I'm mHappy Because Everyone Loves Me
Released Oct 16, 2023. (55th OpenBSD release)

Copyright 1997-2023, Theo de Raadt.

Artwork by Jessica Scott.

  • See the information on the FTP page for
    a list of mirror machines.
  • Go to the pub/OpenBSD/7.4/ directory on
    one of the mirror sites.
  • Have a look at the 7.4 errata page for a list
    of bugs and workarounds.
  • See a detailed log of changes between the
    7.3 and 7.4 releases.
  • signify(1)
    pubkeys for this release:
    RWRoyQmAD08ajTqgzK3UcWaVlwaJMckH9/CshU8Md5pN1GoIrcBdTF+c RWTRA9KXRuZKunpXYK0ed5OxbE0K7rYWpDnTu+M8wZdqzRroFqed0U6I RWR/h7gubZ9M/O46RNy3PzLTPevOCK24LGCPca41IHMwSH4YuVA+jnWO RWQqty2voy8V8afR9/v2RzuNr7r4y9cKwljABN7Tytd7JcPdBjnXg0Ue

All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.

What’s New

This is a partial list of new features and systems included in OpenBSD 7.4.
For a comprehensive list, see the changelog leading
to 7.4.

  • Various kernel improvements:
    • On arm64, show BTI and SBSS features in
    • New kqueue1(2)
      system call supporting the O_CLOEXEC flag.
    • Map device tree read/write to unbreak root on
    • Correctly recognize umass(4)
      floppy disk devices as floppy disks.
    • In wscons(4),
      catch up with box drawing characters which have
      been standardized in unicode after the original wscons code was
      written and chose placeholder values.
    • In wscons(4),
      make sure we do not increase the escape sequence argument count beyond
      usable bounds.
    • Implement dt(4)
      support on amd64 and i386.
    • Correct undefined behavior when using MS-DOS filesystems, fixes imported from FreeBSD.
    • Make the softdep
      mount(8) option a no-op.
      Softdep was a significant impediment to improving the vfs layer.
    • Allow unveil(2)ed
      programs to dump core(5)
      into the current working directory.
    • Address incomplete validation of ELF program headers in execve(2).
    • On arm64, use the deep idle state available on Apple M1/M2 cores
      in the idle loop and for suspend, resulting in power savings.
    • Update AMD CPU microcode if a newer patch is available.
    • Enable a workaround for the ‘Zenbleed’ AMD CPU bug.
    • Report speculation control bits in
      dmesg(8) CPU lines.
    • To give the primary CPU an opportunity to perform clock interrupt
      preparation in a machine-independent manner we need to separate the
      “initialization” parts of cpu_initclocks() from the “start the clock
      interrupt” parts. Separate cpu_initclocks() from cpu_startclock().
    • Fix a problem where CPU time accounting and RLIMIT_CPU was
      unreliable on idle systems.
    • Improve the output of the “show proc” command of the kernel
      debugger ddb(4) and show
      both the PID and TID of the proc.
  • SMP Improvements
    • Rewrite pfsync(4),
      in particular to improve locking and to help with unlocking more
      of pf(4) and with
      parallelisation of the network stack in the future.
      The protocol remains compatible with the older version.
    • Remove kernel locks from the ARP input path.
    • Pull MP-safe arprequest() out of kernel lock.
    • Remove the kernel lock from IPv6 neighbor discovery.
    • Unlock more parts of ioctl(2) and the routing code in the network
  • Direct Rendering Manager and graphics drivers
    • Update drm(4)
      to Linux 6.1.55.
    • Don’t change end marker in sg_set_page(). Caused bad memory accesses
      when using page flipping on Alder Lake and Raptor Lake.
  • VMM/VMD improvements
    • Allowed vmm(4) guests to
      enable and use supervisor IBT.
    • Suppressed AMD hardware p-state visibility to
      vmm(4) guests.
    • Avoid use of uninitialised memory in
    • Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm
      object to be transmitted over an ipc channel.
    • Cleaned up file descriptor closing in
      vmd(8) vmm process.
    • Fixed vm send/receive, restoring device virtqueue addresses on
    • Introduced execvp(3)
      after fork for child vm processes.
    • No longer generate an error in
      vmd(8) if
      vm.conf(5) is absent.
    • Split vmm(4) into MI/MD
    • Introduced multi-process model for
      vmd(8) virtio block and
      network devices.
    • Allowed vm owners to override boot kernel when using
      vmctl(8) to start a
    • Changed staggered start of vms to number of online CPUs.
    • Fixed a segfault on vm creation.
    • Switched to anonymous shared memory mappings for
      vmd(8) vm processes,
      introducing a new vmm(4)
    • Relaxed absolute path requirements for
      vmd(8) configtest mode (-n).
    • Adjusted shutdown logic by vm id to function similarly as by name.
    • Moved validation of local network prefixes for the internal
      vmd(8) DHCP service into
      the config parser.
    • Fixed QCOW2 base images when used with the
      vmd(8) multi-process device
    • Fixed setting verbose logging in child processes.
    • Fixed a race condition related to the emulated i8259 interrupt controller
      by ignoring interrupt masks on assert.
    • Inlined pending interrupts in the
      ioctl(2) for running the
      vcpu, reducing vm latency.
    • Added zero-copy, vectored io to the
      vmd(8) virtio block device.
    • Changed to logging vmd(8)
      vm ids in the vcpu run loop on error and not the ids used by
    • Fixed a vm pause deadlock.
    • Changed vmd(8) logging format
      to disambiguate vm and device process by names and indices.
    • Fixed dynamically toggling verbose logging mode with
  • Various new userland features:
    • New ISO C11 header declaring the
      types char32_t and char16_t and the
      functions c32rtomb(3),
      c16rtomb(3), and
    • Introduce a new malloc(3)
      option D
      for memory leak detection with
      ktrace(1) and
    • Support ${.VARIABLES} in
      listing the names of all global variables that have been set.
    • New kdump(1)
      -u option to select
      tracepoints by label.
    • In openrsync(1),
      support the options --size-only and
    • Update zoneinfo
      to tzdata2023c.
    • Accept the ucom(4) fixed
      name format as a valid format for the
      cu(1) -l option.
    • In cron(8) and
      add support for random offsets when
      using ranges with a step value in cron. This extends the random range
      syntax to support step values. Instead of choosing a random number
      between the high and low values, the field is treated as a range with
      a random offset less than the step value. This can be used to avoid
      thundering herd problems where multiple machines contact a server all
      at the same time via cron jobs.
    • Extend and improve the
      ibuf API in libutil
      and add functions for more specific data types,
      for modifying data at specific
      offsets, for getting and setting the file descriptor stored on the ibuf
      and for efficient wrapping of ibufs into imsgs. The ibuf API is
      mostly used in network daemons.
    • In wsconsctl(8),
      add button mappings for two- and three-finger clicks on clickpads.
  • Various bugfixes and tweaks in userland:
    • In pax(1) and
      do not open files that will be skipped,
      speeding up archive creation when many files are skipped.
    • In pax(1),
      tar(1), and
      cpio(1) terminal
      output, escape non-printable characters in messages that may
      include file names, and truncate times to the correct maximum value.
    • Better diagnostics from
      when a makefile exists but cannot be opened.
    • Prevent a buffer underflow in
      that could occur with lines longer than 32kB.
    • Prevent a segmentation fault in
      that occurred when a patch specified a file name so long that
      basename(3) failed.
    • Prevent a read buffer overrun in
      that could occur when a patch specified a file name ending in a slash.
    • Let stat(1)
      correctly print mtimes after 2038.
    • Refactoring and documenting of
      fdisk(8) code,
      to make it easier to maintain.
    • fdisk(8)
      no longer adds extra blanks at the end of lines, eliminating
      spurious line wrapping.
    • In clang(1),
      allow out-of-class defaulting of comparison operators,
      by ways of backporting an upstream commit.

