77.html

<!doctype html>
<html lang="en" id="release">
<head>
<meta charset=utf-8>

<title>OpenBSD 7.7</title>
<meta name="description" content="OpenBSD 7.7">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/77.html">
</head><body>
<h2 id="OpenBSD">
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.7
</h2>

<table>
<tr>
<td>
<a href="images/XXX.jpg">
<img width="100" height="1000" src="images/xxx-s.gif" alt="XXXX"></a>
<td>
Released Apr XX, 2025. (58th OpenBSD release)<br>
Copyright 1997-2025, Theo de Raadt.<br>
<br>
Artwork by Tom&aacute;&scaron; Rodr.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
    a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/7.7/</code> directory on
    one of the mirror sites.
<li>Have a look at <a href="errata77.html">the 7.7 errata page</a> for a list
    of bugs and workarounds.
<li>See a <a href="plus77.html">detailed log of changes</a> between the
    7.6 and 7.7 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
    pubkeys for this release:<p>

<table class=signify>
<tr><td>
openbsd-77-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/openbsd-77-base.pub">
RWSbCCUoGpcxVRmNb/XFYBbthxWMK7G6fNbJhb993Ohuh29WFaT9vhe2
</a><tr><td>
openbsd-77-fw.pub:
<td>
RWSJsKh8CzZG93aXHWDPCNM04iMwt7wRzfWzs1nL/2K6OsUvmAEfQavY
<tr><td>
openbsd-77-pkg.pub:
<td>
RWQ0omJ8AdcUd41n7fqEccjc/VyLhJLKVJo7oFUg7epg6lUHRtgMgT52
<tr><td>
openbsd-77-syspatch.pub:
<td>
RWRtcHFMyeKCcG4TkoK/TbEvDd1vch0tq8VgRR5UBpvAQkUcgja3jtV9
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>

<hr>

<section id="new">
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.7.
For a comprehensive list, see the <a href="plus77.html">changelog</a> leading to 7.7.
<p>
<ul>

<li>Platforms specific improvements:
  <ul>
  <li><a href="arm64.html">arm64</a>:
    <ul>
    <li>Set AP power state, fixing the SMC initialization on the M1 MacBook with the latest system firmware.
    <li>Implemented a new pmap_populate() interface on arm64 and riscv64
	to help <a
	href="https://man.openbsd.org/pmap_enter.9">pmap_enter(9)</a> succeed
	when there's enough free physical memory but we can't allocate KVA to
	map that memory.
    <li>Optimized pmap teardown by skipping TLB flushes, giving ~5%
	performance boost for kernel build.
    <li>Enabled PAC on hardware that uses the new QARMA3 cipher.
    <li>Implemented support for SVE (Scalable Vector Extension).

    </ul>
  <li><a href="amd64.html">amd64</a>:
    <ul>
    <li>Added the ability for <a
	href="https://man.openbsd.org/bus_dmamem_alloc.9">bus_dmamem_alloc(9)</a>
	to recognize the BUS_DMA_64BIT flag and allocate memory for DMA
	without any 4GB restrictions on amd64.
    <li>Allowed boot loader to run as AMD SEV guest on QEMU with EFI.
    <li>Allowed kernel boot on QEMU with AMD SEV.
    <li>Allowed use of MSI with the QEMU default pc-i440fx machine.
    <li>Stopped amd64 leak of kernel stack guard pages.
    <li>Implemented the AMD SEV <a
	href="https://man.openbsd.org/psp.4">psp(4)</a> download firmware
	command to load new firmware onto the chip and made the AMD SEV
	automatically load psp(4) firmware during <a
	href="https://man.openbsd.org/vmd.8">vmd(8)</a> startup.
    </ul>
  <li>Other <a href="plat.html">architectures</a>:
    <ul>
    <li>Fixed <a href="riscv64.html">riscv64</a> sigcode copying and put riscv64 sigcode in the .rodata memory section.
    <li>Implemented an interrupt depth counter on <a href="sparc64.html">sparc64</a>.
    <li>Moved the <a href="hppa.html">hppa</a> stack 1GB higher.
    <li>On <a href="i386.html">i386</a>, improved the stability in low-memory situations, especially for MP.
    <li>Fixed a <a href="powerpc64.html">powerpc64</a> bug where a pte could be put into an incorrect pteg, leading to a crash.
    <li>Changed <a href="luna88k.html">luna88k</a> disklabel labeloffset to 0.
    </ul>

  <li>More platform specific changes can be found in the <a href="#hardware_support">hardware support</a> section below.
  </ul>

<li>Various kernel improvements:
  <ul>
  <li>Improved responsiveness in OOM situations and made free target checks coherent.

  <li>Removed the ability to specify a root, dump or swap device on <a
	href="https://man.openbsd.org/st.4">st(4)</a>.

  <li>In uvm, prevent a race where a mapped object is being truncated
	while we are spinning to unwire it.
  <li>Optimized page daemon active and inactive list traversals when
	looking only for low pages.
  <li>Added a helper to check if memory has been freed for a given
	request to improve speed of the page daemon loop.
  <li>Started accounting for in-flight pages being written to disk when
	the page daemon is computing page shortage.

  <li>Adjusted the ptrace interface to properly support
	single-threaded continue and make it possible to use breakpoints in
	multi-threaded processes in gdb.
  <li>Add <a href="https://man.openbsd.org/ptrace.2">ptrace(2)</a>
	commands used to read/write the XSAVE area of a traced process.
  <li>Correctly honored the count optional argument of the <a
	href="https://man.openbsd.org/ddb.4">ddb(4)</a> break command,
	ensuring execution does not stop until the breakpoint is hit at least
	that many times.
  <li>Taught <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> how to
	disassemble endbr64.
  <li>Moved <a href="https://man.openbsd.org/dt.4">dt(4)</a> to using
	a ringbuffer per CPU.
  <li>Added 'socket' refcnt type to <a
	href="https://man.openbsd.org/dt.4">dt(4)</a>.
  <li>Made <a href="https://man.openbsd.org/btrace.8">btrace(8)</a>
	support additional interval/profile units (hz, us, ms, s).
  <li>Added multi-line strings support to the <a
	href="https://man.openbsd.org/bt.5">bt(5)</a> script parser.

  <li>Added kern.audio.kbdcontrol <a
	href="https://man.openbsd.org/sysctl.2">sysctl(2)</a> variable,
	allowing the volume keys on multimedia keyboards to be handled as
	regular keys if set to 0.
  <li>Implement <a
	href="https://man.openbsd.org/bus_dma.9">bus_dma(9)</a> bounce buffering
	for raw memory.
  <li>Started ignoring sub-nodes of non-functional nodes in the ACPI
	tree walk to fix double and triple attachments of the same PCIe root
	bridges.

  <li>Suspend/Hibernate Support
  <ul>
  <li>Ensured all
    <a href="https://man.openbsd.org/apm.8">hibernate</a>
    data is written inside the allocated chunk of swap.
  <li>Removed unneeded zeroing of free pages during
    <a href="https://man.openbsd.org/apm.8">hibernate</a>.
  <li>Corrected
    <a href="https://man.openbsd.org/apm.8">hibernate</a>
    error detection during RLE writes.
  <li>Ensured
    <a href="https://man.openbsd.org/apm.8">hibernate</a>
    fails when I/O or memory allocation errors occur.
  </ul>

  <li>Bugfixes
  <ul>
  <li>Fixed a (mostly) hypothetical race in <a
	href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a> by
	making it return an error if called in a multi-threaded process.
  <li>Fixed CPU idle percentage in <a
	href="https://man.openbsd.org/top.1">top(1)</a> on <a
	href="https://www.openbsd.org/macppc.html">macppc</a>.
  <li>Reworked how processes are stopped because of a signal. Now
	multithreaded processes can be reliably stopped and continued. This
	should fix problems seen in golang, mpv and in our regress tests.
  <li>Fix possible races of changes to the per-process unveil
	data structures by either pledge() [removing all path promises] or
	unveil() [adding new paths], against namei() inspecting in other
	thread system calls.
  </ul>
  </ul>

