MidnightBSD Release Notes

(12/15/2025) MidnightBSD 4.0

I’m happy to announce the availability of MidnightBSD 4.0 for amd64 and i386.

This release includes updates to third-party libraries, bug fixes from the 3.2 release, and security updates. Many third-party libraries were updated, and this may cause some compatibility issues with old mports or packages.

The release also includes a large number of improvements from FreeBSD 13.x.

mports and Ravenports are both available on amd64 for packages.

Upgrade Process

Install git if you don’t have it already
mport install git

Fetch MidnightBSD from git via github.com/midnightbsd/src.git (assumes you don’t have /usr/src populated)

git clone -b stable/4.0 https://github.com/MidnightBSD/src.git

cd /usr/src; make -j4 clean buildworld buildkernel;
choose one of etcupdate or mergemaster -p
make installkernel
reboot

(if it works OK, login and go to /usr/src)
make installworld
choose one of etcupdate or mergemaster -iU

Update installed mports/packages
For mport package manager, run mport index
mport clean
mport upgrade

Remove old libraries and programs from the base.

cd /usr/src/; make check-old; make delete-old; make delete-old-libs; make installworld;

Bug Fixes and new features

Mport package manager

Updated mport to 2.7.3

Improved handling of color on the terminal. Fixed some bugs with the mport add command that resulted in segmentation faults.

Migrated rc.d start/stop to posix_spawn rather than using system.

Added new functionality to mport verify:

You can check a single port now with mport verify

You can now repair checksums on a port with mport verify -r. A checksum mismatch often indicates a security issue, files modified by the user after installation, or a problem with the mport package manager where an install was damaged.

Fixed build issues with newer LLVM versions.

Changed the behavior of mport_install to include dependencies. A new function, mport_install_single, keeps the old behavior for users, and upgrade has been switched over to it.

Attempt to detect packages that have the same origin for upgrades.

The last one needs more refinement in future releases. When you do mport list updates now, it may show you updates are available, but if you run mport update it will fail for some. The reason is that it now figures out that we don't have a package for, say, py37-foo when there is one for py311-foo. So it will suggest an update. It's not yet updating the package in this scenario. I need to rework some things for this to happen. My first implementation was reverted because of some other complications. Ideally, a user will need to be prompted to do this. There are cases where it's wrong (like if a package was just not built on the last package build in magus).

I've also improved a lot of messages to the user, usage() output, and added more error handling in several places. There were a few small memory leaks fixed as well.

Miscellaneous Changes

Removed libdispatch from base.

rc.subr(8) now honors ${name}_env in all rc(8) scripts.

init(8), service(8), and cron(8) will now adopt user/class environment variables by default (excluding PATH). Notably, environment variables for all cron jobs and rc(8) services can now be set via login.conf(5)

The default config for newsyslog(8) will now only include files from the /etc/newsyslog.conf.d/ and /usr/local/etc/newsyslog.conf.d/ directories if the filename ends with ".conf" and does not begin with a "." character.

The kernel now supports enforcing a W^X memory mapping policy for user processes. The policy is not enforced by default but can be enabled by setting the kern.elf32.allow_wx and kern.elf64.allow_wx sysctls to 0. Individual binaries can be exempted from the policy by elfctl(1) via the wxneeded feature.
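
An added example (not MidnightBSD project code) of checking the W^X policy described above: it reports whether the two sysctls are set to 0 on the running system and whether the setting is also persisted for the next boot. The function names and sample data are constructed for illustration, and /etc/sysctl.conf as the persistence location is an assumption carried over from FreeBSD.

```sh
#!/bin/sh
# Added example: audit the W^X sysctls named in the release notes.
# Assumes amd64, where both the 32-bit and 64-bit ELF ABIs are present;
# on i386 set WX_SYSCTLS to kern.elf32.allow_wx only.
WX_SYSCTLS=${WX_SYSCTLS:-"kern.elf32.allow_wx kern.elf64.allow_wx"}

# wx_runtime: read sysctl(8) output ("name: value" lines) on stdin.
# Prints one status line per sysctl; returns 0 only if every one is 0.
# Typical use: sysctl kern.elf32.allow_wx kern.elf64.allow_wx | wx_runtime
wx_runtime() {
    awk -v names="$WX_SYSCTLS" '
        BEGIN { n = split(names, want, " ") }
        {
            sub(/:$/, "", $1)       # "kern.elf64.allow_wx:" -> name
            val[$1] = $2
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in val))        { print k " missing";    bad = 1 }
                else if (val[k] == "0") { print k " enforced" }
                else                    { print k " permissive"; bad = 1 }
            }
            exit bad
        }'
}

# wx_persisted: read a sysctl.conf-style file ("name=value", "#" comments)
# on stdin. The last assignment wins, as it does when the file is applied
# top to bottom at boot. Returns 0 only if every sysctl ends up as 0.
# Typical use: wx_persisted < /etc/sysctl.conf
wx_persisted() {
    awk -v names="$WX_SYSCTLS" '
        BEGIN { n = split(names, want, " ") }
        {
            sub(/#.*/, "")          # drop comments
            gsub(/[ \t"]/, "")      # drop whitespace and quotes
            eq = index($0, "=")
            if (eq > 1) val[substr($0, 1, eq - 1)] = substr($0, eq + 1)
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (val[k] == "0") { print k " persisted" }
                else               { print k " not-persisted"; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample data: a system where the 64-bit policy was enabled by
# hand, and a sysctl.conf in which a later line undoes the 32-bit setting.
SAMPLE_SYSCTL_OUTPUT='kern.elf32.allow_wx: 1
kern.elf64.allow_wx: 0'

SAMPLE_SYSCTL_CONF='# constructed example file
kern.elf64.allow_wx=0
kern.elf32.allow_wx=0   # enforce W^X for 32-bit binaries
kern.elf32.allow_wx=1'

printf '%s\n' "$SAMPLE_SYSCTL_OUTPUT" | wx_runtime \
    || echo "runtime: W^X is not fully enforced"
printf '%s\n' "$SAMPLE_SYSCTL_CONF" | wx_persisted \
    || echo "boot: W^X setting would not survive a reboot"
```

Binaries that legitimately need writable and executable mappings are exempted with the wxneeded feature via elfctl(1) as noted above, so a failing check here is a reason to review those exemptions rather than to leave the policy off system-wide.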

The calendar(1) utility supports nested C pre-processor conditionals and now supports the C++ comment syntax in addition to the C syntax.

The calendar(1) utility consistently prints dates according to the locale of the invoking user, not the possibly varying locales of included files.

The daemon(8) utility now supports the -H flag to close and re-open the output file when SIGHUP is received. This permits rotation of the output file via newsyslog(8).

The daemon(8) utility no longer blocks SIGTERM during the restart delay.

The devd(8) utility now reports a kernel system event when the system resumes from sleep rather than a kern system event.

The diskinfo(8) utility now reports the physical device name GEOM attribute when available.

Removed userland support for i386 a.out executables. Removed the elf2aout(1) utility.

Removed the obsolete version of the GNU debugger that was installed to /usr/libexec for use by crashinfo(8). Detailed kernel crash information can be obtained by installing modern GDB from mports or packages.

Removed the GPL-licensed version of dtc(1). The BSD-licensed version is now built and installed unconditionally.

The manual page for the gstat(8) utility now documents the use of interactive keyboard commands.

The manual page for the inetd(8) utility now includes an example of how to use netcat as an HTTP proxy.

Removed the ctm(1) utility. It is now provided by the misc/ctm port.

The BSD version of grep(1) is now installed by default. The obsolete GNU version that was the previous default has been removed.

Removed the amd(8) automount daemon. Its functionality is provided by autofs(5).

The new getlocalbase(3) function in libutil retrieves the LOCALBASE path in a standard way.

Removed the cap_random(3) function as it has been superseded by getrandom(2)

A new Linux-compatible copy_file_range(2) system call supports efficient file copies. In particular, this system call permits the kernel to request that an NFSv4.2 server perform a copy operation locally on the server.

The regex(3) function no longer accepts redundant escapes for most ordinary characters. This will cause applications such as sed(1) and grep(1) to reject regular expressions using these escapes.

New aio_readv(2) and aio_writev(2) system calls provide vectored analogues of aio_read(2) and aio_write(2).

Removed CU-SeeMe support from libalias(3)

Processes that attach to a jail(8) will now completely rebase their cpuset(1) onto the jail’s cpuset. Notably, if a process had been assigned a numbered cpuset then it will be assigned a new numbered set that is the combination of CPUs allowed to the attaching process and the jail. Processes belonging to the superuser will implicitly widen their CPU mask as needed if they share no CPUs in common with the jail.

Refactored the amd64 DMAR driver to provide a generic I/O MMU framework which can be used by other architectures. As part of this, renamed the amd64-specific ACPI_DMAR kernel option to IOMMU.

Added Safe Memory Reclamation (SMR) to the kernel, a lightweight variant of epoch reclamation closely coupled to uma(9). This has been applied in parts of the VM subsystem and VFS layer to improve scalability on high core count systems.

Removed support for procfs-based process debugging.

Added the netgdb(4) facility, allowing the gdb(4) kernel debugger to be used over the network.

Added backlight(9)

Added a CAM-Newbus SDIO support module.

The suite of VirtIO device drivers now support the VirtIO V1 spec.

Added the axp(4) driver, supporting the 10G ethernet controller found on AMD EPYC processors.

Added support for Intel Speed Shift to cpufreq(4)

For iscsi(4) and ctld(8), support for specifying network QoS in the form of DiffServ Codepoints (DSCP) and Ethernet Priority Code Point (PCP) was added.

The ctld(8) utility now supports the -t flag to test the validity of configuration files.

Removed the nand(4) device framework and nandfs(5) filesystem and associated utilities.

Removed the GEOM_SCHED class and accompanying gsched(8) tool.

gnop(8) can now apply configurable delays to read and write requests to simulate a slow disk.

The kernel now provides a default implementation for the SEEK_DATA and SEEK_HOLE ioctl(2)'s for filesystems which do not support sparse files.

The NFS client and server now support NFSv4.2 (RFC 7862) and Extended Attributes (RFC 8276).

Attempts to read a directory fail with EISDIR by default. The -d skip flags can be passed to grep(1) to suppress errors in stderr when non-recursively grepping a list that includes directories.

The NFS server now permits credentials specified via -maproot or -mapall in exports(5) to include more than 16 groups.

The NFS client and server now support NFS over TLS. The additional userland daemons are not built by default but can be enabled by building a new world that includes a KTLS-enabled OpenSSL via the WITH_OPENSSL_KTLS option.

A new nfsv4_server_only variable can be set to YES in /etc/rc.conf to only enable support for NFSv4. This avoids the need to run rpcbind(8) on an NFS server.

Updated the fusefs(5) protocol to 7.28 along with adding support for FUSE_COPY_FILE_RANGE and FUSE_LSEEK.

The ZFS implementation is now provided by OpenZFS.

Added the pvscsi(4) driver, supporting the para-virtualized SCSI controller in VMWare products like ESXi

A new type of mbuf(9) (network data buffer) can represent multiple, unmapped physical pages as a single buffer. This improves the performance of sendfile(2) by reducing the length of mbuf linked lists in socket buffers.

tcp(4) now supports Proportional Rate Reduction (as described by RFC6937) to improve SACK loss recovery during burst loss and ACK thinning scenarios. This feature is enabled by default. A new sysctl(8), net.inet.tcp.do_prr, can be set to 0 to restore the prior behavior.

PRR should generally help improve loss recovery performance and prevent numerous preventable retransmit timeout (RTO) stalls. This surpasses the prior behavior, but a strictly packet conserving variant can be enabled. A misconfigured token bucket traffic policer can cause persistent loss even during loss recovery. In that case, activating the conservative PRR variant may prevent some retransmission timeouts (RTO) and associated session stalls for a few milliseconds while behaving less optimal in the general case. A new sysctl(8), net.inet.tcp.do_prr_conservative, can be set to 1 to enable strictly packet conserving behavior (at most 1 segment for each ACK received), while the normal variant may send up to 2 segments per received ACK - helping in cases of ACK thinning or significant burst loss events.

The cc_cubic(4) tcp(4) congestion control algorithm aligns more closely with the standard in RFC8312.

The number of packets queued for unresolved ARP/NDP entries has been increased to 16.

Stacked VLAN (802.1ad) support has been added.

The ping(8) utility now supports setting network QoS, with IP DSCP and Ethernet PCP

Merged the ping(8) and ping6(8) utilities. ping(8) supports both IPv4 and IPv6. A legacy ping6(8) is retained for backwards compatibility.

SCTP support is now available as a new sctp.ko kernel module and is no longer compiled into GENERIC by default.

Support for custom route lookup algorithms has been added.

DPDK librte-based IPv4/IPv6 route lookup algorithms have been added, optimising control-plane and data-plane for large routing tables.

Interface fib is now used for proxyarp checks.

Loopback route installation has been fixed for the interfaces in different fibs using the same prefix.

Number of fibs can now be changed at runtime by controlling net.fibs sysctl.

net.add_addr_allfibs sysctl default has been changed to 0.

Expiration of temporal routes (routes with -expire time set) has been fixed for both IPv4 and IPv6.

Duplicate routes installation issue for /32 or /128 interface aliases has been fixed.

IPv6 interface routes are now marked with RTF_PINNED like their IPv4 counterparts.

The route(8) network auto-guessing has been eliminated by removing remnants of classful behavior.

The net.inet6.ip6.deembed_scopeid sysctl, which made it possible to disable IPv6 scope de-embedding, has been removed.

The -i flag is now added to rtsol(8) and rtsold(8) by default in /etc/defaults/rc.conf.

For 64-bit architectures, the base system is now built with Position Independent Executable (PIE) support enabled by default. It may be disabled using the WITHOUT_PIE knob. A clean build is required.

There is a new zfskeys rc(8) service script, which allows for automatic decryption of ZFS datasets encrypted with ZFS native encryption during boot. See the rc.conf(5) manual page for more information.

The chroot facility now supports unprivileged operation, and the chroot(8) program now has a -n option to enable its use.

The CAM library has been modified to use realpath(3) on device names before parsing them, which allows tools such as camcontrol(8) and smartctl(8) to be friendlier when symlinks are in use.

md5sum(1) and similar message-digest programs compatible with those on Linux were added by having the corresponding BSD programs run with the -r option if the program name ends in sum.

mpsutil(8) has been extended to show adapter information and to control NCQ.

Problems after downloading firmware to a device using camcontrol(8) were fixed by forcing a rescan of the LUN after the firmware download.

A new mode has been added to the scripted partition editor for variant disk names in bsdinstall(8). If the disk parameter DEFAULT is set in place of an actual device name, or no disk is specified for the PARTITIONS parameter, the installer will follow the logic used in the automatic-partitioning mode, in which it will either provide a selection dialog for one of several disks if several are present or automatically select it if there is only one. This simplifies the creation of fully-automatic installation media for hardware or VMs with varying disk names.

Max I/O size has been reduced to avoid DMA issues in aacraid(4)

A bug preventing a virtual guest using virtio_random(8) from shutting down or rebooting has been fixed.

The mgb(4) network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface.

The iwlwifi(4) driver along with a LinuxKPI 802.11 compatibility layer was added to supplement iwm(4) for newer Intel Wireless chipsets.

Kernel crash dumps can now be saved on SD cards and eMMC modules using a dwmmc controller when the kernel is configured with the MMCCAM option

Kernel crash dumps can now be saved on SD cards using an sdhci controller when the kernel is configured with the MMCCAM option.

The default minor version used for an NFSv4 mount has been changed to the highest minor version supported by the NFSv4 server. This default can be overridden by using the minorversion mount option.

Two new daemons, rpc.tlsclntd(8) and rpc.tlsservd(8), are now built by default on amd64. They provide support for NFS-over-TLS as described in the Internet Draft entitled "Towards Remote Procedure Call Encryption By Default". These daemons are built when WITH_OPENSSL_KTLS is specified. They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates.

A new NFSv4.1/4.2 mount option nconnect has been added that can be used to specify the number of TCP connections that will be used for the mount, up to a maximum of 16. The first (default) TCP connection will be used for all RPCs that consist of small RPC messages. The RPCs that can consist of large RPC messages (Read/Readdir/ReaddirPlus/Write) will be sent on the additional TCP connections in a round-robin fashion. If either the NFS client or NFS server have multiple network interfaces aggregated together, or a network interface that uses multiple queues, this can increase NFS performance for the mount.

A sysctl called vfs.nfsd.srvmaxio has been added that can be used to increase the NFS server’s maximum I/O size from 128Kbytes to any power of 2 up to 1Mbyte. It can only be set when the nfsd threads are not running, and will normally require an increase in kern.ipc.maxsockbuf to at least the value recommended by the console log message generated when setting vfs.nfsd.srvmaxio is first attempted.

The kdump(1) utility has gained support for decoding Linux system calls.

The killall(1) utility now allows sending signals to processes with their controlling terminal on pts(4) using the syntax -t pts/N.

An nproc(1) utility has been added, compatible with the Linux program of the same name.

The timeout(1) utility has been moved from /usr/bin to /bin.

The pciconf(8) utility has added support for decoding ACS extended capability.

The procstat(1) utility can now print information about advisory locks on files with the newly added advlock command.

The pwd_mkdb(8) utility no longer copies comments from /etc/master.passwd to /etc/passwd.

MSS clamping has been improved for ppp(8).

Metric aliasing has been changed in prometheus_sysctl_exporter(8) to avoid confusing the Prometheus server with conflicting metric names. The tcp_log_bucket UMA zone has been renamed to tcp_log_id_bucket, and tcp_log_node was renamed to tcp_log_id_node for consistency. Sysctl variables with (LEGACY) in their descriptions are no longer exported; these are used by ZFS sysctls that have been replaced by others, many of which alias to the same Prometheus metric name (like vfs.zfs.arc_max and vfs.zfs.arc.max).

The uuidgen(1) utility has a new option -r to generate a random UUID, version 4.

When invoked by inetd(8), ctlstat -P will now produce output suitable for ingestion into Prometheus; see ctlstat(8).

Support of SHA-512/224 has been added to libmd.

Linux-style system call tracing is now supported by sysdecode(3) and kdump(1).

The native pthread library functions can now support Linux semantics.

Address Space Layout Randomization (ASLR) is enabled for 64-bit executables by default. It can be disabled as needed if applications fail unexpectedly, for example with segmentation faults. To disable for a single invocation, use the proccontrol(1) command: proccontrol -m aslr -s disable command. To disable ASLR for all invocations of a binary, use the elfctl(1) command: elfctl -e +noaslr file.

A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs. The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption. The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround.

In order to facilitate ABI compatibility of stable branches, the CPU affinity system calls are now more tolerant of CPU sets that are smaller than used by the kernel. This will facilitate increases to the size of the kernel set, MAXCPU.

64-bit linux(4) ABI support was added for saving CPU floating point state across signal delivery.

vDSO (virtual dynamic shared object) support has been nearly completed in the linux(4) ABI

The netlink(4) network configuration protocol is now available. It is a communication protocol defined in RFC 3549, and uses a raw socket to exchange configuration information between user space and kernel. It is used by third-party routing programs and by the linux(4) ABI.

Radix tables and lookups are now supported for MAC addresses in ipfw(4). This allows MAC address tables to be constructed and used for filtering.

OPIE has been deprecated

The ce(4) and cp(4) synchronous serial drivers have been deprecated

Drivers for ISA sound cards have been deprecated

The mergemaster(8) utility has been deprecated

The minigzip(1) utility has been deprecated

The remaining components of ATM in netgraph (NgATM) have been deprecated

The VINUM class in geom(8) has been deprecated

The libtacplus(3) library has been improved so that tacplus.conf(5) now follows POSIX shell syntax rules. This may cause TACACS+ authentication to fail if the shared secret contains a single quote, double quote, or backslash character which isn’t already properly quoted or escaped. The library allows additional AV pairs to be configured, up to 255.

Programs such as login(1) that utilize setusercontext(3) will now allow the process priority to be set from the ~/.login_conf file if the credentials permit setting it. Also, the priority may be specified in login.conf(5) as inherit, indicating that the process priority is inherited from the parent process. Similarly, the umask value may now be specified as inherit.

The configuration file and security output changes reported by periodic(8) that are emailed to system administrators now use reduced context to minimize unrelated content. The options passed to diff(1) to produce the daily output can be controlled by a daily_diff_flags variable in rc.conf(5); the options passed to diff(1) for the security scripts are controlled by security_status_diff_flags

The umask for a service may now be specified in rc.conf(5) using the variable <service>_umask, where the service is named <service>.

The head(1) and tail(1) programs now support the -q (quiet) and -v (verbose) options consistently. Numeric arguments may now use SI suffixes supported by expand_number(3).

The objdump(1) utility from LLVM is now available. Some LLVM objdump options have a different output format than GNU objdump; readelf(1) is available for inspecting ELF files, and GNU objdump is available from the devel/binutils port or package.

The tftpd(8) server can be configured to allow writes to files in a chrooted environment that are not world-writable using the new -S option.

The NFS server (nfsd(8), nfsuserd(8), mountd(8), gssd(8), and rpc.tlsservd(8)) can be run in an appropriately configured vnet jail. The vnet jail must be on its own file system, have the allow.nfsd jail parameter set on it, and enforce_statfs cannot be set to 0. Use of UDP and pNFS server configurations are not permitted. See jail(8), nfsd(8), and mountd(8).

A new syskrb5 mount option is available that allows a Kerberized NFSv4.1/4.2 mount to be done without any Kerberos credential (TGT or keytab) at mount time. See mount_nfs(8).

The zfsd(8) daemon will now fault disks that generate too many I/O delay events.

The logging priority of syslog messages due to overflow of a socket listen queue can now be set using the sysctl kern.ipc.sooverprio. The default is 7, corresponding to LOG_DEBUG. A value of -1 suppresses logging.

The netgraph ng_ipfw(4) module no longer truncates cookies to 16 bits, allowing a full 32 bits.

Support for IPv6 RFC 4620 nodeinfo is now disabled by default.

pf filter rules can be optionally enabled for packets delivered locally to enable pf rdr rules for connections initiated from the host. This can change the behavior of rules which match packets delivered to lo0. To enable this feature, use the commands sysctl net.pf.filter_local=1; service pf restart. When enabled, it is best to ensure that packets delivered locally are not filtered, e.g. by adding a set skip on lo rule.

libcapsicum has been improved to cache more time zone information. This change reduces the number of calls to tzset(3) and improves performance.

Bhyve

The bhyve(8) utility supports additional COM3 and COM4 serial ports.

Removed the deprecated bvmconsole and bvmdebug device models from bhyve(8) and the associated kernel device drivers for MidnightBSD and FreeBSD guests.

The bhyve(8) utility works reliably with more VNC clients including the macOS "Screen Sharing" application.

The bhyve(8) utility now supports VirtIO-9p (aka VirtFS) filesystem sharing.

The bhyve(8) utility now supports virtual machine snapshots. This feature is still in active development and is not yet enabled by default.

The bhyve(8) utility now supports a VM Generation Counter ACPI device.

The bhyve(8) utility now supports PCI HDAudio devices.

The NVMe emulation in bhyve(8) has been upgraded to version 1.4 of the NVMe specification.

NVMe iovec construction for large IOs in bhyve(8) has been fixed. The problem was exposed by the UEFI driver included with Rocky Linux 8.4

The bhyve(8) utility has gained virtio-input device emulation support. This will be used to inject keyboard/mouse input events into a guest. The command line syntax is: -s ,virtio-input,/dev/input/eventX.

The bhyve(8) hypervisor and kernel module vmm(4) now support more than 16 vCPUs in a guest. By default bhyve permits each guest to create the same number of vCPUs as the count of physical CPUs on the host. This limit can be adjusted via the loader tunable hw.vmm.maxcpu

mountd(8) now allows {NGROUPS_MAX} + 1 groups to be passed (927d7d57793a). NGROUPS_MAX is just the minimum maximum of the number of allowed supplementary groups. The actual runtime value may be greater, so more groups can be specified accordingly. nmount(2) has been changed similarly.

Defer the January 19, 2038 date limit in UFS1 filesystems to February 7, 2106.

Add microsecond precision for disk latency for gstat(8).

Boot loader

The efibootmgr(8) utility now supports the -b flag to specify an index of a specific boot entry to create or modify.

The efibootmgr(8) utility now supports the -E flag to query which EFI System Partition was used to boot the system.

The efibootmgr(8) utility now supports the -f and -F flags to set or clear a request to boot to the UEFI user interface on the next boot.

Prior releases had a complete MS-DOS formatted filesystem packaged into /boot/boot1.efifat. Older versions of MidnightBSD installed this filesystem image into a raw partition. However, uses of the ESP have proliferated, making this inflexible approach no longer desirable. Users have varied needs for the size of this partition, and multiple booting setups require more detailed access. To update old ESP partitions, users should stop using the gpart(8) utility. Instead, ESP partitions should be mounted as MS-DOS filesystems as /boot/efi, and /boot/loader.efi should be copied to /boot/efi/efi/boot/bootx64.efi if the default setup is used. If the efibootmgr(8) utility is used to customize the boot environment, this file should be copied to the location set with the -l flag.

UEFI boot is improved for amd64. The loader detects whether the loaded kernel can handle the in-place staging area (non-copying mode). The default is copy_staging auto. Auto-detection can be overridden, for example: with copy_staging enable, the loader will unconditionally copy the staging area to 2M, regardless of kernel capabilities. Also, the code to grow the staging area is more robust; for growth to occur, it’s no longer necessary to hand-tune and recompile the loader.

Performance improvements have been made to loader(8), nvme(4), random(4), rtsold(8), and x86 clock calibration, which collectively yield a significant speedup in system boot time.

The teken.fg_color and teken.bg_color loader.conf(5) variables now accept a bright or light prefix (and color numbers 8 through 15) to select bright colors.

Several bugs have been fixed in loader(8) that caused the video console output to disappear. These appeared to be hangs after the boot loader starts the kernel.

Security Fixes

Overhauled the in-kernel cryptographic framework to better support modern cryptographic algorithms as well as simplify the interface for both device drivers and framework consumers.

Removed support for Kerberos GSS algorithms deprecated by RFCs 6649 and 8429.

Removed support for previously-deprecated algorithms in geli(8).

Removed support for IPsec algorithms deprecated by RFC 8221 as well as Triple DES.

The GENERIC kernels for amd64 and i386 now include aesni(4) to support accelerated software cryptography for geli(8)

Removed the ubsec(4) driver for obsolete Broadcom BCM58xx crypto accelerators.

The kernel now supports in-kernel framing and encryption of Transport Layer Security (TLS) data on TCP sockets for TLS versions 1.0 through 1.3. Transmit offload via in-kernel crypto drivers is supported for MtE cipher suites using AES-CBC as well as AEAD cipher suites using AES-GCM. Receive offload via in-kernel crypto drivers is supported for AES-GCM cipher suites for TLS 1.2. Using KTLS requires the use of a KTLS-aware userland SSL library. The OpenSSL library included in the base system does not enable KTLS support by default, but support can be enabled by building with the WITH_OPENSSL_KTLS option.

KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3. Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3.

Updated CA certificates

Several Heimdal security fixes have been applied to mitigate vulnerabilities in the Kerberos Key Distribution Center.

3rd Party Software

Hardware

igc(4) fix for some z790 motherboards

Fixed two CVEs in the Intel iwlwifi driver: CVE-2024-27434 and CVE-2024-35912.

The amd64 architecture now supports Hygon Dhyana Family 18h processors.

Removed the deprecated ufm(4) driver for USB FM tuners.

Removed the deprecated ctau(4) and cx(4) drivers.

Removed the vpo(4) driver for parallel port SCSI adapters.

A new usbhid(4) driver uses drivers from the hid(4) framework for USB HID devices instead of ukbd(4), ums(4), and uhid(4). usbhid(4) is enabled by adding hw.usb.usbhid.enable=1 to /boot/loader.conf and adding usbhid to kld_list="" in /etc/rc.conf.

Removed several deprecated network drivers:

The qat(4) driver has been added, supporting some of the cryptographic acceleration functions of the Intel QuickAssist (QAT) device. The qat(4) driver supports the QAT devices integrated with Atom C2000 and C3000 and Xeon C620 and D-1500 platforms, and the Intel QAT Adapter 8950.

The amd64 architecture now supports 57-bit virtual addresses (LA57) on supported CPUs. This permits user processes to use up to 56 bits of virtual address space. This also includes support for five layer nested page tables used by bhyve.

The em(4) driver now correctly supports the full range of receive buffer sizes available on newer chips 82580 and i350.

Basic support for Intel Alder Lake CPUs has been implemented for hwpmc(4)

The irdma(4) RDMA driver was introduced for the Intel E810 Ethernet Controller, supporting both RoCEv2 and iWARP protocols in per-PF manner, RoCEv2 being the default

The rtw88(4) driver was added to support several Realtek wireless PCI interfaces. It is currently limited to 802.11 a/b/g operation

Multiple PCI MCFG regions are now supported on x86 systems, enabling support for PCI config access for domains (segments) other than 0.

A problem with the graid implementation of Promise RAID1 created with 4 or more disks has been fixed. The array worked only until reboot.

iwlwifi(4) driver supports BE200

There have been many stability fixes to native and LinuxKPI-based wireless drivers.

The Google Virtual NIC (gve(4)) is now supported.

Support for SIM7600G has been added to u3g(4).

Added support for AMD Ryzen 7 "Phoenix" processors (family 0x19, model 0x70-0x7f) to the amdsmn(4) and amdtemp(4) drivers. This enables temperature readings of these CPUs via sysctl. The sensors function identically to those for the "Raphael" processors (model 0x60-0x6f); only the PCI device ID differs.

agp(4) is deprecated.

Improved SFP support in the igb(4) driver.

Known Issues

The compiler update caused a lot of breakage with mports. As we fix ports for 4.0+, it will likely break 3.2.x compatibility. This is particularly true with ports depending on Rust. You should run mport delete rust if you have it installed, and then run mport install rust186 instead.

Final packages are not yet available for i386 or amd64. For the former, we don't have any published yet.

Ravenports install is not in the path, but we also don’t tell you that during bootstrap.

On VirtualBox 7, Xorg needs over 1GB of RAM allocated to run without swapping or crashing. Occasional VM hangs have also been seen. It works fine on bare metal, bhyve, or VMware products.

diff3 was not connected to the build system. It was fixed shortly after release and will be included in the 4.0.1 update.