES, and RC4 from in-kernel GSS 168 authentication. 169 170r357627: 171 remove elf2aout. 172 173r357560-r357565: 174 init(8), service(8), and cron(8) will now adopt user/class environment 175 variables (excluding PATH, by default, which will be overwritten) by 176 default. Notably, environment variables for all cron jobs and rc 177 services can now be set via login.conf(5). 178 179r357455: 180 sparc64 has been removed from FreeBSD. 181 182r355677: 183 Adds support for NFSv4.2 (RFC-7862) and Extended Attributes 184 (RFC-8276) to the NFS client and server. 185 NFSv4.2 is comprised of several optional features that can be supported 186 in addition to NFSv4.1. This patch adds the following optional features: 187 - posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED) 188 - posix_fallocate() 189 - intra server file range copying via the copy_file_range(2) syscall 190 --> Avoiding data tranfer over the wire to/from the NFS client. 191 - lseek(SEEK_DATA/SEEK_HOLE) 192 - Extended attribute syscalls for "user" namespace attributes as defined 193 by RFC-8276. 194 195 For the client, NFSv4.2 is only used if the mount command line option 196 minorversion=2 is specified. 197 For the server, two new sysctls called vfs.nfsd.server_min_minorversion4 198 and vfs.nfsd.server_max_minorversion4 have been added that allow 199 sysadmins to limit the minor versions of NFSv4 supported by the nfsd 200 server. 201 Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2 202 on the server. 203 204r356263: 205 armv5 support has been removed from FreeBSD. 206 207r354517: 208 iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices. 209 210r354269: 211 sqlite3 is updated to sqlite3-3.30.1. 212 213r352668: 214 cron(8) now supports the -n (suppress mail on succesful run) and -q 215 (suppress logging of command execution) options in the crontab format. 216 See the crontab(5) manpage for details. 217 218r352304: 219 ntpd is no longer by default locked in memory. rlimit memlock 32 220 or rlimit memlock 0 can be used to restore this behaviour. 221 222r351863: 223 rc.subr(8) now honors ${name}_env in all rc(8) scripts. Previously, 224 environment variables set by a user via ${name}_env were ignored 225 if the service defined a custom *_cmd variable to control the behavior 226 of the run_rc_command function, e.g., start_cmd, instead of relying on 227 the variables like command and command_args, 228 229r351770,r352920,r352922,r352923: 230 dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync, 231 and iflag=fullblock flags, compatible with illumos and GNU. 232 233r351522: 234 Add kernel-side support for in-kernel Transport Layer Security 235 (KTLS). KTLS permits using sendfile(2) over sockets using 236 TLS. 237 238r351397: 239 WPA is updated from 2.8 to 2.9. 240 241r351361: 242 Add probes for lockmgr(9) to the lockstat DTrace provider, add 243 corresponding lockstat(1) events, and document the new probes in 244 dtrace_lockstat.4. 245 246r351356: 247 Intel RST is a new 'feature' that remaps NVMe devices from 248 their normal location to part of the AHCI bar space. This 249 will eliminate the need to set the BIOS SATA setting from RST 250 to AHCI causing the nvme drive to be erased before FreeBSD 251 will see the nvme drive. FreeBSD will now be able to see the 252 nvme drive now in the default config. 253 254r351201, r351372: 255 Add a vop_stdioctl() call, so that file systems that do not support 256 holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE). 257 The algorithm appears to be compatible with the POSIX draft and 258 the implementation in Linux for the case of a file system that 259 does not support holes. Prior to this patch, lseek(2) would reply 260 -1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in 261 file systems that do not support holes. 262 r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for 263 any other cases, such as a ENOTTY return from vn_bmap_seekhole(). 264 265r350665: 266 The fuse driver has been renamed to fusefs(5) and been substantially 267 rewritten. The new driver includes many bug fixes and performance 268 enhancements, as well as the following user-visible features: 269 * Optional kernel-side permissions checks (-o default_permissions) 270 * mknod(2), socket(2), and pipe(2) support 271 * server side locking with fcntl(2) 272 * FUSE operations are now interruptible when mounted with -o intr 273 * server side handling of UTIME_NOW during utimensat(2) 274 * mount options may be updated with "mount -u" 275 * fusefs file system may now be exported over NFS 276 * RLIMIT_FSIZE support 277 * support for fuse file systems using protocols as old as 7.4 278 279 FUSE file system developers should also take note of the following new 280 features: 281 * The protocol level has been raised from 7.8 to 7.23 282 * kqueue support on /dev/fuse 283 * server-initiated cache invalidation via FUSE_NOTIFY_REPLY 284 285r350471: 286 gnop(8) can now configure a delay to be applied to read and write 287 request delays. See the -d, -q and -x parameters. 288 289r350315, r350316: 290 Adds a Linux compatible copy_file_range(2) syscall. 291 292r350307: 293 libcap_random(3) has been removed. Applications can use native 294 APIs to get random data in capability mode. 295 296r349529,r349530: 297 Add support for using unmapped mbufs with sendfile(2). 298 299r349352: 300 nand(4) and related components have been removed. 301 302r349349: 303 The UEFI loader now supports HTTP boot. 304 305r349335: 306 bhyve(8) now implements a High Definition Audio (HDA) driver, allowing 307 guests to play to and record audio data from the host. 308 309r349286: 310 swapon(8) can now erase a swap device immediately before enabling it, 311 similar to newfs(8)'s -E option. This behaviour can be specified by 312 adding -E to swapon(8)'s command-line parameters, or by adding the 313 "trimonce" option to a swap device's /etc/fstab entry. 314 315r347908-r347923: 316 The following network drivers have been removed: bm(4), cs(4), de(4), 317 ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4), 318 vx(4), wb(4), xe(4). 319 320r347532: 321 Wired page accounting has been split into kernel wirings and user 322 wirings (e.g., by mlock(2)). Kernel wirings no long count towards 323 the global limit, which is renamed to vm.max_user_wired. bhyve -S 324 allocates user-wired memory and is now subject to that limit. 325 326$FreeBSD$ 327