git: ecc754a01c - main - 14.0 relnotes: higlights of work that was MFC'd to 13.1/13.2

From: Ed Maste <>
Date: Mon, 13 Nov 2023 17:58:33 UTC
The branch main has been updated by emaste:


commit ecc754a01ca3281c8b6add29b465345babb9e71c
Author:     Ed Maste <>
AuthorDate: 2023-11-10 15:07:28 +0000
Commit:     Ed Maste <>
CommitDate: 2023-11-13 17:56:15 +0000

    14.0 relnotes: higlights of work that was MFC'd to 13.1/13.2
    Reviewed by:    karels, jhb
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:
 website/content/en/releases/14.0R/relnotes.adoc | 131 +++++++++++++++++++++++-
 1 file changed, 129 insertions(+), 2 deletions(-)

diff --git a/website/content/en/releases/14.0R/relnotes.adoc b/website/content/en/releases/14.0R/relnotes.adoc
index c9e3e0c3ff..534f45fa7f 100644
--- a/website/content/en/releases/14.0R/relnotes.adoc
+++ b/website/content/en/releases/14.0R/relnotes.adoc
@@ -127,6 +127,131 @@ This section lists the various Security Advisories and Errata Notices since {rel
+== Significant changes merged into FreeBSD 13.1 and FreeBSD 13.2
+FreeBSD 14.0 includes over two and a half years of development since the release of FreeBSD 13.0.
+Some of this work was cherry-picked into older development branches, and was included in FreeBSD 13 minor releases.
+For 64-bit architectures, the base system is built with Position Independent Executable (PIE) support enabled by default.
+It may be disabled using the `WITHOUT_PIE` knob.
+There is a new `zfskeys` man:rc[8] service script, which allows for automatic decryption of ZFS datasets encrypted with ZFS native encryption during boot.
+The `zfskeys` startup script supports autoloading of keys stored on ZFS.
+See the man:rc.conf[5] manual page for more information.
+gitref:33ff39796ffe[repository=src], gitref:8719e8a951b7[repository=src], gitref:97aeda224356[repository=src]
+(Sponsored by Modirum and Klara Inc.)
+The `chroot` facility supports unprivileged operation, and the man:chroot[8] program has a `-n` option to enable its use.
+(Sponsored by EPSRC)
+man:md5sum[1] and similar message-digest programs compatible with those on Linux were added by having the corresponding BSD programs run with the `-r` option if the program name ends in `sum`.
+(Sponsored by Netflix)
+The use of FIDO/U2F hardware authenticators has been enabled in `ssh`, using the new public key types `ecdsa-sk` and `ed25519-sk`, along with corresponding certificate types.
+FIDO/U2F support is described in[].
+(Sponsored by The FreeBSD Foundation)
+The man:mgb[4] network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface.
+The driver has a number of caveats and limitations, but is functional.
+(Sponsored by The FreeBSD Foundation)
+Two new daemons, man:rpc.tlsclntd[8] and man:rpc.tlsservd[8], are now built by default on amd64 and arm64.
+They provide support for NFS-over-TLS as described in the Internet Draft entitled "Towards Remote Procedure Call Encryption By Default".
+These daemons are built when WITH_OPENSSL_KTLS is specified.
+They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates.
+gitref:2b9cbc85d727[repository=src] gitref:59f6f5e23c1a[repository=src]
+UEFI firmware boot compatibility is improved for amd64.
+See the man:loader.efi[8] `amd64 Nocopy` section for more detailed information.
+gitref:f75caed644a5[repository=src](Sponsored by[The FreeBSD Foundation])
+Boot time performance improvements have been made to many kernel subsystems.
+(Sponsored by[])
+man:nvme[4] error handling has been significantly improved.
+The handling of the lowest address on an IPv4 (sub)net (host 0) has been changed so that packets are not sent as a broadcast unless this address has been set as the broadcast address.
+This makes the lowest address usable for a host.
+The old behavior can be restored with the `net.inet.ip.broadcast_lowest` sysctl.
+See[] for background information.
+The man:growfs[7] startup script will now add a swap partition while expanding the root file system if possible, and if one did not previously exist.
+This is primarily useful when installing on an SD card using a raw image.
+A new man:rc.conf[5] variable has been added, `growfs_swap_size`, which can control the addition if necessary.
+See man:growfs[7] for details.
+A new RC script, `zpoolreguid` has been added, which will assign a new GUID to one or more zpools, useful for virtualization environments when sharing datasets.
+The `hostid` startup script will now generate a random (version 4) UUID if there is no [.filename]#/etc/hostid# file and no valid UUID from hardware.