<li id="SMP_Improvements">SMP Improvements
  <ul>
  <li>Unlocked sysctl <a href="https://man.openbsd.org/sysctl.2">kern.timeout_stats</a>.
  <li>Unlocked sysctl <a href="https://man.openbsd.org/sysctl.2">kern.allowkmem</a>.
  <li>Unlocked sysctl <a href="https://man.openbsd.org/sysctl.2">kern.video.record</a>.
  <li>Unlocked sysctl <a
	href="https://man.openbsd.org/sysctl.2">net.inet.gre.allow</a> and
	net.inet.gre.wccp.
  <li>Unlocked sysctl <a href="https://man.openbsd.org/sysctl.2">kern.global_ptrace</a>.
  <li>Unlocked sysctl <a href="https://man.openbsd.org/sysctl.2">kern.wxabort</a>.
  <li>Unlocked sysctl <a href="https://man.openbsd.org/sysctl.2">kern.malloc.kmemstat</a>.
  <li>Reduced kernel lock contention when tearing down file-backed regions.
  <li>Unlocked ptsignal, psignal and prsignal by using the ps_mtx <a
	href="https://man.openbsd.org/mutex.9">mutex(9)</a>.
  <li>Used a mutex to make <a
	href="https://man.openbsd.org/psp.4">psp(4)</a> MP safe.
  <li>Locked send socket buffer for <a
	href="https://man.openbsd.org/fstat.2">fstat(2)</a> syscall.
  <li>Made lock changes to reduce lock contention in __thrsleep and
	__thrwakeup syscalls. go performance particularly benefits from this.
  <li>Unlocked <a href="https://man.openbsd.org/virtio.4">virtio(4)</a>.
  <li>Made `video_filtops' MP-safe.
  <li>Run TCP output and TCP timers in parallel.
    <ul>
    <li>TCP <a href="https://man.openbsd.org/send.2">send(2)</a>
	and <a href="https://man.openbsd.org/recv.2">recv(2)</a>
	system calls use shared netlock.
	Multiple userland threads can work on different sockets in
	parallel.
    <li>TCP output no longer blocks IP processing.
    <li>TCP timer also use locks that are specific to the socket they
	are working on, other network traffic can be processed by
	different CPUs.
    <li>Socket splicing is MP-safe for TCP.
    <li>Some of the sysctl syscalls affecting TCP no longer block
	network operations on other CPUs.
    <li>Only TCP input still uses exclusive netlock and prevents
	other parts of the network stack from running in parallel.
    </ul>
  <li>Unlocked <a
	href="https://man.openbsd.org/accept.2">accept(2)</a> for TCP sockets.
  <li>Started using shared net lock when calling <a
	href="https://man.openbsd.org/shutdown.2">shutdown(2)</a> on internet
	socket.
  <li>Reworked rwlocks to reduce pressure on the scheduler and SCHED_LOCK.
  <li>Pushed the KERNEL_LOCK() down to <a
	href="https://man.openbsd.org/namei.9">namei(9)</a> in <a
	href="https://man.openbsd.org/stat.2">stat(2)</a>, lstat(2) &
	fstatat(2) and Unlocked <a href="https://man.openbsd.org/fstat.2">fstat(2)</a>.
  <li>Unlocked <a href="https://man.openbsd.org/wskbd.4">wskbd(4)</a>
	kqueue filterops.
  <li>Used `ws_mtx' <a
	href="https://man.openbsd.org/mutex.9">mutex(9)</a> to make <a
	href="https://man.openbsd.org/wsmux.4">wsmux(4)</a> filterops MP-safe.
  <li>Unlocked <a href="https://man.openbsd.org/open.2">open(2)</a>
	and <a href="https://man.openbsd.org/openat.2">openat(2)</a>.
  <li>Made <a href="https://man.openbsd.org/wsmouse.4">wsmouse(4)</a>
	and wstpad filterops MP-safe.
  <li>Pushed KERNEL_LOCK() inside __realpath(2).
  <li>Made wakeup of parent process in dowait6 reliable even without kernel lock.
  <li>Used ps_mtx <a
	href="https://man.openbsd.org/mutex.9">mutex(9)</a> to lock the child
	process that is being checked by dowait6.
  </ul>

<li>Direct Rendering Manager and graphics drivers
  <ul>
  <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
      to Linux 6.12.21.
  <li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>: Added kernel
      support for Ryzen AI 300 (Strix Point, Strix Halo, Krackan Point),
      Radeon RX 9070 (Navi 48).
  <li><a href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a>: Added
      support for Arrow Lake.
  </ul>

<li>VMM/VMD improvements
  <ul>
  <li>Added an IPI for executing INVEPT to flush EPT on remote CPUs, a
	first step toward allowing guest memory not to be wired by UVM.
  <li>Implemented <a href="https://man.openbsd.org/psp.4">psp(4)</a>
	shutdown command and <a
	href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> PSP_IOC_SHUTDOWN,
	which will be used by <a
	href="https://man.openbsd.org/vmd.8">vmd(8)</a> to reset <a
	href="https://man.openbsd.org/psp.4">psp(4)</a> on startup.
  <li>Started using <a
	href="https://man.openbsd.org/acpipci.4">acpipci(4)</a> on
	hypervisors. If the hypervisor cpuid bit is set, use acpipci to attach
	PCI busses. As virtualization is not that old, we can assume that in
	VMs we don't need the quirk for old, broken ACPI.  This solves
	problems with PCI BAR access and recent SeaBIOS versions on QEMU.
  </ul>

<li>Various new userland features:
  <ul>
  <li>Numerous changes to make the
	<a href="https://man.openbsd.org/imsg_init.3">imsg</a> API
	stricter and better, which were followed
	by adapting all applications across the tree.
  <li>Allow the user to provide an alternative perfpolicy when on
	battery, extending the semantics of hw.perfpolicy to provide two
	buttons to specify desired behavior. This gives users more flexibility
	in setting the performance when AC-powered vs. battery powered.
  <li>Made <a
	href="https://man.openbsd.org/calendar.1">calendar(1)</a> use the
	environment variable RECIPIENT_EMAIL for sending mails to.
  <li>Made <a href="https://man.openbsd.org/security.8">security(8)</a>
	use GMT rather than the local timezone when checking for changes in
	device nodes and setuid files. Avoids false positives when changing
	timezones.
  <li>Added a new variable PASSWDSKIP that can be set in
	/etc/daily.local to prevent <a
	href="https://man.openbsd.org/security.8">security(8)</a> from
	complaining about specific accounts that have no password. This is
	typically used for services like anoncvs and gotd.
  <li>Added [-f file] to <a
	href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> to apply
	<a href="https://man.openbsd.org/sysctl.conf.5">sysctl.conf(5)</a>
	in one go, and started using it in <a
	href="https://man.openbsd.org/rc.8">rc(8)</a> instead of a parser implemented in ksh.
  <li>Added support for read/write of xmm/ymm registers to
        <a href="https://man.openbsd.org/lldb.1">lldb(1)</a>.
  </ul>