    • Many changes in mg(1):
      • New command
        to change the tabulator width on a per-buffer basis.
      • Let the space-to-tabstop command move to the right
        position even if the line contains tabs, control characters,
        or non-ASCII bytes.
      • Fall back to /bin/sh if $SHELL is undefined.
      • Fix parsing of tag
        with duplicate entries.
        Instead of erroring out, ignore duplicates. Fixes using
        /var/db/libc.tags again.
      • Change the visit-tags-table command to immediately
        load the tag file, and drop the lazy mechanics.
      • Do not leak memory in
        if it fails to switch buffers.
      • Fix a read buffer overrun caused by
        -u arguments
        longer than 1023 bytes.
      • Fix a write buffer overrun on the stack caused by
        blink-and-insert matching a very long line
        that is not currently visible in the window.
      • Skip checking permissions of conffile with
      • Resurrect
        and add it to the list of modes that can
        be set with
    • Fix a segfault when the
      simple editor encounters an incomplete partition line.
    • Fix disklabel(8)
      handling of templates with partitions after a “N-* 100” entry.
    • Enable disklabel(8)
      regress tests to work on sparc64.
    • Fix fdisk(8)
      initialization of CHS/LBA fields in an MBR, allowing machines with
      a BIOS that uses CHS to boot from disks >8G.
    • Retire disklabel(8)
      -E expert mode.
    • When displaying GPT partition attributes
      fdisk(8) prefixes
      Microsoft partition attribute names with ‘MS’.
    • In the absence of the ‘disktype’ command line parameter
      always uses the current media type provided by the kernel.
    • Ensure fdisk(8) handles
      the case where a GPT partition name is not a valid C string.

    • When creating new crypto volumes with
      by default use a hardware based number of KDF rounds for passphrases.
    • Let bioctl(8)
      gracefully prompt again during interactive creation and
      passphrase change on CRYPTO and 1C volumes.
    • Let bioctl(8)
      read passphrases without prompts or confirmation
      in -s mode, allowing non-interactive use.

