1Release notes for FreeBSD 13.0.
2
3This file describes new user-visible features, changes and updates relevant to
4users of binary FreeBSD releases.  Each entry should describe the change in no
5more than several sentences and should reference manual pages where an
6interested user can find more information.  Entries should wrap after 80
7columns.  Each entry should begin with one or more commit IDs on one line,
8specified as a comma separated list and/or range, followed by a colon and a
9newline.  Entries should be separated by a newline.
10
11Changes to this file should not be MFCed.
12
132c76eebca71b, 59f6f5e23c1a:
14	Add two daemons rpc.tlsclntd(8) and rpc.tlsservd(8) that provide
15	support for NFS-over-TLS as described in the Internet Draft titled
16	"Towards Remote Procedure Call Encryption By Default".
17	These daemons are only built when WITH_OPENSSL_KTLS is specified
18	and are only tested on amd64 at this time.
19	They use KTLS to encrypt/decrypt all NFS RPC message traffic, plus
20	optional verification of machine identity via X.509 certificates.
21
22f76393a6305b6:
23	Add AES-GCM support to armv8crypto(4) providing accelerated
24	support for KTLS, IPsec, and other crypto API consumers.
25
26074a91f746bd:
27	The aesni(4) and armv8crypto(4) devices are now included in
28	GENERIC on amd64, i386, and arm64.
29
302e1c94aa1fd5:
31	Add support for enforcing W^X mapping policy for user
32	processes.  The policy is not enforced by default but can be
33	enabled by setting the kern.elf32.allow_wx and
34	kern.elf64.allow_wx sysctls to 0.  Individual binaries can be
35	exempted from the policy by elfctl(1) via the wxneeded
36	feature.
37
384979620ece98:
39	Add AES-XTS support to armv8crypto(4) providing accelerated
40	software support for the default GELI cipher on arm64 systems.
41
42022ca2fc7fe0:
43	Add aio_writev(2) and aio_readv(2), vectored analogues of aio_write(2)
44	and aio_read(2).
45
4692bbfe1f0d1f:
47	The fusefs(5) protocol has been updated to 7.28.  Support for
48	FUSE_COPY_FILE_RANGE and FUSE_LSEEK is added.
49
50r368667:
51	GDB 6.1.1 was removed.  Users of crashinfo(8) should install the
52	gdb package or devel/gdb port.
53
54r368559:
55	The hme(4) driver was removed.
56
57r367660:
58	Fixes the case where gssd will not startup because /usr is a separate
59	local file system that is not yet mounted.  It does not fix the case
60	where /usr is a separately mounted remote file system (such as NFS).
61	This latter case can be fixed by adding mountcritremote to the
62	REQUIRED line.  Unfortunately doing so implies that all Kerberized
63	NFS mounts in /etc/fstab will need the "late" mount option.
64	This was not done, since the requirement for "late" would introduce
65	a POLA violation.
66
67r367423:
68	This commit added a new startup scripts variable called
69	nfsv4_server_only which uses the -R option on mountd added by r367026.
70	When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server
71	only handles NFSv4 and does not register with rpcbind.  As such, rpcbind
72	does not need to be running.  Useful for sites which consider rpcbind a
73	security issue.
74
75r366267:
76        Kernel option ACPI_DMAR was renamed to IOMMU.  amd64's IOMMU subsystem
77        was split out from amd64 DMAR support and is now generic, i.e., it can
78        be used by all architectures.
79
80r364896:
81	A series of commits ending with r364896 added NFS over TLS
82	to the kernel.  This is believed to be compatible with
83	the Internet Draft titled "Towards Remote Procedure Call Encryption
84	By Default" (expected to soon become an RFC).
85	The mount_nfs(8) and exports(5) man pages describe the mount and
86	export option(s) related to NFS over TLS.
87	For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8)
88	{ server } must be running on a kernel built with "options KERN_TLS"
89	on an architecture where PMAP_HAS_DMAP != 0.
90
91r364725:
92	Changes to one obscure devd event generated on resume need to
93	be documented. The old form will still be generated in 13, but not
94	in 14.
95
96r363679:
97	Applications using regex(3), e.g. sed/grep, will no longer accept
98	redundant escapes for most ordinary characters.