<li>Various bugfixes and tweaks in userland:
  <ul>
  <li>Added <a
	href="https://man.openbsd.org/wsconscfg.8">wsconscfg(8)</a> -g option
	to get the index of the current virtual terminal.
  <li>Made <a
	href="https://man.openbsd.org/getgrouplist.3">getgrouplist(3)</a>
	always return the total number of groups found.
  <li>Ignore extra groups that don't fit in the buffer passed to <a
	href="https://man.openbsd.org/getgrouplist.3">getgrouplist(3)</a>,
	providing only the kernel maximum of sixteen groups.
  <li>Prevent <a
	href="https://man.openbsd.org/newsyslog.8">newsyslog(8)</a> from running
	through time checks when an entry needs to be rotated based on size.
  <li>Changed <a href="https://man.openbsd.org/ps.1">ps(1)</a> to print
	the session id (PID of the session leader) instead of a pointer with
	display argument 'sess'.
  <li>In <a href="https://man.openbsd.org/cu.1">cu(1)</a>, map ucom
	unit number to cuaU number using the same scheme MAKEDEV uses, fixing
	problems with ucom units > 10.
  <li>Made CPU frequencies human-readable with <a
	href="https://man.openbsd.org/systat.1">systat(1)</a> sensors -h.
  <li>Fixed a bug where <a
	href="https://man.openbsd.org/getty.8">getty(8)</a> dx flag was
	supposed to set decctlq, but was setting ixany instead.
  <li>Made <a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> run <a
	href="https://man.openbsd.org/ldconfig.8">ldconfig(8)</a> after each
	updateset if the list of shared libraries was changed.
  <li>Corrected behavior of <a
	href="https://man.openbsd.org/sed.1">sed(1)</a> c command to match
	POSIX.
  <li>Make <a href="https://man.openbsd.org/clang.1">clang(1)</a>
	-fzero-call-used-regs aware of the register used by
	retguard. QEMU is using -fzero-call-used-regs, causing a crash.
  <li>Disk partition information is now saved by
	  <a href="https://man.openbsd.org/security.8">security(8).</a>
  <li>Made <a href="https://man.openbsd.org/security.8">security(8)</a>
	ignore <a href="https://man.openbsd.org/quota.1">quota(1)</a> files
	and all subdirectories of /var/mail when checking the ownership and
	mode of mailboxes.
  <li>Added <a
	href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a> support
	for relocatable .pc files.
  <li>Made <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> "-T html"
	and "-T markdown" output translate ".%R RFC &lt;number>" to a
	hyperlink to rfc-editor.org.
  <li>Support decimal fractions like "0.25i" in
	<a href="https://man.openbsd.org/roff.7">roff(7)</a> scaled widths
	and arithmetic operations in
	<a href="https://man.openbsd.org/tbl.7">tbl(7)</a> column widths,
	as needed for some manual pages written with DocBook.
  <li>When <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
	acting as logserver with TLS (-S) and
	client-certificates are used for authentication (-K), use the CN from
	the client's certificate as hostname.
  <li>Adjusted the alignment when
	<a href="https://man.openbsd.org/df.1">df(1)</a> prints inode columns.
	This makes
	'df -hi' on systems with large partitions easier on the eyes.
  <li>Made <a href="https://man.openbsd.org/test.1">test(1)</a> use
	timespeccmp() and st_mtim instead of comparing st_mtime to fix
	comparison of files with modification times that differ by less than a
	second.
  <li>Made <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> use
	timespeccmp() and st_mtim instead of comparing st_mtime to fix
	comparison of files with modification times that differ by less than a
	second.
  <li>In <a href="https://man.openbsd.org/ps.1">ps(1)</a> added a
	digit to vsz and rss to accommodate processes using more memory.
  <li>Updated <a href="https://man.openbsd.org/tzfile.5">tzfile(5)</a>
	to 2025bgtz from https://github.com/JodaOrg/global-tz.
  <li>Updated libc/locale support including
	e.g. <a href="https://man.openbsd.org/wcwidth.3">wcwidth(3)</a>
	and the <a href="https://man.openbsd.org/iswalnum.3">iswalnum(3)</a>
        family of functions to Unicode Version 15.0.0.
  </ul>

<li id="hardware_support">Improved hardware support and driver bugfixes, including:
  <ul>
  <li>Increased <a href="https://man.openbsd.org/psp.4">psp(4)</a> timeouts, allowing the EPYC 9124 time to attach.
  <li>Added PercentLoad sensor to <a href="https://man.openbsd.org/upd.4">upd(4)</a>, reporting the % of the available UPS power drawn by output outlets.
  <li>Fixed RunTimeToEmpty on some EATON models in <a href="https://man.openbsd.org/upd.4">upd(4)</a>.
  <li>Improved the heuristic for detecting I2C devices (making type-A ports on the Vivobook work in ACPI mode).
  <li>Added support for CSI b control sequence (repeat last printed character) to the <a href="https://man.openbsd.org/wscons.4">wscons(4)</a> vt100 emulation.
  <li>Fixed <a href="https://man.openbsd.org/simplefb.4">simplefb(4)</a> colours for BPP16 and BPP24.
  <li>Added support for BPP16 16-bit color EFI framebuffer format as offered by U-Boot.
  <li>Implemented CSI s and CSI u to save and restore cursor position in <a href="https://man.openbsd.org/wscons.4">wscons(4)</a>.
  <li>Made scaling available for normal <a href="https://man.openbsd.org/wsmouse.4">wsmouse.4</a> mice, not just touchpads.
  <li>Added <a href="https://man.openbsd.org/scmi.4">scmi(4)</a> mailbox transport and perf protocol for CPU frequency management on Snapdragon X Elite.
  <li>Moved to send only a single reset during attach for <a href="https://man.openbsd.org/ihidev.4">ihidev(4)</a> devices, preventing issues with some devices like the built-in keyboard on the ThinkPad T14s Gen 6.
  <li>Changed the <a href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> bus power behavior to no longer perform a power-off voltage switch request when the card is already operating at the requested voltage.
  <li>Implemented <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> support for the new CHLS key used to control the battery charge level in newer SMC firmware.
  <li>Added <a href="https://man.openbsd.org/pinctrl.4">pinctrl(4)</a> support to the <a href="https://man.openbsd.org/qciic.4">qciic(4)</a> driver for Qualcomm Snapdragon SoCs.
  <li>Made <a href="https://man.openbsd.org/qcpas.4">qcpas(4)</a> send APM_POWER_CHANGE events on AC/battery life changes, allowing upowerd to react.
  <li>Added <a href="https://man.openbsd.org/qccpucp.4">qccpucp(4)</a>, a driver for the Qualcomm CPUSS Control Processor (CPUCP) mailbox controller.
  <li>Made <a href="https://man.openbsd.org/qcpon.4">qcpon(4)</a> query hardware for the button state to detect release even if the press event is missed, and to signal wakeup when the button is pressed.
  <li>Made qcscm(4) attach at acpi(4). This lets Qualcomm machines which use qcscm(4) access EFI variables in ACPI mode. Some arm64 machines, like the Samsung Galaxy Book4 Edge can be successfully installed with this change.
  <li>Fixed support for AMD 600 series <a href="https://man.openbsd.org/ahci.4">ahci(4)</a> controller.
  <li>Introduce a pckbc@acpi driver attachment that is use instead of pckbc@isa when an interrupt configuration is incompatible with legacy ISA. This unbreaks, among other things, the keyboards in various Chromebooks.
  <li>Implemented <a href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a> power down if the PMIC is marked as the system power controller in the device tree.
  <li>Added RK3399 support to <a href="https://man.openbsd.org/rkusbphy.4">rkusbphy(4)</a>.
  <li>Added <a href="https://man.openbsd.org/dwmmc.4">dwmmc(4)</a> support for the "post-power-on-delay-ms" in the MMC power sequencing.
  <li>Implemented regulator-based signal voltage switch support in <a href="https://man.openbsd.org/dwmmc.4">dwmmc(4)</a>, fixing bootup on the MNT Reform2 with the RK3588 module.
  <li>Added <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a> support for Jabra PanaCast 20.
  <li>Ensure <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a> fills v4l2_capability correctly (allowing some V4L consumers to use bus_info to identify the desired webcam when attempting to switch devices).
  <li>Added <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a> support for devices which report bulk and isochronous endpoints.
  <li>Made <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a> bypass unknown pixelformat to consumer rather than rejecting unknown driver formats.
  <li>Support colorformat from <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a> device.
  <li>Fixed a <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a> crash on close of isochronous endpoint's webcam.
  <li>Ensure <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a> forwards frames with error bit to V4L consumers, which adds support of the integrated camera on ThinkPad T14 Gen 5, ThinkPad X1 Nano Gen 2, ThinkPad X13 and many other devices.
  <li>Forced 32-bit accesses when reading 8-bit or 16-bit registers, allowing use of <a href="https://man.openbsd.org/xhci.4">xhci(4)</a> on a Cadence xHCI controller as seen on the Radxa Orion O6.
  <li>Added USB 3.0 speed support to <a href="https://man.openbsd.org/xhci.4">xhci(4)</a> and <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a>.
  <li>Fixed <a href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> devices that don't support sample rate changes.
  <li>Added LED support for <a href="https://man.openbsd.org/ikbd.4">ikbd(4)</a> keyboards.
  <li>Added <a href="https://man.openbsd.org/mtintc.4">mtintc(4)</a> a driver supporting interrupt controllers found on MediaTek SoCs.
  <li>Added <a href="https://man.openbsd.org/mtrng.4">mtrng(4)</a>, a driver supporting the 32-bit random number generator on MediaTek SoCs.
  <li>Added <a href="https://man.openbsd.org/mtxhci.4">mtxhci(4)</a>, a driver for the xHCI USB controller found on MediaTek SoCs, and enable it on armv7 and arm64.
  </ul>

