OpenBSD 6.3 (original) (raw)

Released Apr 15, 2018Copyright 1997-2018, Theo de Raadt.Artwork by Sam Hester. See the information on the FTP page for a list of mirror machines.Go to the pub/OpenBSD/6.3/ directory on one of the mirror sites.Have a look at the 6.3 errata page for a list of bugs and workarounds.See a detailed log of changes between the 6.2 and 6.3 releases.signify(1) pubkeys for this release: openbsd-63-base.pub:RWRxzbLwAd76ZZxHU7wuIFUOVGwl6SjNNzanKWTql8w+hui7WLE/72mWopenbsd-63-fw.pub:RWT3tdmiAc+DH/CJOxPFT10kUM90/UcLTgSEUEKzhKm9QEhy+UD4CWPyopenbsd-63-pkg.pub:RWT58k1AWz/zZO9DHcPHXiHhDNP6hdwGjxNkyMoc/sh4O5NI8Zz1R1lD All applicable copyrights and credits are in the src.tar.gz, sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the files fetched via ports.tar.gz.

What's New

This is a partial list of new features and systems included in OpenBSD 6.3. For a comprehensive list, see the changelog leading to 6.3.

• Improved hardware support, including:
  • SMP support on OpenBSD/arm64 platforms.
  • VFP and NEON support on OpenBSD/armv7 platforms.
  • New acrtc(4) driver for X-Powers AC100 audio codec and Real Time Clock.
  • New axppmic(4) driver for X-Powers AXP Power Management ICs.
  • New bcmrng(4) driver for Broadcom BCM2835/BCM2836/BCM2837 random number generator.
  • New bcmtemp(4) driver for Broadcom BCM2835/BCM2836/BCM2837 temperature monitor.
  • New bgw(4) driver for Bosch motion sensor.
  • New bwfm(4) driver for Broadcom and Cypress FullMAC 802.11 devices (still experimental and not compiled into the kernel by default)
  • New efi(4) driver for EFI runtime services.
  • New imxanatop(4) driver for i.MX6 integrated regulator.
  • New rkpcie(4) driver for Rockchip RK3399 Host/PCIe bridge.
  • New sxirsb(4) driver for Allwinner Reduced Serial Bus controller.
  • New sxitemp(4) driver for Allwinner temperature monitor.
  • New sxits(4) driver for temperature sensor on Allwinner A10/A20 touchpad controller.
  • New sxitwi(4) driver for two-wire bus found on several Allwinner SoCs.
  • New sypwr(4) driver for the Silergy SY8106A regulator.
  • Support for Rockchip RK3328 SoCs has been added to thedwge(4),rkgrf(4),rkclock(4) andrkpinctrl(4) drivers.
  • Support for Rockchip RK3288/RK3328 SoCs has been added to therktemp(4) driver.
  • Support for Allwinner A10/A20, A23/A33, A80 and R40/V40 SoCs has been added to thesxiccmu(4) driver.
  • Support for Allwinner A33, GR8 and R40/V40 SoCs has been added to thesxipio(4) driver.
  • Support for SAS3.5 MegaRAIDs has been added to themfii(4) driver.
  • Support for Intel Cannon Lake and Ice Lake integrated Ethernet has been added to theem(4) driver.
  • cnmac(4) ports are now assigned to different CPU cores for distributed interrupt processing.
  • The pms(4) driver now detects and handles reset announcements.
  • On amd64 Intel CPU microcode is loaded on boot and installed/updated byfw_update(1).
  • Support the sun4v hypervisor interrupt cookie API, adding support for SPARC T7-1/2/4 machines.
  • Hibernate support has been added for SD/MMC storage attached tosdhc(4) controllers.
  • clang(1) is now used as the system compiler on armv7, and it is also provided on sparc64.
• vmm(4)/vmd(8) improvements:
  • Add CD-ROM/DVD ISO support to vmd(8) via vioscsi(4).
  • vmd(8) no longer creates an underlying bridge interface for virtual switches defined invm.conf(5).
  • vmd(8) receives switch information (rdomain, etc) from underlying switch interface in conjunction of settings in vm.conf(5).
  • Time Stamp Counter (TSC) support in guest VMs.
  • Support ukvm/Solo5 unikernels invmm(4).
  • Handle valid (but uncommon) instruction encodings better.
  • Better PAE paging support for 32-bit Linux guest VMs.
  • vmd(8) now allows up to four network interfaces in each VM.
  • Add paused migration and snapshotting support to vmm(4) for AMD SVM/RVI hosts.
  • BREAK commands sent over apty(4) are now understood byvmd(8).
  • Many fixes to vmctl(8) and vmd(8) error handling.
• IEEE 802.11 wireless stack improvements:
  • The iwm(4) andiwn(4) drivers will automatically roam between access points which share an ESSID. Forcing a particular AP's MAC address with ifconfig's bssid command disables roaming.