99
100r363253:
101	SCTP support has been removed from GENERIC kernel configurations.
102	The SCTP stack is now built as sctp.ko and can be dynamically loaded.
103
104r363233:
105	Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details.
106
107r363180:
108	The safexcel(4) crypto offload driver has been added.
109
110r363084:
111	nc(1) now implements SCTP mode, enabled by specifying the --sctp option.
112
113r362681:
114	A new implementation of bc and dc has been imported. It offers
115	better standards compliance, performance, localization and comes
116	with extensive test cases that are optionally installed.
117	Use WITHOUT_GH_BC=yes to build and install the world with the
118	previous version instead of the new one, if required.
119
120r362158, r362163:
121	struct export_args has changed so that the "user" specified for
122	the -maproot and -mapall exports(5) options may be in more than
123	16 groups.
124
125r361884:
126	sed(1) has learned about hex escapes (e.g. \x27) and will now do the
127	right thing with them, removing the need for printf magic or obnoxious
128	escaping in many scenarios.
129
130r361238, r361798, r361799:
131	ZFS will now unconditionally reject read(2) of a directory with EISDIR.
132	Additionally, read(2) of a directory is now rejected with EISDIR by
133	default and may be re-enabled for non-ZFS filesystems that allow it with
134	the sysctl(8) MIB 'security.bsd.allow_read_dir'.
135
136	Aliases for grep to default to '-d skip' may be desired if commonly
137	non-recursively grepping a list that includes directories and the
138	possibility of EISDIR errors in stderr is not tolerable.  Example
139	aliases, commented out, have been installed in /root/.cshrc and
140	/root/.shrc.
141
142r361066:
143	Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5).
144	exec.prepare runs before mounts, so can be used to populate new jails.
145	exec.release runs after unmounts, so can be used to remove ephemeral
146	jails.
147
148r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936:
149	Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5,
150	MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from
151	the kernel open cryptographic framework (OCF).
152
153r360562:
154	Remove support for ARC4, Blowfish, Cast, DES, Triple DES,
155	MD5-HMAC, and Skipjack algorithms from /dev/crypto.
156
157r360557:
158	Remove support for DES, Triple DES, Blowfish, Cast, and
159	Camellia ciphers from IPsec(4).  Remove support for MD5-HMAC,
160	Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4).
161
162r359945:
163	Remove support for Triple DES, Blowfish, and MD5 HMAC from
164	geli(4).
165
166r359786-r359787:
167	Remove support for DES, Triple DES, and RC4 from in-kernel GSS
168	authentication.
169
170r357627:
171	remove elf2aout.
172
173r357560-r357565:
174	init(8), service(8), and cron(8) will now adopt user/class environment
175	variables (excluding PATH, by default, which will be overwritten) by
176	default.  Notably, environment variables for all cron jobs and rc
177	services can now be set via login.conf(5).
178
179r357455:
180	sparc64 has been removed from FreeBSD.
181
182r355677:
183	Adds support for NFSv4.2 (RFC-7862) and Extended Attributes
184	(RFC-8276) to the NFS client and server.
185	NFSv4.2 is comprised of several optional features that can be supported
186	in addition to NFSv4.1. This patch adds the following optional features:
187	- posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED)
188	- posix_fallocate()
189	- intra server file range copying via the copy_file_range(2) syscall
190	--> Avoiding data tranfer over the wire to/from the NFS client.
191	- lseek(SEEK_DATA/SEEK_HOLE)
192	- Extended attribute syscalls for "user" namespace attributes as defined
193	  by RFC-8276.
194	
195	For the client, NFSv4.2 is only used if the mount command line option
196	minorversion=2 is specified.
197	For the server, two new sysctls called vfs.nfsd.server_min_minorversion4
198 	and vfs.nfsd.server_max_minorversion4 have been added that allow
199	sysadmins to limit the minor versions of NFSv4 supported by the nfsd
200	server.
201	Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2
202	on the server.
203
204r356263:
205	armv5 support has been removed from FreeBSD.
206
207r354517:
208	iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices.
209
210r354269:
211	sqlite3 is updated to sqlite3-3.30.1.
212
213r352668:
214	cron(8) now supports the -n (suppress mail on succesful run) and -q
215	(suppress logging of command execution) options in the crontab format.
