=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/73.html,v retrieving revision 1.22 retrieving revision 1.23 diff -c -r1.22 -r1.23 *** www/73.html 2023/04/03 21:51:34 1.22 --- www/73.html 2023/04/03 22:14:15 1.23 *************** *** 83,89 ****

Various kernel improvements:

Added support for the Rockchip RK3568 processor.
Implemented the waitid(2) system call --- 83,88 ---- *************** *** 713,774 ****
Security improvements:
- Add Synthetic Memory Protections. These provide !
  - Immutable memory mappings whose permissions and size cannot be ! changed anymore. A new system call mimmutable(2) enables ! this feature. !
  - Execute-Only permission on memory mappings. This uses hardware ! support where possible and emulation where the hardware does not have ! separate execute only features. !
  - Stack permission on mappings: On every system call the stack ! pointer is checked. It must point to a mapping that has MAP_STACK ! permissions. !
  - Pinning of syscall entry to a unique specific memory regions from ! which system calls can be made. !
  ! The execute-only mappings are active on arm64, risc-v, hppa, ! aarch64, mips64, sparc64, amd64, mips, and power-pc platforms. ! ! !
- Implemented a --executable-only option in ld.bfd(1). ! !
- Changed ld.so(1) ! to map certain regions of memory as immutable when loading shared ! libraries. !
- Added execve(2) violations of pinsyscall(2) policy to the daily mail, available by setting rc.conf.local(5) accounting=YES. !
- Added retguard to amd64 syscalls. ! !
- Randomly relink and install sshd(8) on boot, resulting ! in a sshd with unknown address layout after every reboot. !
- Add another mitigation against classic BROP on systems without execute-only mmu hardware-enforcement. A range-checking wrapper in ! front of copyin() and copyinstr() ensures the userland source address ! doesn't overlap the main program text and other text segments, thereby ! making this address ranges unreadable to the kernel. No programs have ! been discovered which require reading their own text segments with a ! system call. !
- On arm64, introduce mitigation of the Spectre-BHB (Branch History Injection) CPU vulnerability by using core-specific trampoline vectors. ! !
- Tightened the pledge(2) after ssh(1) session establishment. ! !
- Enabled the Data Independent Timing (DIT) feature in both the kernel and ! userland on arm64 CPUs that support it to mitigate timing side-channel attacks. -
Changes in the network stack: --- 712,776 ----
Security improvements:
- Permissions (RWX, MAP_STACK, etc) on address space regions can ! be made immutable, ! so that mmap(2), mprotect(2) or munmap(2) fail with EPERM. ! Most of the program static address space is now automatically ! immutable (main program, ld.so, main stack, load-time shared ! libraries, and dlopen()'d libraries mapped without RTLD_NODELETE). ! Programmers can request non-immutable static data using the ! "openbsd.mutable" section, or manually bring immutability to (page ! aligned heap objects) using mimmutable(2). !
- Some architectures now have non-readable code ("xonly"), both from ! the perspective of userland reading its own memory, or the kernel ! trying to read memory in a system call. Many sloppy practices in ! userland code had to be repaired to allow this. The linker (ld.lld(1)) option ! --execute-only is enabled by default. In order of development: arm64, ! riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon. sparc64 ! (sun4u only, unfinished). !
- On all architectures which lack hardware-enforcement of xonly, ! system calls are now prevented from reading (via copyin(9)/copyinst) ! inside the program's main text, ld.so text, sigtramp text, or libc.so ! text. !
- can still benefit from switching to --execute-only binaries if the ! cpu generates different traps for instruction-fetch versus data-fetch. ! The VM system will not allow memory to be read before it was executed ! which is valuable together with library relinking. Architectures ! switched over include loongson. !
- ld.so(1) and crt0 ! register the location of the execve(2) stub with the ! kernel using pinsyscall(2), after which the kernel only accepts an ! execve call from that specific location.
- Added execve(2) violations of pinsyscall(2) policy to the daily mail, available by setting rc.conf.local(5) accounting=YES. !
- Added retguard (consistency-check the return address on the ! stack) to amd64 syscalls. !
- sshd random relinking at boot: Randomly relink and install sshd(8), resulting ! in a sshd binary with unknown address layout after every reboot.
- Add another mitigation against classic BROP on systems without execute-only mmu hardware-enforcement. A range-checking wrapper in ! front of copyin(9) and ! href="https://man.openbsd.org/copyinstr.9">copyinstr(9) ensures ! the userland source address doesn't overlap the main program text and ! other text segments, thereby making this address ranges unreadable to ! the kernel. No programs have been discovered which require reading ! their own text segments with a system call.
- On arm64, introduce mitigation of the Spectre-BHB (Branch History Injection) CPU vulnerability by using core-specific trampoline vectors. !
- Enabled the arm64 Data Independent Timing (DIT) feature in both the kernel and ! userland on CPUs that support it to mitigate timing side-channel attacks.
Changes in the network stack: *************** *** 783,796 **** configuring IPv6. This allows non-multicast interfaces such as point-to-point interfaces and the NBMA / point-to-multipoint interfaces like mpe(4), mgre(4) and wg(4) to work with IPv6. -
Use the new getnsecruntime(9) timer to check the TCP_KEEPALIVE timer only against the system runtime, not the uptime. Prevents TCP connections to fail after wakeing up from suspend. - -
Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a hash/flowid for pf(4) state keys. With this change, pf will hash traffic the same way that --- 785,795 ---- *************** *** 800,810 **** queues too. using the same algorithm throughout the stack encourages affinity of packets to rings and softnet threads the whole way through. -
Prevented possible kernel crashes by dropping TCP packets with destination port 0 in pf(4) and the stack. -
Fixed a endian swap bug causing problems with vlans(4) on em(4) sparc64 systems. --- 799,807 ---- *************** *** 826,832 **** half second even if there is nothing to read. By default this buffer is infinite and must be filled to become readable.
Avoided enabling TSO on interfaces which are already attached to a bridge. -

Routing daemons and other userland network improvements: --- 823,828 ---- *************** *** 956,966 ****

When decoding and validating an individual RPKI file using filemode (rpki-client -f file), display the optional CMS signing-time, and non-optional X.509 notBefore, and X.509 notAfter timestamps. - - -

In snmpd(8), -

Switched tftpd(8) to --- 952,957 ----