OpenBSD 7.7 supports Intel E810 up to 100 GBit/s and Radeon RX 9070 GPUs

OpenBSD 7.7 improves the SMP capabilities of the TCP stack. In addition to current Intel network cards and AMD GPUs, Apple M1 MacBooks are also better supported.

By Michael Plura

Theo de Raadt releases OpenBSD 7.7, marking the 58th version of the security-focused open source operating system. OpenBSD is known for its minimal, verifiable code base and its uncompromisingly security-oriented design. The new features therefore mainly concern the security and network areas.

The Direct Rendering Manager (drm) in OpenBSD 7.7 is now up to date with Linux 6.12.21. Support for AMD GPUs and APUs (amdgpu(4)) has been extended to include kernel support for Ryzen AI 300 (Strix Point, Strix Halo, Krackan Point) and the new Radeon RX 9070 (Navi 48). For the integrated Intel GPUs (inteldrm(4)), OpenBSD 7.7 now also supports the Core Ultra Series 2 processors of the Intel Arrow Lake microarchitecture. OpenBSD and Nvidia have never been friends, so OpenBSD 7.7 does not support Nvidia's proprietary drivers. Unfortunately, this also applies to the free Nouveau drivers, so Nvidia GPUs only run via generic drivers (vesa/wsfb) with massive performance losses.

The ARM64 platform (arm64) received improvements in OpenBSD 7.7 for SMC initialization on Apple M1 MacBooks. Armv9 CPUs support "Pointer Authentication Code" (PAC) as a security feature. PAC is intended to prevent ROP attacks. ROP (Return-Oriented Programming) is an attack technique in which an attacker strings together short sections of code that already exist in a program's memory, so-called gadgets, in order to execute arbitrary commands without supplying their own code. OpenBSD 7.7 supports the current QARMA3 algorithm (Qualcomm ARM Authenticator) for PAC as well as the Scalable Vector Extension (SVE) on Armv9 processors.

The OpenBSD 7.7 kernel for 64-bit x86 CPUs (amd64) can now also boot under QEMU with AMD Secure Encrypted Virtualization (SEV). The i386 platform has been further memory-optimized and should therefore run better on multiprocessor systems. By the way, i386 does not refer to Intel 80386 and unfortunately not to the many embedded 80486, but to systems from the Pentium processor upwards - it should actually be i586 or i686 (Pentium Pro).

The RISC-V, SPARC64, HPPA, PowerPC64 and even Luna88k platforms also received a few tiny improvements under OpenBSD 7.7.

Among the many small changes in the kernel, various improvements for suspend and hibernate stand out. Making the network stack multiprocessor-proof is also making progress. Almost all parts of the TCP stack now run in parallel without any problems. Only the TCP input side still uses exclusive NetLocks in OpenBSD 7.7. For moderate use cases, the lack of SMP capability may have been sufficient for a long time – a dual-core machine for smooth multitasking was perfectly adequate for many router/firewall appliances.

However, if you look at network cards such as the Intel E810 series (ice(4), 1/10/25/50/100GBit/s), which is now also supported, it becomes clear that the data flow must be neatly distributed across several CPU cores. One sign of this is probably the increase in the receive buffers for the VirtIO network device (vio(4)) for OpenBSD 7.7 instances under a hypervisor. Unfortunately, there is little new in the way of WiFi cards, apart from support for QCA2066 in the Qualcomm Technologies QCNFA765 802.11ax driver (qwx(4)).

Since OpenBSD developers seem to be allergic to fat frameworks and bloated software, the administration tools are kept simple and easy to use. However, since OpenBSD users have nothing against simplifying their work, these tools are regularly refined and their handling adapted. Important system parameters are read via sysctl(8) and, where possible, set with it. A "sysctl net.inet.ip.forwarding=1", for example, switches on IP forwarding on a router or firewall for the current session (without "=1", sysctl shows the status). Entered in /etc/sysctl.conf (without a leading "sysctl"), these values are automatically activated at every system start. In OpenBSD 7.7 it is now possible to pass a whole list of these system parameters to sysctl(8) in one go using the parameter "-f <filename>".
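A file in this name=value format can also serve as a baseline to audit against. The following script is an added example, not part of the original article or of OpenBSD: it compares such a file with a saved dump of sysctl output and reports every setting that differs. The function names, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style baseline against a saved `sysctl` dump.
# Function names, file names and sample values are constructed for illustration.

# normalize FILE: drop comments and blank lines, trim spaces around name and value.
normalize() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# drift BASELINE DUMP: print one line per setting whose dumped value differs
# from the baseline, including settings missing from the dump.
drift() {
    normalize "$1" | while IFS='=' read -r name want; do
        have=$(normalize "$2" | awk -F= -v n="$name" \
            '$1 == n { print substr($0, length(n) + 2); exit }')
        [ "$have" = "$want" ] ||
            printf '%s want=%s have=%s\n' "$name" "$want" "${have:-<unset>}"
    done
}

# make_samples DIR: write a constructed baseline and a constructed dump.
make_samples() {
    cat > "$1/sysctl.conf" <<'EOF'
# constructed baseline for a router (same format as /etc/sysctl.conf)
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding = 1

kern.nosuidcoredump=1
EOF
    cat > "$1/live.txt" <<'EOF'
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=0
EOF
}

# Demo on the constructed samples; on a real system the dump would come from
# `sysctl > live.txt`, and the baseline could then be applied with `sysctl -f`.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
drift "$demo_dir/sysctl.conf" "$demo_dir/live.txt"
rm -rf "$demo_dir"
```
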

With sysupgrade(8), OpenBSD is upgraded to the next release or a new snapshot. The behavior of sysupgrade(8) has been defined a little more clearly, and there is now an option to upgrade to an explicitly specified version ("-R 7.7") instead of just the next one. According to the developer, skipping versions or even downgrading can be risky.

For offline systems, sysupgrade(8) can now also use upgrade files that are stored locally, and it works more closely with the firmware download tool fw_update(8). Previously, fw_update(8) recognized which firmware needed to be downloaded based on the current local system message buffer (/var/run/dmesg.boot). In order to be able to update OpenBSD installations without access to the Internet or for tests, fw_update(8) can now also be passed an arbitrary dmesg file.


In new OpenBSD versions, networking always receives a particularly large number of new features and improvements, some of them very small. In OpenBSD 7.7, the Border Gateway Protocol (BGP) routing daemon (bgpd(8)) has been expanded to include the specifications for RFC 8538 (Notification Message Support for BGP Graceful Restart) and RFC 8654 (Extended Message Support for BGP). The RPKI validator for supporting BGP routing (rpki-client(8)) has also received many adjustments. The OpenBSD project LibreSSL is now delivered as version 4.1.0, OpenSSH has reached 10.0.

OpenBSD is released under the free MIT license and is available as open source software free of charge and in source code. OpenBSD 7.7 includes Xenocara based on Xorg 7.7, which runs various window managers and desktop environments such as cwm, dwm, MATE, Xfce 4.20, GNOME 47 and KDE Frameworks 6.12.0 with KDE Plasma 6.3.3. For the desktop there is Chromium 135 or Mozilla Firefox 137/ESR 128.9 and LibreOffice 25.2.1.2, plus Emacs 30.1 or Vim 9.1.1265/Neovim 0.10.4, depending on taste. LLVM/Clang 13.0.0, 16.0.6, 18.1.8 and 19.1.7 as well as GCC 8.4.0 and 11.2.0 can be installed as compilers. Around 12,500 packages can be installed on ARM64 and AMD64 machines, with significantly fewer on other platforms, because every OpenBSD version should be able to be compiled natively on every platform ("eat your own dogfood").

Free installation images and instructions for fourteen hardware platforms are available for download on the project page. The release notes for OpenBSD 7.7 with a detailed overview of all changes can also be found there.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.