<li>New or improved network hardware support:
  <ul>
  <li>Added <a href="https://man.openbsd.org/ice.4">ice(4)</a>, a driver for Intel E810 Ethernet devices.
  <li>Increased receive mbuf size with LRO in <a href="https://man.openbsd.org/vio.4">vio(4)</a>, helping TCP splice performance.
  <li>Fixed <a href="https://man.openbsd.org/xbf.4">xbf(4)</a> and <a href="https://man.openbsd.org/xnf.4">xnf(4)</a> not attaching on XCP-ng 8.3/Xen 4.17.
  <li>Added printing of number of queues and interrupt and Ethernet address details to <a href="https://man.openbsd.org/mcx.4">mcx(4)</a>.
  <li>Fixed the <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> receive refill timeout to only refill rings that are currently empty, preventing possible corruption and crashes.
  <li>Added support for AX88772D to <a href="https://man.openbsd.org/axen.4">axen(4)</a>.
  <li>Added <a href="https://man.openbsd.org/ixv.4">ixv(4)</a>, a driver for virtual functions of Intel 82598EB, 82559 and X540.
  <li>Enabled rx/tx checksum offloading on <a href="https://man.openbsd.org/iavf.4">iavf(4)</a>.
  <li>Added RSS/multiqueue support for AQC11x models ("aq2") in <a href="https://man.openbsd.org/aq.4">aq(4)</a>.
  <li>Added support for reading EEPROM pages for <a href="https://man.openbsd.org/aq.4">aq(4)</a> cards with SFP slots.
  <li>Started clearing the OACTIVE flag on transmit queues when <a href="https://man.openbsd.org/ixl.4">ixl(4)</a> is reset.
  </ul>

<li>Added or improved wireless network drivers:
  <ul>
  <li>Added support for MA devices to <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
  <li>Restricted scanned channels appropriately when <a href="https://man.openbsd.org/qwx.4">qwx(4)</a> runs in a fixed PHY mode.
  <li>Add support for QCA2066 to <a href="https://man.openbsd.org/qwx.4">qwx(4)</a>.
  <li>Changed <a href="https://man.openbsd.org/mtw.4">mtw(4)</a> to only open bulk <a href="https://man.openbsd.org/usb.4">usb(4)</a> pipes once for the lifetime of the device.
  </ul>

<li>Installer, upgrade and bootloader improvements:
  <ul>
  <li>On the <a href="https://www.openbsd.org/macppc.html">macppc</a>
	architecture, make ofwboot sync instruction cache before entering
	kernel, preventing a potential boot failure.
<!-- installboot -->
  <li>Made <a
	href="https://man.openbsd.org/installboot.8">installboot(8)</a>
	install a copy of the UEFI bootloader in /efi/openbsd on the EFI
	system partition, allowing creation of boot options for the firmware
	boot manager other OSes will leave alone.
  <li>Only install a second copy of the bootloader if the EFI
	System Partition is at least 1MB to avoid filling up the tiny ESPs we
	used to create a few releases ago.
  <li>Made <a
	href="https://man.openbsd.org/installboot.8">installboot(8)</a> only
	set BootOrder if our boot option isn't already part of it. This means
	sysupgrade (or reinstalls) will no longer set OpenBSD as the default
	OS if users change the boot order by some other means.  Fresh installs
	will still make OpenBSD the default OS.
  <li>Added a -c option <a
	href="https://man.openbsd.org/installboot.8">installboot(8)</a> that
	sets up the machine to boot from the specified disk, used on arm64 and
	amd64 with UEFI and GPT.
<!-- sysupgrade -->
  <li>Added <a
	href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> -R #.#
	to try to use a specific release version rather than the immediate
	+0.1.
  <li>Provided a mechanism for getting required keys to <a
	href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> older
	machines, providing a new set of keybundles signed by older keys to
	allow sysupgrade to securely and automatically download the required
	key.
  <li>Added firmware keys to the signify key bundles. <a
	href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> will now
	extract the firmware key also, allowing fw_update fetch the most
	up-to-date firmware before upgrading.
  <li>Added support to <a
	href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> to
	perform a sysupgrade from a fileset stored on a filesystem. This is
	convenient for offline machines.
<!-- fw_update -->
  <li>Made <a
	href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> -a mean
	all when downloading or installing, not just deleting.
  <li>Allowed <a
	href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> to
	download firmware without root.
  <li>Added <a
	href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> -l flag to
	list drivers or files.
  <li>Added -D option to <a
	href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> for using
	a different dmesg for driver detection.
<!-- installer proper -->
  <li>Reworked the "Default IPv6 router?" question in the installer to
	behave like the other questions.
  <li>On amd64 with ACPI >= 5, assume that the installer booted in
	UEFI mode and default to using a GUID Partition Table (GPT).
  <li>Make IPv6 link-local scope identifiers in "HTTP Server?" answers work in the installer.
<!-- updates/sysmerge -->
  <li>On updates using <a
	href="https://man.openbsd.org/sysmerge.8">sysmerge(8)</a>, added
	options to interactive <a
	href="https://man.openbsd.org/sdiff.1">sdiff(1)</a> merge for choosing
	both sides of a diff.
  </ul>

<li>Security improvements:
  <ul>
  <li>Added sshd-auth to the binaries that relink at boot.
  <li>Split the user authentication code from the sshd-session binary
	into a separate sshd-auth binary. This will be executed by
	sshd-session to complete the user authentication phase of the protocol
	only.  Splitting this code into a separate binary ensures that the
	crucial pre-authentication attack surface has an entirely disjoint
	address space from the code used for the rest of the connection.
  <li>Unveiled <a href="https://man.openbsd.org/mountd.8">mountd(8)</a>
	privileged child's write to/create of
	mountdtab file, and drop exec permission.
  </ul>

<li>New features in the network stack:
  <ul>
  <li>Added an AF_FRAME socket domain and an IFT_ETHER protocol family
	under it, allowing userland to use sockets to send and receive
	Ethernet frames.
  <li>Added tunneldf support to <a href="https://man.openbsd.org/sec.4">sec(4)</a>.
  <li>Added use of Toeplitz hash for UDP and IPv6 TCP output, giving an
	improvement in traffic distribution over the queues and 20%
	performance increase with UDP send on v4/v6 and TCP send on v6 without
	pf.
  <li>Implemented <a href="https://man.openbsd.org/tun.4">tun(4)</a>
	network offloads between the kernel and userland and introduced a new
	TUNSCAP ioctl .
  <li>Implement a per-thread route cache by implementing a thread
	local memory (struct netstack) that gets passed down the network
	stack. For consecutive packets it can reuse the route to the same
	destination.
  </ul>