    • Allow the atactl(8)
      command readattr
      to succeed even for disks where ATA_SMART_READ and
      ATA_SMART_THRESHOLD revisions mismatch, as long as
      checksums are OK.
    • In, treat
      symlinks in $ORIGIN determination the same way as other OS linkers do.
    • In,
      avoid an overflow in the ELF SYSV ABI hash function.
    • Make sure modf(3) and
      return correct values for infinities.
    • Do not fail in
      ober_scanf_elements(3) when encountering empty sequences.
    • Remove broken special handling of test -t in
    • The caching mechanism used by
      to speed up pkg_add -u now also works if -stable packages
      are available.
    • Significantly increase the speed of pkg-config(1).
    • In seq(1),
      fix a check for rounding error and truncation.
    • In cron(8),
      introduce upstream fixes in the handling of @yearly, @monthly,
      @weekly, @daily and @hourly entries.
    • Fix a bug in cron(8) where whitespace
      after usernames would not be completely skipped while parsing the
      crontab(5) file.
    • Make rcctl(8)
      check if a daemon exists before trying to disable it, thereby avoiding
      parsing and printing of bogus characters.
    • Print to the console the fingerprint of a newly generated ssh(1) host key of the
      preferred type (currently ED25519), typically when booting for the
      first time. This simplifies a secure first ssh connection to a
      freshly installed machine.
  • Improved hardware support and driver bugfixes, including:
    • Add rkiovd(4),
      a driver for the I/O voltage domains on Rockchip SoCs.
    • Add support for TEMPerGold 3.4 temperature sensor to
    • Add qcrng(4),
      a driver for the Qualcomm RNG device found on the ThinkPad X13s.
    • Add rkusbphy(4),
      a driver for the usb2phy on Rockchip SoCs.
    • Support AP806/CP110 SoCs in
    • Add dwmshc(4)
      to support Designware Mobile Storage Host Controllers
      found on rk356x and rk3588 SoCs.
    • Add iosf(4),
      a driver for the Intel OnChip System Fabric.
    • Add support for the RTL8153D chipset in
    • Add support for the Peripheral Authentication Service SMC
      interface in qcscm(4).
    • Add qcmtx(4),
      a driver for the hardware spinlock on Qualcomm
      SoCs that is used to synchronize access to the shared memory table.
    • Add qcsmptp(4),
      a driver to share 32-bit values between (co-)processors.
    • Add qcaoss(4),
      a driver for the Always On Subsystem found on Qualcomm SoCs.
    • Add qcpas(4),
      a driver for the Peripheral Authentication Service
      found on Qualcomm SoCs. Enable AC detection.
    • Add qctsens(4),
      a driver for the Temperature Sensor found on Qualcomm SoCs.
    • Add driver qccpu(4)
      for QC CPU Power States.
    • Add qcsdam(4),
      a driver for the PMIC Shared Direct Access Memory found on
      Qualcomm SoCs.
    • Add stfrng(4), a
      driver for the random number generator on the StarFive JH7110 SoC.
    • Add support for the PCIe controller on the JH7110 SoC with stfpciephy(4)
    • New sysctl(2)
      nodes for battery management, hw.battery.charge*.
      Support them with
      and aplsmc(4).
    • Define fixed names for
      ucom(4) USB serial
      ports, display them in attach messages and via the new
    • Add support for the RK3568 32k RTC, RK3588, and other clocks in
    • In dwpcie(4),
      attach Baikal-M PCIe.
    • In openfirmware, implement regulator notifiers which get called
      when the voltage/current for a regulator is changed or when the
      regulator gets initialized when it attaches for the first time. The
      latter makes it possible to register a notifier for a regulator that
      hasn’t attached yet.
    • Ignore duplicate ACPI lid transitions as they can happen on Dell
      Precision 5510 systems.
    • Make RK3568 PCIe controllers run at the maximum possible speed
      by using dwpcie_link_config() when initializing.
    • In the Universal Flash Storage Host Controller Interface
      enable Force Unit Access (FUA) for write commands.
    • Make SATA (ahci(4))
      work on a Banana Pi BPI-R2 Pro.
    • In umcs(4), set
      parity bits correctly.
    • Enable the caps lock LED on modern Apple laptop keyboards.
    • Add support for Rockchip “cryptov2-rng” random number generator in
    • Fix cpuperf on the Apple M2 Pro/Max.
    • Add support for the PCIe controller found on Apple M2 Pro/Max SoCs.
    • Add support for enabling both the USB2 and USB3 PHYs in
      xhci(4) with device tree.
    • In the SCSI tape driver
      st(4), add support
      for I/O statistics so that tape speeds can be observed with
    • Fix use of MMC/SD/SDIO on RK3588 ARM SoC in
    • Support thermal sensors on Ryzen 9 79xx in
    • Add support for JH7110 to
      making eMMC and microSD mostly work on the Starfive VisionFive 2.
    • Add support for the RK3588 PCIe3 PHY to
      The PHY controls 4 lanes that can be routed to 4 of 5 PCIe controllers.
    • Add mute control to
      This makes the mute button work on laptops using this driver.
    • Add mute control to tascodec(4). This makes
      the mute button on laptops that use tascodec(4) work.
    • Improve the suspend/resume behavior of several drivers, reducing
      power consumption during suspend.
    • Add support for the Synopsys DesignWare I2C controller
      (dwiic(4)) and the
      X-Powers AXP Power Management IC
    • Enable the mbg(4)
      timedelta sensor on amd64 and match the Meinberg PZF180PEX.
  • New or improved network hardware support:
    • Fix dwqe(4)
      on several boards that use
      rgephy(4) by configuring
      the RGMII interface before taking the PHY out of reset.
    • Improve dwqe(4) and
      determine PHY mode and pass the appropriate flags down to the PHY when
    • Report in dmesg(8) on
      which gmac the dwqe(4)
      driver is attaching to.
    • Document that Intel i226 adapters are supported by
    • Add ngbe(4),
      a driver for WangXun WX1860 PCI Express 10/100/1Gb Ethernet devices.
      Also support it on amd64 install media.
    • Add support for the RTL8211F-VD PHY in
    • In openfirmware, add glue for network interfaces to be found by
      fdt/ofw node or phandle in order to support “switch chips” like the
      marvell link street.
    • Add support for RTL8153D devices to
    • Provide byte and packet counter statistics in some
      dwge(4) implementations.
    • On bge(4), make hardware
      counters available via kstats for BCM5705 and newer controller chips.
    • Make several improvements to vmx(4), the VMware VMXNET3
      Virtual Interface Controller.
    • In em(4), stop
      putting multicast addresses into the Receive Address Registers.
      Instead hash them all into the Multicast Table Array.
    • Support Mellanox ConnectX-6 Lx in mcx(4).
    • In mcx(4), add 100GB
      LR4 Ethernet capability and map it to IFM_100G_LR4.
    • Add initial support for Atlantic 2 hardware in
  • Added or improved wireless network drivers:
    • Improve how Quectel LTE&5G devices attach to
  • IEEE 802.11 wireless stack improvements and bugfixes:
    • Add support for RTL8188FTV devices to the
      urtwn(4) driver.
    • Attach Intel wireless devices with PCI product ID 0x51f1 to
    • Fix a bug where iwm(4) and
      iwx(4) background
      scan tasks were added to the wrong task queue.
    • Fix a firmware error that occurred when an
      iwx(4) interface
      was brought down.
    • Fix iwx(4) firmware errors
      triggered during background scans.
    • Fix a crash in the iwm(4)
      driver when userland attempts to inject frames via bpf in monitor mode.
  • Installer, upgrade and bootloader improvements:
    • In the arm64 ramdisk, simplify apple firmware copying to make it
      easier to add new firmware.
    • On armv7 and arm64, silence informational messages from
      when zeroing a disk’s first 1MB. Use character not block devices with
      dd(1) like on other architectures.
    • Refactor the code of md_installboot() on armv7 and arm64 to be
      more in line with other architectures.
    • Improve the dialogue of the installer without affecting
    • Enable ufshci(4)
      on arm64 install media.
    • On arm64 pine64 boards, stop writing pine64 firmware to disk.
    • When media has neither a GPT nor an MBR
      assume OpenBSD occupies the entire disk starting at sector 0.
    • Attempt to not overflow the ramdisk when extracting firmware on
      Apple arm64 systems.
    • Add support for loading files from the EFI System Partition.
    • Fix a bug in the handling of SCSI drives in the bootloader on the luna88k architecture.
    • On luna88k, implement the chmod() signaling mechanism for
      /bsd.upgrade to prevent re-upgrade, like other

    • Support for softraid(4) disks in the
      installer was improved:

