OpenBSD 7.9: Security-First Engineering and Modern Hardware Support
The release of OpenBSD 7.9 marks a significant milestone: the 60th official release of an operating system that has remained steadfast in its commitment to proactive security and code correctness. While many modern operating systems prioritize feature velocity and ecosystem growth, OpenBSD continues to treat security not as a layer added on top, but as the very foundation of the system.
This release brings a blend of deep kernel refinements, expanded hardware compatibility for modern ARM and RISC-V architectures, and critical updates to the core toolchain, including OpenSSH 10.3 and LibreSSL 4.3.0.
Kernel and Scheduler Evolution
One of the most noteworthy additions in 7.9 is the introduction of a mechanism to manage CPU cores with varying speeds in the scheduler. As modern processors increasingly adopt hybrid architectures (Performance vs. Efficiency cores), OpenBSD has introduced the hw.blockcpu sysctl variable. This allows administrators to specify which types of cores—SMT, Performance (P), Efficient (E), or Lethargic (L)—should be excluded from the scheduler.
This "shotgun approach" to hybrid cores reflects OpenBSD's philosophy of predictability over complexity. By allowing users to simply kick slow cores out of the scheduler (with SL as the default), the system avoids the performance unpredictability often associated with naive scheduling on big.LITTLE architectures.
Other significant kernel improvements include:
- Parking Locks: The replacement of the cas spinlock in kernel mutexes with a "parking" lock to improve synchronization efficiency.
- Memory Management: Implementation of delayed hibernation to prevent battery exhaustion during suspend by waking the system after a configurable time to perform a full hibernation.
- SMP Enhancements: Parallel fault handling is now enabled on amd64 and arm64, and socket splicing has been unlocked for better performance.
Networking and Wireless Advancements
OpenBSD has long been the gold standard for networking stacks, and 7.9 continues this trend with several high-impact changes:
The Wireless Leap
For years, OpenBSD users have navigated a trade-off between security and wireless hardware support. Version 7.9 makes a major leap forward with the introduction of basic 802.11ax (WiFi 6) support and 160 MHz window support at 5 GHz. The iwx(4) driver has seen extensive work, including the addition of Protected Management Frames (PMF) and improved roaming capabilities.
Virtual Ethernet Bridge (veb)
The Virtual Ethernet Bridge (veb(4)) is now a VLAN-aware bridge. It supports PVID (port VLAN identifier) and VID maps, allowing ports to be configured as "access," "trunk," or "hybrid." This brings enterprise-grade VLAN flexibility to the system's virtual networking.
General Stack Improvements
- IPv6 by Default: IPv6 autoconf (SLAAC) is now enabled by default, simplifying modern network deployment.
- PF Firewall: The pf(4) firewall introduces source and state limiters, giving administrators finer control over traffic shaping and rate limiting.
Security Toolchain: OpenSSH and LibreSSL
OpenSSH 10.3
OpenSSH continues to evolve with a focus on mitigating shell injection and improving identity management. Key security fixes in 10.3 include:
- Input Validation: Stricter validation of shell metacharacters in usernames to prevent arbitrary command execution via %-tokens in ssh_config.
- Certificate Handling: A fix for a bug where certificates with empty principals sections were treated as wildcards, which could have allowed unauthorized authentication if a CA issued a certificate accidentally.
- New Features: Support for IANA-assigned codepoints for SSH agent forwarding and the addition of an invaliduser penalty to PerSourcePenalties to thwart brute-force attempts on non-existent accounts.
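An added audit example (not from the original article or the OpenSSH project): because the certificate fix above concerns empty principals sections, this parses a certificate listing and flags every certificate that names no principal. The listing layout is assumed to match `ssh-keygen -L -f <cert>` output; the sample data and function names are constructed for illustration.

```python
# Constructed sample; layout assumed from `ssh-keygen -L -f <cert>` output.
SAMPLE_LISTING = """\
alice-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "alice-laptop"
        Principals:
                alice
                deploy
        Critical Options: (none)
batch-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "batch-job"
        Principals: (none)
        Critical Options: (none)
"""


def parse_listing(text):
    """Return one dict per certificate with its key ID and principals."""
    certs, cur, list_indent = [], None, None
    for line in text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0 and body.endswith(":"):
            # An unindented "name:" line starts a new certificate.
            cur = {"file": body[:-1], "key_id": "", "principals": []}
            certs.append(cur)
            list_indent = None
        elif cur is None:
            continue
        elif list_indent is not None and indent > list_indent:
            # Lines indented deeper than "Principals:" are its entries.
            cur["principals"].append(body)
        else:
            list_indent = None
            name, _, value = body.partition(":")
            if name == "Principals":
                list_indent = indent
            elif name == "Key ID":
                cur["key_id"] = value.strip().strip('"')
    return certs


def empty_principal_certs(text):
    """Certificates that name no principal and need review or reissue."""
    return [(c["file"], c["key_id"]) for c in parse_listing(text)
            if not c["principals"]]
```

Run `empty_principal_certs` over the concatenated listings of every certificate your CA has issued; any hit is a certificate to revoke or reissue with explicit principals.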
LibreSSL 4.3.0
LibreSSL 4.3.0 focuses on post-quantum readiness and internal cleanup. It now supports the MLKEM768_X25519 keyshare in TLS, providing a critical step toward quantum-resistant encryption. Additionally, the release disables TLSv1.1 and lower at the method level, further pruning legacy, insecure protocols.
Hardware and Platform Support
OpenBSD 7.9 continues to expand its footprint across diverse architectures:
- ARM64: Added support for RK3588 and RK3576 SoCs, and improved SDHC controller support for Apple Silicon laptops.
- RISC-V: Significant gains for the SpacemiT K1 SoC, including new drivers for clock/reset controllers and GPIO.
- AMD64: Increased MAXCPUs to 255 and mitigated floating point state leakage on Zen/Zen+ processors.
Community Perspective and Trade-offs
While the release is widely praised for its engineering rigor, the community discussions highlight the inherent trade-offs of the OpenBSD approach. Some users point to the lack of a journaled filesystem as a significant hurdle for production environments where power-loss recovery is critical. Others note that while wireless support is improving, certain features like Bluetooth remain absent.
However, as one user noted, the project's release engineering is a model for the industry:
"No 'When it's done' here. Like clockwork twice a year, they slow down, clean the shop, get their experiments in order and cook a release, a stable point in time."
OpenBSD 7.9 is more than just a version bump; it is a testament to the endurance of a development philosophy that prioritizes the "correct" way to build a system over the "fastest" way to satisfy the market.