  <li>Further changes and bugfixes in the network stack:
  <ul>
  <li>Replaced rwlock with iterator in UDP input multicast loop, preventing a potential kernel crash.
  <li>Ensure that the correct address family is used in ip_deliver()
	for enqueuing a packet, fixing a problem with tunneling of different
	address families.
  <li>Let LLDP packets fall through to being handled on the port
	interfaces for <a href="https://man.openbsd.org/aggr.4">aggr(4)</a> as mandated by the standard.
  <li>Enabled multiqueue for <a href="https://man.openbsd.org/vio.4">vio(4)</a>.
  <li>Let <a href="https://man.openbsd.org/pppoe.4">pppoe(4)</a> data
	packets go through if_vinput instead of the pppoeinq, improving
	throughput and possibly reducing packet loss.
  <li>Fixed out-of-band data in <a
        href="https://man.openbsd.org/somove.9">somove(9)</a> socket splicing.
  <li>Added <a href="https://man.openbsd.org/wg.4">wg(4)</a> logging of IP addresses of remote endpoints.
  <li>Limited receive queue of loopback interfaces with 8192 packets,
	preventing unlimited queues from reaching mbuf limits and making
	network unusable on some architectures.
  <li>Fixed TCP checksum for IPv6 packets with extension headers.
  <li>Fixed incorrect ICMP error translation in af-to NAT, making
	traceroute6 behind af-to to provide meaningful information.
  <li>Fixed a 24-year old bug where various checks for broadcast
	packets were mistakenly skipped, allowing one to send broadcast
	packets without the SO_BROADCAST option.
  <li>Prevented installation of path MTU routes for IPsec transport mode SAs.
  </ul>

<li>The following changes were made to the <a
	href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
  <ul>
  <li>Allowed <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
	specification of interface and queue bandwidths greater than ~4Gbit.
  <li>Fixed inpcb leak in <a href="https://man.openbsd.org/divert.4">divert(4)</a> attach.
  </ul>

<li>Routing daemons and other userland network programs saw the following improvements:
<ul>
  <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
	"natt" option that forces negotiation of nat-t (and udpencap).
  <li>Made <a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a> log the username when rejecting by ipcp.
  <li>Added <a
	href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> vxlan
	"[-]endpoint" command, to remove a tunnel endpoint of a MAC address.
  <li>Made <a
	href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> scan display
	wpa3.
  <li>Made <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> print PPPoE tags as hex dumps.
  <li>Improved lldp output of <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>.
  <li>Added support for client certificates to <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>.
  <li>Made <a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> -v show the account URI from the Location header sent by the server in response to the newAccount API call.
  <li>Made <a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> always print account URI on first creation of an account key.
  <li>Added TLS support to <a href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>.
  <li>Started taking into account how long the <a
	href="https://man.openbsd.org/ntpd.8">ntpd(8)</a> DNS probe takes
	before deciding to punt.
  <li>Added <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>
	block list wildcard support using block list entries starting with '.'.
  <li>Implemented zoneversion EDNS option (RFC 9660) in <a
	href="https://man.openbsd.org/dig.1">dig(1)</a>.
  <li>Adjusted rDNS lifetime to RFC 8106 default (minimum) value in <a
	href="https://man.openbsd.org/rad.8">rad(8)</a>.
  <li>Made <a href="https://man.openbsd.org/nfsd.8">nfsd(8)</a> default to UDP when using only -n.
  <li>Implemented <a
	href="https://man.openbsd.org/iscsid.8">iscsid(8)</a> handling of
	HeaderDigest and DataDigest params.
  <li>Made iscsid send out all the values for session and connection
	params for each login stage, keeping control of what is selected,
	making it possible to connect to a lio target.
  <li>Respect checksum offloading in <a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> and <a href="https://man.openbsd.org/dhcrelay6.8">dhcrelay6(8)</a>.
  <li>Respect checksum offloading for incoming UDP in <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>.

  <li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
  <ul>
	<li>Fixed few imprecisions in
	    <a href="https://man.openbsd.org/forward.5">forward(5)</a>
	    with regard to where and when <code>|</code> and
	    <code>:include:</code> are disallowed.
	<li>Fixed the connect filter request documentation in
	    <a href="https://man.openbsd.org/smtpd-filters.7">smtpd-filters(7)</a>.
	<li>Proper handling of permanent failures in
	    <a href="https://man.openbsd.org/mail.lmtp.8">mail.lmtp(8)</a>,
	    previously all failures were considered temporary and so delivery
	    was attempted again.
  </ul>
  <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
  <ul>
  <li>Cache the Adj-RIB-Out for sessions that have not been down for
      more than 1h. This significantly improves synchronisation time
      of peers that flap.
  <li>Implement RFC 8538: Notification Message Support for
      BGP Graceful Restart.
  <li>Add support for RFC 8654, extended messages.
  <li>In bgplgd add additional endpoints to query the Adj-RIB-In and
      Adj-RIB-Out.
  <li>Bump internal message size limit to 128k and handle up to 10 000
      ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile.
  <li>Various improvements to the ibuf API including a new reader API
      which is used to make all message parsing in bgpd memory safe.
  <li>Added support for IPsec and TCP MD5 to RTR sessions.
  <li>Improve default multiproto capability announcement selection.
      The default MP capability is only set if no other capability is
      configured on the neighbor.
  <li>The `reject as-set` configuration option now defaults to yes.
      Route announcements with AS_SET segments in the AS_PATH Attribute
      will be rejected. See draft-ietf-idr-deprecate-as-set-confed-set
      for more information.
  <li>The RFC 8654 Extended Message configuration changed from
      "announce extended (yes|no|enforce)" to
      "announce extended message (yes|no|enforce)"
  <li>RFC 8950 - Extended nexthop encoding support in the RIB.
  <li>Preliminary support for EVPN in the RIB.
  <li>When "transparent-as yes" is set, well-known BGP communities are
      passed on according to RFC 7947. This means that IX Route Servers
      transparently pass through NO_EXPORT, NO_ADVERTISE, etc.
  <li>Make the example bgpd.conf work out of the box with 4byte ASN.
  </ul>

  <li>In <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>,
  <ul>
  <li>The generated BIRD config file was reworked. BIRD versions 1.x are no
  longer supported and the -T option to customize the ROA table name was
  removed. The config file now includes the ASPA-set by default and is
  therefore only compatible with BIRD 2.16 and later. If compatibility
  with older BIRD versions is required, the ASPA-set can be excluded
  with the -A flag. Operators should delete any remaining bird1v4 and
  bird1v6 output files.
  <li>Validated ROA payloads from AS0 TALs are by default excluded from the
  output files as they are not recommended for automatic filtering of
  BGP routes. This precaution can be overridden with the new -0 flag.
  <li>Various improvements to the ibuf API, including a new reader API
  which is used to make all message parsing in rpki-client memory safe.
  <li>Warn about gaps in manifest issuance. Such gaps can appear for example
  if rpki-client isn't run frequently enough, if there are issues with
  an RFC 8181 publication server or if there is an operational error on
  the side of the CA.
  <li>Work around a backward compatibility break accidentally introduced
  in OpenSSL 3.4.0, which resulted in all RPKI signed objects being
  rejected. Earlier and later versions of OpenSSL are not affected.
  <li>Improved validity period checking in file mode. The product's lifetime
  and the expiration time of the signature path are now taken into
  account.
  <li>Better cleanup in case of a fallback from RRDP to RSYNC. In rare
  circumstances, files were moved to the wrong place in the cache.
  <li>rpki-client now includes arin.tal which is no longer
  <a href="https://www.arin.net/announcements/20250116-tal/">legally encumbered</a>.
  <li>rpki-client reports Certification Authorities that do not meaningfully
  participate in the RPKI as non-functional CAs. By definition, a CA is
  non-functional if there is no currently valid Manifest. The number of
  such CAs is printed at the end of each run and more detailed information
  is available in the JSON (-j) and ometrics (-m) output.
  <li>Fix a problem where incorrect internal RRDP state handling in
  rpki-client could lead to a denial of service.
  <li>Termination of rsync child processes with SIGTERM is no longer treated as
  an error if rpki-client has sent this signal. This only affects openrsync.
  <li>Do not exit filemode with an error if a .gbr or a .tak object contains
  control characters in its UTF-8 strings. Instead, only warn and emit a
  sanitized version in JSON output.
  </ul>
</ul><!-- Routing daemons and other userland network improvements -->