      • Make root on
        installations boot out of the box on Raspberry Pis (arm64).
      • Support installations with root on
        on arm64, tested on Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.
      • On riscv64, enable softraid(4) in the ramdisk kernel and support
        installations with root on
      • When installing on encrypted
        softraid(4), determine
        the disk for placing the root device automatically and make it default
        as it is the only legit choice.
      • Add arm64 to the list of architectures with support for guided disk
      • Retain existing EFI System partitions on systems with APFSISC
        partitions (arm64 Apple M1/M2) during installation with root on
      • Enable softraid(4) in ramdisk
        on the powerpc64 architecture.
  • Security improvements:
    • Enable indirect branch tracking (IBT) on amd64 and branch target
      identification (BTI) on arm64 in both the kernel and in userland.
      On hardware that supports this feature, it helps enforcing
      control flow integrity by making sure malicious code
      cannot jump into the middle of a function.
    • On the arm64 architecture, enable pointer authentication (PAC)
      in userland on those machines where it works correctly.
      It helps enforcing control flow integrity by making sure
      malicious code cannot manipulate a function’s return address.
    • Together with retguard these two features protect against ROP attacks.
      Compiler defaults for base clang, ports clang and ports gcc (as well
      as some other non-C language family compilers in ports) have been
      changed to enable these features by default. As a result the vast
      majority of programs on OpenBSD (and all programs in the base system)
      run with these security features enabled.
    • Change malloc(3)
      chunk sizes to be fine grained: chunk sizes are closer to the
      requested allocation size.
    • In malloc(3),
      check all chunks in the delayed free list for write-after-free.
    • The shutdown(8)
      program can now only be executed by members of the new
      _shutdown group. The idea is that system
      administrators can now remove most users from the excessively
      powerful operator group, which in particular
      provides read access to disk device nodes.
    • Using unveil(2),
      restrict patch(1)
      filesystem access to the current directory including subdirectories,
      TMPDIR, and file names given on the command line.
    • In ksh(1), consistently
      escape control characters when displaying file name completions,
      even when there are multiple matches.
  • Changes in the network stack:
    • Sync the use of
      in the Neighbour Discovery (ND) code with ARP.
    • In the IPv6 forwarding code, call
      once for consistency with IPv4.
    • ARP has a queue of packets that should be sent after name
      resolution. Neighbor discovery (ND6) did only hold a single packet.
      Unified the code, added a queue to ND6 and made the code MP safe.
    • Implement a new sysctl(2)
      net.inet6.icmp6.nd6_queued to show the number of packets
      waiting for an ND6 response, analogous to ARP.
    • When configuring a new IPv6 address on an interface, an upstream router
      doesn’t know where to send traffic. Send an unsolicited
      neighbor advertisement, as described in RFC9131, to the all-routers
      multicast address so all routers on the same link will learn the path
      back to the address.
    • Implement the inbound portion of RFC9131. Let routers create new
      neighbor cache entries when receiving valid neighbor advertisements.

    • Initial support for TCP segmentation offload (TSO) and TCP large receive offload (LRO) was implemented:
      • If the driver of a network interface supports TSO,
        do not chop the packet in the network stack,
        but pass it down to the interface layer for TSO.
      • Provide a software TSO implementation, to be used as a fallback
        if network hardware does not support TSO.
      • Provide a new sysctl(2)
        node net.inet.tcp.tso such that TSO can be globally disabled.
        By default, it is enabled on all interfaces supporting it.
      • In ifconfig(8),
        display separate
        for TSOv4, TSOv6, and LRO and provide a
        parameter to disable LRO on a per-interface basis.
      • Enable TSO and forwarding of LRO packets via TSO in
      • In ix(4), allocate
        less memory for tx buffers.
      • Speed up TCP transfer on
        interfaces by using TSO and LRO.
      • Enable LRO per default in network
        drivers. LRO allows to receive aggregated packets larger than the MTU.
        Receiving TCP streams becomes much faster. Currently only ix(4) and lo(4) devices support LRO, and
        ix(4) is limited to IPv4 and hardware newer than the old 82598 model.
    • The following changes were made to the pf(4) firewall:
      • Speed up the
        ioctl(2) request
        such that pfctl(8)
        can retrieve all pf(4)
        rules from the kernel in linear rather than in quadratic time.
        To protect the kernel from memory exhaustion,
        userland processes now have to release tickets obtained with
        by issuing the new
        ioctl(2) request
        In particular, snmpd(8)
        and systat(1)
        now do that.
      • Relax the implementation of the pass all rule so all
        forms of neighbor advertisements are allowed in either direction.
      • When redirecting locally generated IP packets to userland with
        divert-packet rules, the packets may have no checksum
        due to hardware offloading. Calculate the checksum in that case.
      • Fix a bug where
        could fail to insert a state
        due to conflict on chosen source port number.
      • No longer ignore keep state and nat-to
        actions for unsolicited ICMP error responses.
        Tighten the rule matching logic so ICMP error responses
        no longer match keep state rule.
        In typical scenarios, ICMP errors (if solicited) should match
        existing state. The change is going to bite firewalls which deal
        with asymmetric routes. In those cases the keep state
        action should be relaxed to sloppy or new no state
        rule to explicitly match ICMP errors should be added.
    • Do not calculate IP, TCP, and UDP checksums on
      lo(4) interfaces.
    • Convert the tcp_now() time counter to 64 bits to avoid 32 bits
      wrap around after changing tcp_now() ticks to milliseconds.
    • Add initial support for route-based IPsec VPNs.