216	See the crontab(5) manpage for details.
217
218r352304:
219	ntpd is no longer by default locked in memory. rlimit memlock 32
220	or rlimit memlock 0 can be used to restore this behaviour.
221
222r351863:
223	rc.subr(8) now honors ${name}_env in all rc(8) scripts.  Previously,
224	environment variables set by a user via ${name}_env were ignored
225	if the service defined a custom *_cmd variable to control the behavior
226	of the run_rc_command function, e.g., start_cmd, instead of relying on
227	the variables like command and command_args,
228
229r351770,r352920,r352922,r352923:
230	dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync,
231	and iflag=fullblock flags, compatible with illumos and GNU.
232
233r351522:
234	Add kernel-side support for in-kernel Transport Layer Security
235	(KTLS).  KTLS permits using sendfile(2) over sockets using
236	TLS.
237
238r351397:
239	WPA is updated from 2.8 to 2.9.
240
241r351361:
242	Add probes for lockmgr(9) to the lockstat DTrace provider, add
243	corresponding lockstat(1) events, and document the new probes in
244	dtrace_lockstat.4.
245
246r351356:
247	Intel RST is a new 'feature' that remaps NVMe devices from
248	their normal location to part of the AHCI bar space.  This
249	will eliminate the need to set the BIOS SATA setting from RST
250	to AHCI causing the nvme drive to be erased before FreeBSD
251	will see the nvme drive. FreeBSD will now be able to see the
252	nvme drive now in the default config.
253
254r351201, r351372:
255	Add a vop_stdioctl() call, so that file systems that do not support
256	holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE).
257	The algorithm appears to be compatible with the POSIX draft and
258	the implementation in Linux for the case of a file system that
259	does not support holes.  Prior to this patch, lseek(2) would reply
260	-1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in
261	file systems that do not support holes.
262	r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for
263	any other cases, such as a ENOTTY return from vn_bmap_seekhole().
264
265r350665:
266	The fuse driver has been renamed to fusefs(5) and been substantially
267	rewritten.  The new driver includes many bug fixes and performance
268	enhancements, as well as the following user-visible features:
269	* Optional kernel-side permissions checks (-o default_permissions)
270	* mknod(2), socket(2), and pipe(2) support
271	* server side locking with fcntl(2)
272	* FUSE operations are now interruptible when mounted with -o intr
273	* server side handling of UTIME_NOW during utimensat(2)
274	* mount options may be updated with "mount -u"
275	* fusefs file system may now be exported over NFS
276	* RLIMIT_FSIZE support
277	* support for fuse file systems using protocols as old as 7.4
278	
279	FUSE file system developers should also take note of the following new
280	features:
281	* The protocol level has been raised from 7.8 to 7.23
282	* kqueue support on /dev/fuse
283	* server-initiated cache invalidation via FUSE_NOTIFY_REPLY
284
285r350471:
286	gnop(8) can now configure a delay to be applied to read and write
287	request delays.  See the -d, -q and -x parameters.
288
289r350315, r350316:
290	Adds a Linux compatible copy_file_range(2) syscall.
291
292r350307:
293	libcap_random(3) has been removed.  Applications can use native
294	APIs to get random data in capability mode.
295
296r349529,r349530:
297	Add support for using unmapped mbufs with sendfile(2).
298
299r349352:
300	nand(4) and related components have been removed.
301
302r349349:
303	The UEFI loader now supports HTTP boot.
304
305r349335:
306	bhyve(8) now implements a High Definition Audio (HDA) driver, allowing
307	guests to play to and record audio data from the host.
308
309r349286:
310	swapon(8) can now erase a swap device immediately before enabling it,
311	similar to newfs(8)'s -E option.  This behaviour can be specified by
312	adding -E to swapon(8)'s command-line parameters, or by adding the
313	"trimonce" option to a swap device's /etc/fstab entry.
314
315r347908-r347923:
316	The following network drivers have been removed: bm(4), cs(4), de(4),
317	ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4),
318	vx(4), wb(4), xe(4).
319
320r347532:
321	Wired page accounting has been split into kernel wirings and user
322	wirings (e.g., by mlock(2)).  Kernel wirings no long count towards
323	the global limit, which is renamed to vm.max_user_wired.  bhyve -S
324	allocates user-wired memory and is now subject to that limit.
325
326$FreeBSD$
327