<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
  <ul>
  <li>Fixed grey color in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
  <li>Added a way to make the preview larger in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> tree mode.
  <li>Fixed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> problems with pasted text being interpreted as extended keys.
  <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> only use default-shell for popups, returning to /bin/sh for run-shell, if-shell and #().
  <li>Added MSYSTEM to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> default update-environment.
  <li>Added copy-mode-position-format to configure the <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> position indicator.
  <li>Added -y flag to disable <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> confirmation prompts in modes.
  <li>Reworked <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> copy mode commands ("send-keys -X") to parse the arguments so that flags may be detected properly rather than just looking for strings ("-O" and so on). Also added -C and -P flags to the copy commands. -C prevents the commands from sending the text to the clipboard and -P prevents them from adding the text as a paste buffer.
  <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> prompt-cursor-colour and prompt-cursor-style to set the style of the cursor in the command prompt and remove the emulated cursor.
  <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> initial-repeat-time option to allow the first repeat time to be increased and later reduced.
  <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> sixel_support format variable which is 1 if SIXEL is supported (always 0 on OpenBSD).
  <li>Allow control characters prefixed with C-v to be entered at the tmux.1 command prompt.
  <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> support for a scrollbar at the side of each pane using new options pane-scrollbars, pane-scrollbars-positions and pane-scrollbars-styles.
  <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> option to control the input buffer size.
  <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> scrollbar mouse support.
  <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> no-detach-on-destroy client option, useful for control mode clients.
  <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> scrollbar style parameters width and pad.
  <li>Added copy-mode-position-style and copy-mode-selection-style options to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
  <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> option allowing users to override the width of individual Unicode codepoints.
  <li>Fixed mouse_hyperlink format in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> copy mode.
  <li>Added S-Up and S-Down to move windows in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> tree mode.
  <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> correctly skip wide characters in hyperlinks.
  <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> only align panes and windows, not sessions.
</ul>

<li>LibreSSL version 4.1.0
  <ul>
  <li>Portable changes
    <ul>
    <li>Added initial experimental support for loongarch64.
    <li>Fixed compilation for mips32 and reenable CI.
    <li>Fixed CMake builds on FreeBSD.
    <li>Fixed the --prefix option for cmake --install.
    <li>Fixed tests for MinGW due to missing sh(1).
    </ul>
  <li>Internal improvements
    <ul>
    <li>Cleaned up the error implementation.
    <li>Many bug fixes and simplifications in the EC ASN.1 code.
    <li>Corrected DER encoding for EC keys and parameters.
    <li>Polished
      <a href="https://man.openbsd.org/EC_POINT_oct2point.3"
      >EC_POINT_{oct2point,point2oct}(3)</a> internals.
    <li>Rewrote the wNAF code for fast ECDSA verification.
    <li>Improved the code setting compressed coordinates for EC points.
    <li>Reworked CPU capabilities detection for amd64 and aarch64.
    <li>New SHA-1, SHA-256 and SHA-512 assembly implementations for amd64.
      These make use of the SHA-NI instruction if it is available and
      replace the perl-generated assembly optimized for museum pieces.
      These are not yet enabled in libressl-portable.
    <li>New SHA-256 and SHA-512 assembly implementations for aarch64
      making use of the ARM Cryptographic Extension (CE). Not yet
      enabled in libressl-portable.
    <li>New simplified, readable MD5 implementation for amd64.
    <li>Rewrote
      <a href="https://man.openbsd.org/BN_bn2binpad.3">BN_bn2binpad(3)</a>
      and its lebin siblings.
    <li>The BIGNUMs in EC_GROUP and EC_POINT are now heap allocated.
    <li>Rewrote TS_ASN1_INTEGER_print_bio().
    <li>Improved bit counter handling in MD5.
    <li>Simplified and cleaned up the BN_RECP_CTX internals.
    <li>Improved SM4 to match other symmetric ciphers more closely.
    <li>Rewrote <a href="https://man.openbsd.org/X509_NAME_oneline.3"
      >X509_NAME_oneline(3)</a> and X509_NAME_print() using CBS/CBB.
    <li>CRLs are now cached in the issuer cache like certificates.
    <li>Replaced combinations of
      <a href="https://man.openbsd.org/BN_MONT_CTX_new.3"
      >BN_MONT_CTX_new(3)</a>/set with an internal BN_MONT_CTX_create().
    <li>Replaced <a href="https://man.openbsd.org/BN_bn2hex.3">BN_bn2hex(3)</a>
      reimplementation in
      <a href="https://man.openbsd.org/openssl.1#ca">openssl(1) ca</a> with
      a proper API call.
    <li>Fixed integer overflows due to signed shift in obj_dat.c.
    <li>Improved some X509_VERIFY_PARAM internals and avoid an out of
      bounds read from public API.
    <li>Imported ML-KEM 768 and 1024 from BoringSSL (not yet public API).
    </ul>
  <li>Compatibility changes
    <ul>
    <li>Added an OPENSSL_INIT_NO_ATEXIT flag for
      <a href="https://man.openbsd.org/OPENSSL_init_crypto.3"
      >OPENSSL_init_crypto(3)</a>.
      It has no effect since LibreSSL doesn't call
      <a href="https://man.openbsd.org/atexit.3">atexit(3)</a>.
    <li>Elliptic curve parameters are only accepted if they encode a
      built-in curve.
    <li>EC_METHOD is no longer public and the API exposing it has been
      removed.  This includes
      <a href="https://man.openbsd.org/OpenBSD-7.6/EC_GROUP_new.3"
      >EC_GROUP_new(3)</a>,
      <a href="https://man.openbsd.org/OpenBSD-7.6/EC_GFp_mont_method.3"
      >EC_GFp_mont_method(3)</a>,
      <a href="https://man.openbsd.org/OpenBSD-7.6/EC_GROUP_method_of.3"
      >EC_GROUP_method_of(3)</a>, and EC_METHOD_get_field_type().
    <li>The precomputation stubs for EC_GROUP were removed.
    <li>The API setting Jacobian projective coordinates for a point was
      removed as were
      <a href="https://man.openbsd.org/OpenBSD-7.6/EC_POINTs_mul.3"
      >EC_POINTs_{mul,make_affine}(3)</a>.
    <li>All elliptic curves over fields with less than 224 bits and a
      few more were removed from the built-in curves. This includes
      all WTLS curves and P-192.
    <li>It is no longer necessary to set RSA_FLAG_SIGN_VER to use the
      sign and verify handlers set with
      <a href="https://man.openbsd.org/RSA_meth_set_sign.3"
      >RSA_meth_set_{sign,verify}</a>.
    <li>Removed the -C option to generate "C code" from the
      <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
      dh, dhparam, dsaparam, ecparam, and x509 subcommands.
    <li>Removed #error in headers when OPENSSL_NO_* is defined.
    <li><a href="https://man.openbsd.org/CRYPTO_set_mem_functions.3"
      >CRYPTO_set_mem_functions(3)</a> now matches OpenSSL 1.1 and
      CRYPTO_set_mem_ex_functions() was removed.
    <li>The tls_session_secret_cb_fn type now matches OpenSSL 1.1.
    <li>Unexport
      <a href="https://man.openbsd.org/OpenBSD-7.6/X509_NAME_print.3"
      >X509_NAME_print(3)</a> and
      <a href="https://man.openbsd.org/OpenBSD-7.6/X509_OBJECT_up_ref_count.3"
      >X509_OBJECT_up_ref_count(3)</a>.
    <li>const corrected
      <a href="https://man.openbsd.org/UI_OpenSSL.3">UI_OpenSSL(3)</a> and
      <a href="https://man.openbsd.org/BN_MONT_CTX_copy.3"
      >BN_MONT_CTX_copy(3)</a>.
    <li>Support OPENSSL_NO_FILENAMES.
    <li>Support SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.
    <li>Export PKCS12_key_gen_uni() again.
    </ul>
  <li>New features
    <ul>
    <li>libtls has a new
      <a href="https://man.openbsd.org/tls_peer_cert_common_name.3"
      >tls_peer_cert_common_name(3)</a> API call to retrieve
      the peer's common name without having to inspect the PEM.
    </ul>
  <li>Bug fixes
    <ul>
    <li>Plugged a leak in eckey_compute_pubkey().
    <li>Again allow the magic values -1, -2 and -3 for the salt length
      of an RSA-PSS key in the
      <a href="https://man.openbsd.org/EVP_PKEY_CTX_ctrl_str.3"
      >EVP_PKEY_CTX_ctrl_str(3)</a> interface.
    <li>Fixed a few memory leaks in legacy code.
    </ul>
  <li>Documentation
    <ul>
    <li>The remaining undocumented public
      <a href="https://man.openbsd.org/evp.3">EVP</a> API is now documented.
    <li>Reorganization of existing documentation for clarity and accuracy.
    </ul>
  <li>Testing and proactive security
    <ul>
    <li>Improved regress coverage of the EC code.
    </ul>
  </ul>

<li>OpenSSH 10.0
  <ul>
  <li>Security fixes
    <ul>

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>:
      fix the DisableForwarding directive, which was failing
      to disable X11 forwarding and agent forwarding as documented.
      X11 forwarding is disabled by default in the server and agent
      forwarding is off by default in the client.
    </ul>
  <li>Potentially incompatible changes
    <ul>
    <li>This release removes support for the weak DSA signature
    algorithm, completing the deprecation process that began in
    2015 (when DSA was disabled by default) and repeatedly warned
    over the last 12 months.