      Rather than use IPsec flows (aka, entries in the IPsec security
      policy database) to decide which traffic should be encapsulated in
      IPsec and sent to a peer, this changes security associations (SAs)
      so they can also refer to a tunnel interface. When traffic is routed
      over that tunnel interface, an IPsec SA is looked up and used to
      encapsulate traffic before being sent to the peer on the SA. When
      traffic is received from a peer using an interface SA, the specified
      interface is looked up and the packet is handed to it so it looks
      like packets come out of the tunnel.
    • Add sec(4) to support
      route-based IPsec VPNs.
    • Introduce reference counting for TCP syn cache entries.
    • Have wg(4) copy the
      priority from the inner packet to the outer encrypted packet, so that
      higher priority packets are picked from hfsc queues for earlier
  • Routing daemons and other userland network improvements:
    • IPsec support was improved:
      • In iked(8),
        support route-based
        sec(4) tunnels.
      • In iked(8),
        add support to verify X.509 chain from CERT payloads.
      • In iked(8),
        do not leak memory when receiving a CERT payload for pubkey auth
        or for an invalid CERT Encoding.
      • In iked(8),
        do not leak a file descriptor if
        open_memstream(3) fails while trying to enable a child SA.
      • While trying to verify an ECDSA signature in
        correctly detect failure of DER encoding with
      • In ipsecctl(8),
        support route-based IPsec VPN negotiation with
      • In isakmpd(8),
        support configuring interface SAs for route-based IPsec VPNs.
      • In isakmpd(8)
        quick mode, do not crash with a NULL pointer
        access when a group description is specified but it is invalid,
        unsupported, or memory allocation or key generation fails.
      • In isakmpd(8),
        avoid a double free in the unlikely event that
        EC_KEY_check_key(3) fails right after generating
        a new key pair.
      • Allow building
        with a libcrypto library that has
        binary field support (“GF2m”) removed.
    • In bgpd(8),
      • Add first version of flowspec support. Right now only announcement
        of flowspec rules is possible.
      • Update ASPA support to follow draft-ietf-sidrops-aspa-verification-16
        and draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup
        tables AFI-agnostic.
      • Rework UPDATE message generation to use the new ibuf API instead
        of the hand-rolled solution before.
      • Fix ext-community * * matching which also affects
        filters removing all ext-communities.
      • Improve and extend the bgpctl parser to handle commands like
        bgpctl show rib detail.
        Also add various flowspec specific commands.
      • Introduce a semaphore to protect intermittent RTR session data
        from being published to the RDE.
      • Limit the socket buffer size to 64k for all sessions.
        Limiting the buffer size to a reasonable size ensures that not
        too many updates end up queued in the TCP stack.
      • Adjust example GRACEFUL_SHUTDOWN filter rule in
        the example config to only match on ebgp sessions.
    • rpki-client(8) saw some changes:
      • A 30%-50% performance improvement was achieved through libcrypto’s
        partial chains certificate validation feature. Already validated
        non-inheriting CA certificates are now marked as trusted roots. This
        way it can be ensured that a leaf’s delegated resources are properly
        covered, and at the same time most validation paths are
        significantly shortened.
      • Support for gzip and deflate HTTP Content-Encoding compression was
        added. This allows web servers to send RRDP XML in compressed form,
        saving around 50% of bandwidth.
      • ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.
        As part of supporting AFI-agnostic ASPAs, the JSON syntax for
        Validated ASPA Payloads changed in both filemode and normal output.
      • In filemode (-f option) the applicable manifests are now shown as
        part of the signature path.
      • A new -P option was added to manually specify a moment in time
        to use when parsing the validity window of certificates. Useful
        for regression testing. Default is invocation time of rpki-client.
      • The -A option will now also exclude ASPA data from the JSON output.
      • The synchronisation protocol used to sync the repository is now
        included in the OpenMetrics output.
      • Improved accounting by tracking objects both by repo and tal.
      • Check whether products listed on a manifest were issued by the same
        authority as the manifest itself.
      • File modification timestamps of objects retrieved via RRDP are now
        deterministically set to prepare the on-disk cache for seamless
        failovers from RRDP to RSYNC.
      • Improved detection of RRDP session desynchronization: a check was
        added to compare whether the delta hashes associated to previously
        seen serials are different in newly fetched notification files.
      • Improved handling of RRDP deltas in which objects are published,
        withdrawn, and published again.
      • Disallow X.509 v2 issuer and subject unique identifiers in certs.
        RPKI CAs will never issue certificates with V2 unique identifiers.
      • A check to disallow duplicate X.509 certificate extensions was
      • A check to disallow empty sets of IP Addresses or AS numbers in RFC
        3779 extensions was added.
      • A warning is printed when the CMS signing-time attribute in a Signed
        Object is missing.
      • Warnings about unrecoverable message digest mismatches now include
        the manifestNumber to aid debugging the cause.
      • A check was added to disallow multiple RRDP publish elements for the
        same file in RRDP snapshots. If this error condition is encountered,
        the RRDP transfer is failed and the RP falls back to rsync.
      • A compliance check for the proper X.509 Certificate version and CRL
        version was added.
      • A compliance check was added to ensure CMS Signed Objects contain
        SignedData, in accordance to RFC 6488 section 3 checklist item 1a.
      • Compliance checks were added for the version, KeyUsage, and
        ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed
      • A CMS signing-time value being after the X.509 notAfter timestamp
        was downgraded from an error to a warning.
      • A bug was fixed in the handling of CA certificates which inherit IP
      • A compliance check was added to ensure the X.509 Subject only
        contains commonName and optionally serialNumber.
      • A compliance check was added to ensure the CMS SignedData and
        SignerInfo versions to be 3.
      • Fisher-Yates shuffle the order in which Manifest entries are
        processed. Previously, work items were enqueued in the order the CA
        intended them to appear on a Manifest. However, there is no obvious
        benefit to third parties deciding the order in which things are
    • In smtpd(8),
      • Swapped link-auth filter arguments to avoid ambiguities with user
        names containing a “|” character.
      • Bumped smtpd-filters(7)
        protocol version.
      • Fixed potential truncation of filtered data lines.
      • Allowed arguments on NOOP.
    • Many other changes in various network programs and libraries:
      • Let pcap_fopen_offline(3) correctly interpret some
        LINKTYPE_* values in pcap headers written
        on foreign operating systems.
      • Make dig(1)
        use less deprecated LibreSSL API.

      • Remove stylistic differences between
        arp(8) and
        ndp(8) delete()
        function. This makes it easier to spot real changes in behavior.
      • Make ndp(8)
        not remove cloning routes when no neighbor entry is
        found with ndp -d.

      • Improved error handling in the asr resolver.
      • In unwind(8),
        handle SERVFAIL results on name resolution better.
      • In unwind(8),
        fix a use-after-free bug triggered by fatal write errors
        while sending TCP responses.

      • In the router advertisement daemon
        rad(8), update the default
        timers for prefix preferred and valid lifetimes to use the values from
        RFC 9096.
      • In slaacd(8),
        remove artificial limit of 2 hours on a PIO lifetime.

      • In ypldap(8),
        reduce memory usage when updating larger directories.
      • Make ypldap(8)
        more resilient when some servers are
        misbehaving: keep trying LDAP servers until full results arrive
        rather than just until one accepts the TCP connection.

      • New wgdescription parameter to
        to set a string describing the
        wg(4) peer.

      • Let ifconfig(8)
        prefix the interface name to many error and warning messages.

      • Make the tlsv1.0 and tlsv1.1 options
        in relayd(8)
        do nothing, as one should use the default tlsv1.2
      • Fix IPv6 routes being changed by
        with Routers configuration.

      • In dhcrelay6(8), do not
        ignore the AF_LINK entries of carp(4) interfaces.

      • Improve the config parser of
        to better handle
        comments, improve error messages and plug a memory leak.
      • In radiusd(8),
        add request or response decoration feature which is used through the
        radiusd module interface. This makes additional modules can modify
        RADIUS request or response messages. Also add new “radius_standard”
        module which uses this new feature, provides some generic features
        like “strip-atmark-realm” which removes the realm part from the
        User-Name attribute.

      • Allow UDP for built-in inetd(8) services on This restriction was added in year 2000 due to IPv6 compatible and
        mapped addresses. Nowadays our kernel does not support these IPv6
        features and blocks localhost addresses on non-loopback interfaces.
        Make IPv4 and IPv6 ::1 behave identically and provide
        local services if configured.

      • In spamd(8), log a
        dummy “” IP address in the unlikely event that getnameinfo(3)
  • tmux(1) improvements and bug fixes:
    • For passthrough, don’t write to clients attached to different sessions.
    • Add a format to show if there are unseen changes while in a mode.
    • Discard mouse sequences that have the right form but actually
      are invalid.
    • Invalidate cached tty state after changing features since they may
      change what the terminal can do and need mouse sequences or similar to
      be sent again.
    • Add options to change the confirm key and default behaviour of
    • Add an option menu-selected-style to configure the currently
      selected menu item.
    • Add -c to run-shell to set working directory.
    • Add detach-on-destroy previous and next,
    • Set visited flag on last windows when linking session.
  • LibreSSL version 3.8.2
    • Security fixes
      • Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
        be selected for use.
      • BN_is_prime_ex(3)
        and BN_is_prime_fasttest_ex(3) refuse to check numbers larger than
        32 kbits for primality. This mitigates various DoS vectors.
      • Restricted the RFC 3779 code to IPv4 and IPv6. It was not written
        to be able to deal with anything else.
    • Portable changes
      • Extended the endian.h compat header with hto* and *toh macros.
      • Adapted more tests to the portable framework.
      • Internal tools are now statically linked.
      • Applications bundled as part of the LibreSSL package internally,
        nc(1) and
        now are linked statically if static libraries are built.
      • Internal compatibility function symbols are no longer exported from
        libcrypto. Instead, the libcompat library is linked to libcrypto,
        libssl, and libtls separately. This increases size a little, but
        ensures that the libraries are not exporting symbols to programs
      • Selective removal of CET implementation on platforms where it is
        not supported (macOS).
      • Integrated four more tests.
      • Added Windows ARM64 architecture to tested platforms.
      • Removed Solaris 10 support, fixed Solaris 11.
      • libtls no longer links statically to libcrypto / libssl unless
        --enable-libtls-only is specified at configure time.
      • Improved Windows compatibility library, namely handling of files vs
        sockets, correcting an exception when operating on a closed socket.
      • CMake builds no longer hardcode -O2 into the compiler flags,
        instead using flags from the CMake build type instead.
      • Set the CMake default build type to Release. This can be overridden
        during configuration.
      • Fixed broken ASM support with MinGW builds.
    • New features
      • Added support for
        truncated SHA-2
        and for SHA-3.
      • The BPSW primality test performs additional Miller-Rabin rounds
        with random bases to reduce the likelihood of composites passing.
      • Allow testing of ciphers and digests using badly aligned buffers
        in openssl speed using -unalign.
      • Ed25519 certificates are now supported in openssl(1)
        ca and
        Prepared Ed25519 support in libssl.
      • Add branch target information (BTI) support to amd64 and arm64
    • Compatibility changes
      • Added a workaround for a poorly thought-out change in OpenSSL 3 that
        broke privilege separation support in libtls.
      • Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
      • Removed GF2m support: BIGNUM no longer supports binary extension
        field arithmetic and all binary elliptic builtin curves were removed.
      • Removed dangerous, “fast” NIST prime and elliptic curve implementations.
        In particular, EC_GFp_nist_method() is no longer available.
      • Removed most public symbols that were deprecated in OpenSSL 0.9.8.
      • Removed the public X9.31 API (RSA_X931_PADDING is still available).
      • Removed Cipher Text Stealing mode.
      • Removed ENGINE support, including ECDH_METHOD and ECDSA_METHOD.
      • Removed COMP, DSO, dynamic loading of conf modules and support for
        custom ex_data and error stacks.
      • Removed proxy certificate (RFC 3820) support.
      • Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
        openssl(1) nseq command.
      • ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
        of this, some stub functions are provided to avoid patching some
        applications that do not honor OPENSSL_NO_ENGINE.
      • The POLICY_TREE and its related structures and API were removed.
      • In X509_VERIFY_PARAM_inherit(3), copy hostflags independently of the
        host list.
      • Made CRYPTO_get_ex_new_index(3) not return 0 to allow applications
        to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
        each other.
      • X509_NAME_get_text_by_NID(3) and
        X509_NAME_get_text_by_OBJ(3) now only succeed if they contain
        valid UTF-8 without embedded NUL.
      • The explicitText user notice uses UTF8String instead of VisibleString
        to reduce the risk of emitting certificates with invalid DER-encoding.
      • Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
        compliant with RFC 8446.
      • Fixed EVP_CIPHER_CTX_iv_length(3) to return what was set with
        EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
    • Internal improvements
      • Improved sieve of Eratosthenes script used for generating a table
        of small primes.
      • Removed incomplete and dangerous BN_RECURSION code.
      • Imported RFC 5280 policy checking code from BoringSSL and used it
        to replace the old exponential time code.
      • Converted more of libcrypto to use CBB/CBS.
      • Started cleaning up and rewriting SHA internals.
      • Reduced the dependency of hash implementations on many layers of
        macros. This results in significant speedups since modern compilers
        are now less confused.
      • Improved BIGNUM internals and performance.
      • Significantly simplified the BN_BLINDING internals used in RSA.
      • Made BN_num_bits(3)
        independent of bn->top.
      • Rewrote and simplified bn_sqr().
      • Significantly improved Montgomery multiplication performance.
      • Rewrote and improved
        BN_exp(3) and
      • Changed ASN1_item_sign_ctx(3) and
        ASN1_item_verify(3) to work with
        Ed25519 and fixed a few bugs in there.
      • Lots of cleanup for DH, DSA, EC, RSA internals. Plugged numerous
        memory leaks, fixed logic errors and inconsistencies.
      • Cleaned up and simplified various ECDH and ECDSA internals.
      • Removed EC_GROUP precomp machinery.
      • Fixed various issues with
        EVP_PKEY_CTX_new(3) and EVP_PKEY_CTX_dup(3).
      • Rewrote OBJ_find_sigid_algs(3) and OBJ_find_sigid_by_algs(3).
      • Improved X.509 certificate version checks.
      • Ensure no X.509v3 extensions appear more than once in certificates.
      • Replaced ASN1_bn_print with a cleaner internal implementation.
      • Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
      • Improved checks for commonName in libtls.
      • Fixed error check for
        X509_get_ext_d2i(3) failure in libtls.
      • Removed code guarded by #ifdef ZLIB.
      • Plug a potential memory leak in
      • Fixed a use of uninitialized in i2r_IPAddrBlocks().
      • Rewrote CMS_SignerInfo_sign(3) and CMS_SignerInfo_verify(3).
    • Bug fixes
      • Correctly handle negative input to various BIGNUM functions.
      • Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