+Also, if there is no [.filename]#/etc/machine-id# file, the `hostid_save` script will store a compact version of the hostid (one without hyphens) in [.filename]#/etc/machine-id#.
+This file is used by libraries such as GLib.
+gitref:62a149bf6219[repository=src] gitref:862aab6281a5[repository=src] gitref:baf1e9713969[repository=src] gitref:ecad3f5c4d92[repository=src] gitref:d6852eed98ed[repository=src]
+It is now possible to add default routes for FIBs other than the primary by using the `defaultrouter_fibN` and `ipv6_defaultrouter_fibN` man:rc.conf[5] variables.
+(Sponsored by ScaleEngine Inc.)
+The man:bhyve[8] utility has gained virtio-input device emulation support.
+This can be used to inject keyboard/mouse input events into a guest.
+The command line syntax is: `-s <slot>,virtio-input,/dev/input/eventX`.
+The man:kdump[1] utility has gained support for decoding Linux system calls.
+An man:nproc[1] utility has been added, compatible with the Linux program of the same name.
+The man:uuidgen[1] utility has a new option `-r` to generate a random UUID, version 4.
+The man:bhyve[8] hypervisor and kernel module man:vmm[4] now support more than 16 vCPUs in a guest.
+By default bhyve permits each guest to create the same number of vCPUs as the count of physical CPUs on the host.
+This limit can be adjusted via the loader tunable `hw.vmm.maxcpu`.
+Address Space Layout Randomization (ASLR) is enabled for 64-bit executables by default.
+It can be disabled as needed if applications fail unexpectedly, for example with segmentation faults.
+To disable for a single invocation, use the man:proccontrol[1] command: `proccontrol -m aslr -s disable command`.
+To disable ASLR for all invocations of a binary, use the man:elfctl[1] command: `elfctl -e +noaslr file`.
+Problems should be reported via the problem reporting system,[], or posting to the `` mailing list.
+(Sponsored by Stormshield)
+A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs.
+The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption.
+The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround.
+gitref:cde70e312c3f[repository=src] (Sponsored by The FreeBSD Foundation)
+The state of the arm64 man:linux[4] ABI was brought to parity with the amd64 man:linux[4] ABI.
+gitref:ccc510b46340[repository=src], gitref:9931033bbfbe[repository=src]
+In order to facilitate ABI compatibility of `stable` branches, the CPU affinity system calls are now more tolerant of CPU sets that are smaller than used by the kernel.
+This will facilitate increases to the size of the kernel set, `MAXCPU`.
+gitref:47a57144af25[repository=src] gitref:f35093f8d6d8[repository=src]
+(Sponsored by Juniper Networks, Inc.)
+It is now possible to take snapshots on UFS filesystems when running with journaled soft updates.
+Thus it is now possible to do background dumps on live filesystems running with journaled soft updates.
+Background dumps are requested by using the `-L` flag to man:dump[8].
+(In previous releases UFS snapshots were incompatible with journaled soft updates.)
+gitref:78f412987605[repository=src] (Sponsored by The FreeBSD Foundation)
+The kernel man:wg[4] WireGuard driver has been reintegrated; it provides Virtual Private Network (VPN) interfaces using the WireGuard protocol.
+gitref:744bfb213144[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate") and The FreeBSD Foundation)
+KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3.
+Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3.
+gitref:05a1d0f5d7ac[repository=src] (Sponsored by Netflix)
+Radix tables and lookups are now supported for MAC addresses in man:ipfw[4].
+This allows MAC address tables to be constructed and used for filtering.
 // Sample release notes entry.
 The man:fsck_msdosfs[8] utility includes a variety of enhancements, including reducing the memory footprint, a new flag, `-M`, which disables the use of man:mmap[2], and others.
@@ -703,8 +828,10 @@ gitref:137818006de5[repository=src]
 Layer 3 filtering on man:if_bridge[4] will do surprising things which aren't fail-safe, so `` and `` now default to zero.
-man:netlink[4] is a user/kernel communication protocol used primarily for network configuration.
-It has been expanded and improved, and a number of network configuration utilities have been converted to use netlink.
+man:netlink[4] is a user/kernel communication protocol defined in RFC 3549 and used primarily for network configuration.
+It has been expanded, improved, and enabled by default.
+A number of network configuration utilities have been converted to use netlink.
 The deprecated `NgATM` (netgraph ATM support) and remaining ATM support have been removed.