===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- www/74.html	2023/10/14 19:47:37	1.78
+++ www/74.html	2023/10/14 19:53:05	1.79
@@ -594,6 +594,39 @@
 
 <li>Security improvements:
   <ul>
+  <li>We enabled support for branch target identification (BTI) in both
+	the kernel and userland.  On hardware that supports this feautre, it
+	helps enforcing control flow integrety by making sure malicious code
+	cannot jump into the middle of a function.
+  <li>We enabled support for pointer authentication (PAC) in userland.  On
+	hardware that supports this feature it helps enforcing control flow
+	integrety by making sure malicious code cannot manipulate a
+	function's return address.
+  <li>On the amd64 architecture, we enabled support for indirect
+	branch tracking (IBT) in both the kernel and userland.  On hardware
+	that supports this feature, it helps enforcing control flow integrety
+	by making sure malicious code cannot jump into the middle of a
+	function.
+  <li>On the arm64 architecture, we enabled support for branch target
+	identification (BTI) in both the kernel and userland.  On hardware
+	that supports this feature, it helps enforcing control flow integrety
+	by making sure malicious code cannot jump into the middle of a
+	function.
+  <li>On the arm64 architecture, we enabled support for pointer
+	authentication (PAC) in userland.  On hardware that supports this
+	feature it helps enforcing control flow integrety by making sure
+	malicious code cannot manipulate a function's return address.
+  </ul>
+
+Together with retguard these features protect against ROP attacks.
+
+Compiler defaults for base clang, ports clang and ports gcc (as well
+as some other non-C language family compilers in ports) have been
+changed to enable these features by default.  As a result the vast
+majority of programs on OpenBSD (and all programs in the base system)
+run with these security features enabled.
+
+  <ul>
   <li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
       chunk sizes to be fine grained: chunk sizes are closer to the
       requested allocation size.
@@ -618,23 +651,6 @@
       output, safely escape non-printable characters
       in messages that may include file names,
       and truncate times to the correct maximum value.
-
-
-
-
-  <li>On amd64, enable Indirect Branch Tracking (IBT) for the kernel.
-  <li>Enable branch target control flow enforcement on arm64.
-  <li>In clang on amd64, emit IBT endbr64 instructions by default (meaning,   
-	-fcf-protection=branch is the default).
-  <li>On arm64, implement support for pointer authentication (PAC) in userland.
-  <li>In <a href="https://man.openbsd.org/clang.1">clang(1)</a>,
-	turn on pointer-authentication on arm64 by default.
-  <li>Enable Indirect Branch Tracking (IBT) for amd64 userland.
-  <li>Prevent <a href="https://man.openbsd.org/patch.1">patch(1)</a>
-	from modifying files outside of the current working directory and
-	subdirectories using <a
-	href="https://man.openbsd.org/unveil.2">unveil(2)</a>.
-
   </ul>
 
 <li>Changes in the network stack:
