OpenBSD 7.4 has already been released and these are its new features

OpenBSD 7.4


OpenBSD 7.4 has been released. It is the fourth installment of the 7.x development branch, and it brings substantial improvements in hardware support as well as in security, ports and more.

For those unfamiliar with OpenBSD: it is a free and open source, security-focused Unix-like operating system belonging to the BSD family. It is known for components that have spread to many other systems and have proven to be among the most secure and highest-quality solutions available.

Major New Features in OpenBSD 7.4

Among the highlights of this release are improvements in support for new hardware, with new drivers included. The installer has better support for software RAID, including the ability to place the root partition on softraid on riscv64 and arm64 systems, and on arm64 it now also offers Guided Disk Encryption.

Also notable are initial support for TSO and LRO (segmentation and packet aggregation handled on the NIC side), faster loading of pf packet filtering rules into the kernel through the pfctl utility, and processing of the "keep state" and "nat-to" actions for error messages returned via ICMP.

On AMD64 and i386, components were added to update the microcode of AMD processors. New microcode versions are installed automatically once downloaded: the port "ports/sysutils/firmware/amd" was prepared to distribute the microcode binaries, and installation uses the standard fw_update utility. Also on AMD64 and i386, support for the dt pseudo device was implemented for dynamic monitoring of the system and applications, and the utrace system call was added to insert user records into the ktrace log.

On the kernel and user-space side, the drm framework in OpenBSD 7.4 is synchronized with Linux kernel 6.1.55, with improved performance on systems with Intel processors based on the Alder Lake and Raptor Lake microarchitectures. The IBT and BTI protection mechanisms are enabled to block control-flow violations caused by exploits that modify function pointers stored in memory (the protection does not allow malicious code to jump into the middle of a function).

Improvements have been made to the VMM hypervisor. vmd now implements a multithreaded model for network and block virtio devices, and the block virtio device gained support for vectored input/output in zero-copy mode. Guest systems' access to the p-state modes of AMD processors is limited. Virtual machine owners can override the boot kernel using vmctl.

On arm64 systems, pointer authentication is enabled to protect user space. The technology uses specialized ARM64 instructions to verify return addresses against signatures stored in the upper, unused bits of the pointer.

In addition, the settings of the clang system compiler, as well as the clang and gcc ports, have been changed to apply the protection mechanisms above, which significantly strengthens the protection of all base applications and most port applications against exploits that use return-oriented programming methods.

A new system call, kqueue1, has also been added; it differs from kqueue in that it accepts flags. Currently, kqueue1 supports only the O_CLOEXEC flag, which causes the file descriptor to be closed automatically in a child process after it calls exec().

Other notable changes:

  • The wsconsctl utility can now assign button actions to two- and three-finger presses on a touchpad.
  • Added initial support for route-based IPsec VPNs.
  • The performance of rpki-client has been increased by 30-50%.
  • Added support for gzip and deflate compression.
  • Improved installation on systems with armv7 and arm64 processors.
  • Added support for loading files from the EFI system partition.
  • malloc now checks every block on the delayed-free list in order to detect writes to already freed memory.
  • The shutdown command now requires the user to be a member of the "_shutdown" group, which separates the permission to shut down from direct read access to disk devices.
  • Using the unveil system call, the patch utility is restricted to accessing only the current directory, the directory containing temporary files, and the files listed on the command line.
  • When an IPv6 address is configured on a network interface, an advertisement is sent to neighboring routers using a multicast address.
  • Fixes have been ported from FreeBSD to address undefined behavior when using MS-DOS file systems.
  • The softdep mount option, used for deferred writeback of metadata, has been disabled.
  • Programs protected with the unveil system call can now save core dumps to the current working directory.
  • The ARM64 architecture uses the deep idle states available on Apple M1/M2 chips to save power and implement standby mode.
  • Added an alternative mitigation for the Zenbleed vulnerability on AMD processors.
  • IP, TCP, and UDP checksum calculations are disabled for loopback interfaces.

Finally, if you are interested in learning more, you can consult the details in the following link.