    <li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>, <a
    href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: pass "ControlMaster
    no" to ssh when invoked by scp &amp; sftp. This disables implicit
    session creation by these tools when ControlMaster was set to yes/auto
    by configuration, which some users found surprising. This change will
    not prevent scp/sftp from using an existing multiplexing session if
    one had already been created.

    <li>This release has the version number 10.0 and announces itself as
    "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
    patterns like "OpenSSH_1*" may be confused by this.

     <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: this
     release removes the code responsible for the user authentication
     phase of the protocol from the per- connection sshd-session binary to
     a new sshd-auth binary.  Splitting this code into a separate binary
     ensures that the crucial pre-authentication attack surface has an
     entirely disjoint address space from the code used for the rest
     of the connection. It also yields a small runtime memory saving as
     the authentication code will be unloaded after the authentication
     phase completes. This change should be largely invisible to users,
     though some log messages may now come from "sshd-auth" instead of
     "sshd-session". Downstream distributors of OpenSSH will need to
     package the sshd-auth binary.

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: this
      release disables finite field (a.k.a modp) Diffie-Hellman key
      exchange in sshd by default. Specifically, this removes the
      "diffie-hellman-group*" and "diffie-hellman-group-exchange-*"
      methods from the default KEXAlgorithms list. The client is unchanged
      and continues to support these methods by default. Finite field
      Diffie Hellman is slow and computationally expensive for the same
      security level as Elliptic Curve DH or PQ key agreement while
      offering no redeeming advantages. ECDH has been specified for
      the SSH protocol for 15 years and some form of ECDH has been the
      default key exchange in OpenSSH for the last 14 years.

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: this
      release removes the implicit fallback to compiled- in groups for
      Diffie-Hellman Group Exchange KEX when the moduli file exists
      but does not contain moduli within the client- requested range.
      The fallback behaviour remains for the case where the moduli file
      does not exist at all. This allows administrators more explicit
      control over which DH groups will be selected, but can lead to
      connection failures if the moduli file is edited incorrectly.

    </ul>

  <li>New features
    <ul>

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: the hybrid
     post-quantum algorithm mlkem768x25519-sha256
     is now used by default for key agreement. This algorithm is considered
     to be safe against attack by quantum computers, is guaranteed to
     be no less strong than the popular curve25519-sha256 algorithm,
     has been standardised by NIST and is considerably faster than the
     previous default.

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: prefer AES-GCM
     to AES-CTR mode when selecting a cipher for the connection. The
     default cipher preference list is now ChaCha20/Poly1305, AES-GCM
     (128/256) followed by AES-CTR (128/192/256).

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add %-token
     and environment variable expansion to the ssh_config SetEnv directive.

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: allow %-token
     and environment variable expansion in the ssh_config User directive,
     with the exception of %r and %C which would be self-referential.

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a
     href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: add "Match version"
     support to ssh_config and sshd_config. Allows matching on the local
     version of OpenSSH, e.g. "Match version OpenSSH_10.*".

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add support
     for "Match sessiontype" to ssh_config.  Allows matching on the type of
     session initially requested, either "shell" for interactive sessions,
     "exec" for command execution sessions, "subsystem" for subsystem
     requests, such as sftp, or "none" for transport/forwarding-only
     sessions.

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add support
     for "Match command ..." support to ssh_config, allowing matching on
     the remote command as specified on the command-line.

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: allow 'Match
     tagged ""' and 'Match command ""' to match empty tag and command
     values respectively.

     <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: allow
     glob(3) patterns to be used in sshd_config AuthorizedKeysFile and
     AuthorizedPrincipalsFile directives.

     <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: support the
     VersionAddendum in the client, mirroring the option of the same name
     in the server.

     <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: the
     agent will now delete all loaded keys when signaled with SIGUSR1. This
     allows deletion of keys without having access to $SSH_AUTH_SOCK.

     <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
     support FIDO tokens that return no attestation data, e.g. recent
     WinHello.

     <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: add
     a "-Owebsafe-allow=..." option to allow the default FIDO application
     ID allow-list to be overridden.

     <li>Add a work-in-progress tool to verify FIDO attestation blobs
     that ssh-keygen can optionally write when enrolling FIDO keys.
     This tool is available under regress/misc/ssh-verify-attestation
     for experimentation but is not installed by "make install".

     <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
     allow "-" as output file for moduli screening.

    </ul>
  <li>Bugfixes
    <ul>
      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: remove
      assumption that the sshd_config and any configs
      it includes can fit in a (possibly enlarged) socket buffer.  Previously
      it was possible to create a sufficiently large configuration
      that could cause sshd to fail to accept any connection. <a
      href='https://man.openbsd.org/sshd.8'>sshd(8)</a> will now actively
      manage sending its config to the sshd-session sub-process.

      <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: don't start
      the ObscureKeystrokeTiming mitigations if there has been traffic
      on a X11 forwarding channel recently.  Should fix X11 forwarding
      performance problems when this setting is enabled.

      <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: prohibit the
      comma character in hostnames accepted, but allow an underscore as
      the first character in a hostname.

      <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: set
      high-water when resuming a "put". Prevents bogus "server reordered
      acks" debug message.

      <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a
      href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix regression in
      openssh-9.8, which would fail to accept "Match criteria=argument" as
      well as the documented "Match criteria argument" syntax in ssh_config
      and sshd_config.

      <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>, <a
      href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix a number possible
      NULL dereference bugs, including Coverity CIDs 405019 and 477813.

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix
      PerSourcePenalty incorrectly using "crash" penalty when LoginGraceTime
      was exceeded.

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix "Match
      invalid-user" from incorrectly being activated in initial configuration
      pass when no other predicates were present on the match line

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix debug
      logging of user specific delay.

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: improve
      debug logging across sub-process boundaries.
      Previously some log messages were lost early in the sshd-auth and
      sshd-session processes' life.

      <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: require
      control-escape character sequences passed via the '-e ^x' command-line
      to be exactly two characters long. Avoids one byte out-of-bounds read
      if ssh is invoked as "ssh -e^ ..."

      <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a
      href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: prevent integer
      overflow in X11 port handling.  These are theoretically possible if
      the admin misconfigured X11DisplayOffset or the user misconfigures
      their own $DISPLAY, but don't happen in normal operation.

      <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
      don't mess up ssh-keygen -l output when the file contains CR
      characters.

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>:
      add rate limits to logging of connections dropped by
      PerSourcePenalties. Previously these could be noisy in logs.

      <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix argument
      of "Compression" directive in ssh -G config dump, which regressed
      in openssh-9.8.

      <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix a
      corner-case triggered by UpdateHostKeys when sshd refuses to accept
      the signature returned by an agent holding host keys during the hostkey
      rotation sub-protocol. This situation could occur in situations where
      a PKCS#11 smartcard that lacked support for particular signature
      algorithms was used to store host keys.