      • Fix error checking of
        in ossl_ecdsa_sign().
      • Fixed aliasing issue in
        BN_mod_inverse(3). Disallowed aliasing of result
        and modulus in various BN_mod_* functions.
      • Fixed detection of extended operations (XOP) on AMD hardware.
      • Ensure Montgomery exponentiation is used for the initial RSA blinding.
      • Policy is always checked in X509 validation. Critical policy extensions
        are no longer silently ignored.
      • Fixed error handling in tls_check_common_name().
      • Add missing pointer invalidation in
      • Fixed X509err() and X509V3err() and their internal versions.
      • Ensure that
        always returns a C string again.
      • Made EVP_PKEY_CTX_set1_hkdf_key(3) fail on a NULL key.
      • On socket errors in the poll loop, netcat could issue system calls
        on invalidated file descriptors.
      • Allow IP addresses to be specified in a URI.
      • Fixed a copy-paste error in
        ASN1_TIME_compare(3) that could lead to two UTCTimes
        or two GeneralizedTimes incorrectly being compared as equal.
    • Documentation improvements
      • Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
        BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
      • Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
      • Made it very explicit that the verify callback should not be used.
      • Called out that the CRL lastUpdate is standardized as thisUpdate.
      • Documented the RFC 3779 API and its shortcomings.
    • Testing and Proactive Security
      • Significantly improved test coverage of
        and GCD.
      • As always, new test coverage is added as bugs are fixed and subsystems
        are cleaned up.
  • OpenSSH 9.5 and OpenSSH 9.4
    • Potentially incompatible changes
      • ssh-keygen(1):
        generate Ed25519 keys by default. Ed25519 public keys
        are very convenient due to their small size. Ed25519 keys are
        specified in RFC 8709 and OpenSSH has supported them since version 6.5
        (January 2014).
      • sshd(8):
        the Subsystem directive now accurately preserves quoting of
        subsystem commands and arguments. This may change behaviour for exotic
        configurations, but the most common subsystem configuration
        (sftp-server) is unlikely to be affected.
      • ssh-agent(1):
        PKCS#11 modules must now be specified by their full
        paths. Previously dlopen(3) could search for them in system
        library directories.
    • New features
      • ssh(1):
        add keystroke timing obfuscation to the client. This attempts
        to hide inter-keystroke timings by sending interactive traffic at
        fixed intervals (default: every 20ms) when there is only a small
        amount of data being sent. It also sends fake “chaff” keystrokes for
        a random interval after the last real keystroke. These are
        controlled by a new ssh_config ObscureKeystrokeTiming keyword.
      • ssh(1),
        Introduce a transport-level ping facility. This adds
        a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
        implement a ping capability. These messages use numbers in the “local
        extensions” number space and are advertised using a “”
        ext-info message with a string version number of “0”.
      • sshd(8):
        allow override of Subsystem directives in sshd Match blocks.
      • ssh(1):
        allow forwarding Unix Domain sockets via ssh -W.
      • ssh(1):
        add support for configuration tags to ssh(1).
        This adds a ssh_config(5) “Tag” directive and corresponding
        “Match tag” predicate that may be used to select blocks of
        configuration similar to the pf.conf(5) keywords of the same
      • ssh(1):
        add a “match localnetwork” predicate. This allows matching
        on the addresses of available network interfaces and may be used to
        vary the effective client configuration based on network location.
      • ssh(1),
        infrastructure support for KRL
        extensions. This defines wire formats for optional KRL extensions
        and implements parsing of the new submessages. No actual extensions
        are supported at this point.
      • sshd(8):
        AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
        accept two additional %-expansion sequences: %D which expands to
        the routing domain of the connected session and %C which expands
        to the addresses and port numbers for the source and destination
        of the connection.
      • ssh-keygen(1):
        increase the default work factor (rounds) for the
        bcrypt KDF used to derive symmetric encryption keys for passphrase
        protected key files by 50%.
    • Bugfixes
      • scp(1):
        fix scp in SFTP mode recursive upload and download of
        directories that contain symlinks to other directories. In scp mode,
        the links would be followed, but in SFTP mode they were not.
      • ssh-keygen(1):
        handle cr+lf (instead of just cr) line endings in
        sshsig signature files.
      • ssh(1):
        interactive mode for ControlPersist sessions if they
        originally requested a tty.
      • sshd(8):
        make PerSourceMaxStartups first-match-wins
      • sshd(8):
        limit artificial login delay to a reasonable maximum (5s)
        and don’t delay at all for the “none” authentication mechanism.
      • sshd(8):
        Log errors in kex_exchange_identification() with level
        verbose instead of error to reduce preauth log spam. All of those
        get logged with a more generic error message by sshpkt_fatal().
      • sshd(8):
        correct math for ClientAliveInterval that caused the probes
        to be sent less frequently than configured.
      • ssh-agent(1):
        improve isolation between loaded PKCS#11 modules
        by running separate ssh-pkcs11-helpers for each loaded provider.
      • ssh(1):
        make -f (fork after authentication) work correctly with
        multiplexed connections, including ControlPersist.
      • ssh(1):
        make ConnectTimeout apply to multiplexing sockets and not
        just to network connections.
      • ssh-agent(1),
        improve defences against invalid PKCS#11
        modules being loaded by checking that the requested module
        contains the required symbol before loading it.
      • sshd(8):
        fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
        appears before it in sshd_config. Since OpenSSH 8.7 the
        AuthorizedPrincipalsCommand directive was incorrectly ignored in
        this situation.
      • sshd(8),
        remove vestigial support for KRL
        signatures When the KRL format was originally defined, it included
        support for signing of KRL objects. However, the code to sign KRLs
        and verify KRL signatures was never completed in OpenSSH. This
        release removes the partially-implemented code to verify KRLs.
        All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
        KRL files.
      • All: fix a number of memory leaks and unreachable/harmless integer
      • ssh-agent(1),
        don’t truncate strings logged from PKCS#11 modules
      • sshd(8),
        better validate CASignatureAlgorithms in
        ssh_config and sshd_config. Previously this directive would accept
        certificate algorithm names, but these were unusable in practice as
        OpenSSH does not support CA chains.
      • ssh(1):
        make ssh -Q CASignatureAlgorithms only list signature
        algorithms that are valid for CA signing. Previous behaviour was
        to list all signing algorithms, including certificate algorithms.
      • ssh-keyscan(1):
        gracefully handle systems where rlimits or the
        maximum number of open files is larger than INT_MAX
      • ssh-keygen(1):
        fix “no comment” not showing on when running
        ssh-keygen -l on multiple keys where one has a comment
        and other following keys do not.
      • scp(1),
        adjust ftruncate() logic to handle servers that
        reorder requests. Previously, if the server reordered requests then
        the resultant file would be erroneously truncated.
      • ssh(1):
        don’t incorrectly disable hostname canonicalization when
        CanonicalizeHostname=yes and ProxyJump was explicitly set to
      • scp(1):
        when copying local to remote, check that the source file
        exists before opening an SFTP connection to the server.
  • Ports and packages:

    Many pre-built packages for each architecture:

    • aarch64: 11508
    • amd64: 11845
    • arm:
    • i386: 10603
    • mips64:
    • powerpc:
    • powerpc64:
    • riscv64:
    • sparc64: 8469

    Some highlights:

    • Asterisk 16.30.1, 18.19.0 and 20.4.0
    • Audacity 3.3.3
    • CMake 3.27.5
    • Chromium 117.0.5938.149
    • Emacs 29.1
    • FFmpeg 4.4.4
    • GCC 8.4.0 and 11.2.0
    • GHC 9.2.7
    • GNOME 44
    • Go 1.21.1
    • JDK 8u382, 11.0.20 and 17.0.8
    • KDE Applications 23.08.0
    • KDE Frameworks 5.110.0
    • Krita 5.1.5
    • LLVM/Clang 13.0.0 and 16.0.6
    • LibreOffice
    • Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
    • MariaDB 10.9.6
    • Mono
    • Mozilla Firefox 118.0.1 and ESR 115.3.1
    • Mozilla Thunderbird 115.3.1
    • Mutt 2.2.12 and NeoMutt 20230517
    • Node.js 18.18.0
    • OCaml 4.12.1
    • OpenLDAP 2.6.6
    • PHP 7.4.33, 8.0.30, 8.1.24 and 8.2.11
    • Postfix 3.7.3
    • PostgreSQL 15.4
    • Python 2.7.18, 3.9.18, 3.10.13 and 3.11.5
    • Qt 5.15.10 and 6.5.2
    • R 4.2.3
    • Ruby 3.0.6, 3.1.4 and 3.2.2
    • Rust 1.72.1
    • SQLite 3.42.0
    • Shotcut 23.07.29
    • Sudo
    • Suricata 6.0.12
    • Tcl/Tk 8.5.19 and 8.6.13
    • TeX Live 2022
    • Vim 9.0.1897 and Neovim 0.9.1
    • Xfce 4.18
  • As usual, steady improvements in manual pages and other documentation.
  • The system includes the following major components from outside suppliers:
    • Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
      freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
      xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
    • LLVM/Clang 13.0.0 (+ patches)
    • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    • Perl 5.36.1 (+ patches)
    • NSD 4.7.0
    • Unbound 1.18.0
    • Ncurses 5.7
    • Binutils 2.17 (+ patches)
    • Gdb 6.3 (+ patches)
    • Awk September 12, 2023
    • Expat 2.5.0
    • zlib 1.3 (+ patches)

How to install

Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 7.4 on your machine:

Quick installer information for people familiar with OpenBSD, and the use of
the “disklabel -E” command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!


If your machine can boot from CD, you can write install74.iso or
cd74.iso to a CD and boot from it.
Refer to INSTALL.alpha for more details.


If your machine can boot from CD, you can write install74.iso or
cd74.iso to a CD and boot from it.
You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install74.img or
miniroot74.img to a USB stick and boot from it.

If you can’t boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.


Write install74.img or miniroot74.img to a disk and boot from it
after connecting to the serial console. Refer to INSTALL.arm64 for more


Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.


Boot over the network by following the instructions in INSTALL.hppa or the
hppa platform page.


If your machine can boot from CD, you can write install74.iso or
cd74.iso to a CD and boot from it.
You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install74.img or
miniroot74.img to a USB stick and boot from it.

If you can’t boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.


Write miniroot74.img to the start of the CF
or disk, and boot normally.


Write miniroot74.img to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.


Copy ‘boot’ and ‘bsd.rd’ to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.


Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot


After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.


To install, write install74.img or miniroot74.img to a
USB stick, plug it into the machine and choose the OpenBSD
menu item in Petitboot.
Refer to the instructions in INSTALL.powerpc64 for more details.


To install, write install74.img or miniroot74.img to a
USB stick, and boot with that drive plugged in.
Make sure you also have the microSD card plugged in that shipped with the
HiFive Unmatched board.
Refer to the instructions in INSTALL.riscv64 for more details.


Burn the image from a mirror site to a CDROM, boot from it, and type
boot cdrom.

If this doesn’t work, or if you don’t have a CDROM drive, you can write
floppy74.img or floppyB74.img
(depending on your machine) to a floppy and boot it with boot
. Refer to INSTALL.sparc64 for details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

You can also write miniroot74.img to the swap partition on
the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64.

How to upgrade

If you already have an OpenBSD 7.3 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.

Notes about the source code

src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:

# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:

# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.

Ports Tree

A ports tree archive is also provided. To extract:

# cd /usr
# tar xvfz /tmp/ports.tar.gz

Go read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.

The ports/ directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like:

# cd /usr/ports
# cvs -d update -Pd -rOPENBSD_7_4

[Of course, you must replace the server name here with a nearby anoncvs

Note that most ports are available as packages on our mirrors. Updated
ports for the 7.4 release will be made available if problems arise.

If you’re interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list is a good place to know.

Read More