      <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
      when using RSA keys to sign messages with "ssh-keygen -Y", select
      the signature algorithm based on the requested hash algorithm
      ("-Ohashalg=xxx"). This allows using something other than the default
      of rsa-sha2-512, which may not be supported on all signing backends,
      e.g. some smartcards only support SHA256.

      <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
      <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>, <a
      href='https://man.openbsd.org/ssh-keyscan.1'>ssh-keyscan(1)</a>:
      fix ML-KEM768x25519 KEX on big-endian systems.

      <li>Many regression and interop test improvements.
    </ul>
  </ul>

<li>Ports and packages:
  <p>Many pre-built packages for each architecture:
  <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
  <ul style="column-count: 3">
    <li>aarch64:    12446
    <li>amd64:      12593
    <li>arm:        xxx
    <li>i386:       10429
    <li>mips64:     8635
    <li>powerpc:    xxx
    <li>powerpc64:  7501
    <li>riscv64:    xxx
    <li>sparc64:    9080
  </ul>

  <p>Some highlights:
  <ul style="column-count: 3"><!-- checked 2025-04-12 -->
    <li>Asterisk 16.30.1, 18.26.1, 20.13.0 and 22.3.0
    <li>Audacity 3.7.3
    <li>CMake 3.31.6
    <li>Chromium 135.0.7049.52
    <li>Emacs 30.1
    <li>FFmpeg 6.1.2
    <li>GCC 8.4.0 and 11.2.0
    <li>GHC 9.8.3
    <li>GNOME 47
    <li>Go 1.24.1
    <li>JDK 8u442, 11.0.26, 17.0.14 and 21.0.6
    <li>KDE Applications 24.12.3
    <li>KDE Frameworks 6.12.0
    <li>KDE Plasma 6.3.3
    <li>Krita 5.2.9
    <li>LLVM/Clang 13.0.0, 16.0.6, 18.1.8 and 19.1.7
    <li>LibreOffice 25.2.1.2
    <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.7
    <li>MariaDB 11.4.5
    <li>Mono 6.12.0.199
    <li>Mozilla Firefox 137.0 and ESR 128.9.0
    <li>Mozilla Thunderbird 128.9.0
    <li>Mutt 2.2.14 and NeoMutt 20250113
    <li>Node.js 22.14.0
    <li>OCaml 4.14.2
    <li>OpenLDAP 2.6.9
    <li>PHP 8.2.28, 8.3.19 and 8.4.5
    <li>Postfix 3.10.1
    <li>PostgreSQL 17.4
    <li>Python 2.7.18 and 3.12.9
    <li>Qt 5.15.16 (+ kde patches) and 6.8.2
    <li>R 4.4.2
    <li>Ruby 3.2.8, 3.3.7 and 3.4.2
    <li>Rust 1.86.0
    <li>SQLite 3.49.1
    <li>Shotcut 25.01.25
    <li>Sudo 1.9.16p1
    <li>Suricata 7.0.7
    <li>Tcl/Tk 8.5.19 and 8.6.16
    <li>TeX Live 2024
    <li>Vim 9.1.1265 and Neovim 0.10.4
    <li>Xfce 4.20.0
  </ul>
  <p>

<li>As usual, steady improvements in manual pages and other documentation.

<li>The system includes the following major components from outside suppliers:
  <ul><!-- updated 2025-04-12 -->
    <li>Xenocara (based on X.Org 7.7 with xserver 21.1.16 + patches,
        freetype 2.13.3, fontconfig 2.15.0, Mesa 23.3.6, xterm 395,
        xkeyboard-config 2.20, fonttosfnt 1.2.4 and more)
    <li>LLVM/Clang 16.0.6 (+ patches)
    <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    <li>Perl 5.40.1 (+ patches)
    <li>NSD 4.9.1
    <li>Unbound 1.22.0
    <li>Ncurses 6.4
    <li>Binutils 2.17 (+ patches)
    <li>Gdb 6.3 (+ patches)
    <li>Awk 20250116
    <li>Expat 2.7.1
    <li>zlib 1.3.1 (+ patches)
  </ul>
</ul>
</section>

<hr>

<section id="install">
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 7.7 on your machine:

<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/alpha/INSTALL.alpha">
	.../OpenBSD/7.7/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/amd64/INSTALL.amd64">
	.../OpenBSD/7.7/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/arm64/INSTALL.arm64">
	.../OpenBSD/7.7/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/armv7/INSTALL.armv7">
	.../OpenBSD/7.7/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/hppa/INSTALL.hppa">
	.../OpenBSD/7.7/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/i386/INSTALL.i386">
	.../OpenBSD/7.7/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/landisk/INSTALL.landisk">
	.../OpenBSD/7.7/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/loongson/INSTALL.loongson">
	.../OpenBSD/7.7/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/luna88k/INSTALL.luna88k">
	.../OpenBSD/7.7/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/macppc/INSTALL.macppc">
	.../OpenBSD/7.7/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/octeon/INSTALL.octeon">
	.../OpenBSD/7.7/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/powerpc64/INSTALL.powerpc64">
	.../OpenBSD/7.7/powerpc64/INSTALL.powerpc64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/riscv64/INSTALL.riscv64">
	.../OpenBSD/7.7/riscv64/INSTALL.riscv64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.7/sparc64/INSTALL.sparc64">
	.../OpenBSD/7.7/sparc64/INSTALL.sparc64</a>
</ul>
</section>

<hr>

<section id="quickinstall">
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

<h3>OpenBSD/alpha:</h3>

<p>
If your machine can boot from CD, you can write <i>install77.iso</i> or
<i>cd77.iso</i> to a CD and boot from it.
Refer to INSTALL.alpha for more details.

<h3>OpenBSD/amd64:</h3>

<p>
If your machine can boot from CD, you can write <i>install77.iso</i> or
<i>cd77.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install77.img</i> or
<i>miniroot77.img</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

<h3>OpenBSD/arm64:</h3>

<p>
If your machine can boot from CD, you can write <i>install77.iso</i> or
<i>cd77.iso</i> to a CD and boot from it.

<p>
To boot from disk, write <i>install77.img</i> or <i>miniroot77.img</i> to a
disk and boot from it after connecting to the serial console.  Refer to
INSTALL.arm64 for more details.

<h3>OpenBSD/armv7:</h3>

<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console.  Refer to INSTALL.armv7 for more details.

<h3>OpenBSD/hppa:</h3>

<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.

<h3>OpenBSD/i386:</h3>

<p>
If your machine can boot from CD, you can write <i>install77.iso</i> or
<i>cd77.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install77.img</i> or
<i>miniroot77.img</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

<h3>OpenBSD/landisk:</h3>

<p>
Write <i>miniroot77.img</i> to the start of the CF
or disk, and boot normally.

<h3>OpenBSD/loongson:</h3>

<p>
Write <i>miniroot77.img</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.

<h3>OpenBSD/luna88k:</h3>

<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

<h3>OpenBSD/macppc:</h3>

<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.

<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/7.7/macppc/bsd.rd</i>

<h3>OpenBSD/octeon:</h3>

<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

<h3>OpenBSD/powerpc64:</h3>

<p>
To install, write <i>install77.img</i> or <i>miniroot77.img</i> to a
USB stick, plug it into the machine and choose the <i>OpenBSD
install</i> menu item in Petitboot.
Refer to the instructions in INSTALL.powerpc64 for more details.

<h3>OpenBSD/riscv64:</h3>

<p>
To install, write <i>install77.img</i> or <i>miniroot77.img</i> to a
USB stick, and boot with that drive plugged in.
Make sure you also have the microSD card plugged in that shipped with the
HiFive Unmatched board.
Refer to the instructions in INSTALL.riscv64 for more details.

<h3>OpenBSD/sparc64:</h3>

<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.

<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy77.img</i> or <i>floppyB77.img</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<p>
You can also write <i>miniroot77.img</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.

<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>

<hr>

<section id="upgrade">
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 7.6 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade77.html">Upgrade Guide</a>.
</section>

<hr>

<section id="sourcecode">
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout.  Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>

<hr>

<section id="ports">
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided.  To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point.  This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_7</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 7.7 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to know.
</section>
</body>
</html>