  • Automatically clear configured WEP/WPA keys when a new network ESSID is configured.
  • Removed the ability for userland to read configured WEP/WPA keys back from the kernel.
  • The iwm(4) driver can now connect to networks with a hidden SSID.
  • USB devices supported by theathn(4) driver now use an open source firmware, and hostap mode now works with these devices.
• Generic network stack improvements:
  • The network stack no longer runs with the KERNEL_LOCK() when IPsec is enabled.
  • Processing of incoming TCP/UDP packets is now done without KERNEL_LOCK().
  • The socket splicing task runs without KERNEL_LOCK().
  • Cleanup and removal of code in sys/netinet6 since autoconfiguration runs in userland now.
  • bridge(4) members can now be prevented to talk to each others with the new protected option.
  • The pf divert-packet feature has been simplified. The IP_DIVERTFL socket option has been removed from divert(4).
  • Various corner cases of pf divert-to and divert-reply are more consistent now.
  • Enforce in pf(4) that all neighbor discovery packets have 255 in their IPv6 header hop limit field.
  • New set syncookies option inpf.conf(5).
  • Support for GRE over IPv6.
  • New egre(4) driver for Ethernet over GRE tunnels.
  • Support for the optional GRE key header and GRE key entropy ingre(4) andegre(4).
  • New nvgre(4) driver for Network Virtualization using Generic Routing Encapsulation.
  • Support for configuring the Don't Fragment flag on packets encapsulated by tunnel interfaces.
• Installer improvements:
  • if install.site or upgrade.site fails, notify the user and error out after storing rand.seed.
  • allow CIDR notation when entering IPv4 and IPv6 addresses.
  • repair selection of a HTTP mirror from the list of mirrors.
  • allow '-' in usernames.
  • ask a question at the end of the install/upgrade process so carriage return causes the appropriate action, e.g. reboot.
  • display the mode (install or upgrade) shell prompts as long as no hostname is known.
  • correctly detect which interface has the default route and if it was configured via DHCP.
  • ensure sets can be read from the prefetch area.
  • ensure URL redirection is effective for entire install/upgrade.
  • add the HTTP proxy used when fetching sets to rc.firsttime, where fw_update and syspatch can find and use it.
  • add logic to support RFC 7217 with SLAAC.
  • ensure that IPv6 is configured for dynamically created network interfaces like vlan(4).
  • create correct hostname when both domain-name and domain-search options are provided in the DHCP lease.
• Routing daemons and other userland network improvements:
  • bgpctl(8) has a newssv option which outputs rib entries as a single semicolon-separated like for selection before output.
  • slaacd(8) generates random but stable IPv6 stateless autoconfiguration addresses according to RFC 7217. These are enabled per default in accordance with RFC 8064.
  • slaacd(8) follows RFC 4862 by removing an artificial limitation on /64 sized prefixes using RFC 7217 (random but stable) and RFC 4941 (privacy) style stateless autoconfiguration addresses.
  • ospfd(8) can now set the metric for a route depending on the status of an interface.
  • ifconfig(8) has a newstaticarp option to make interfaces reply to ARP requests only.
  • ipsecctl(8) can now collapse flow outputs having the same source or destination.
  • The -n option innetstart(8) no longer messes with the default route. It is now documented as well.
• Security improvements:
  • Use even more trap-sleds on various architectures.
  • More use of .rodata for constant variables in assembly source.
  • Stop using x86 "repz ret" in dusty corners of the tree.
  • Introduce "execpromises" inpledge(2).
  • The elfrdsetroot utility used to build ramdisks and therebound(8) monitoring process now usepledge(2).
  • Prepare for the introduction of MAP_STACK tommap(2) after 6.3.
  • Push a small piece of KARL-linked kernel text into the random number generator as entropy at startup.
  • Put a small random gap at the top of thread stacks, so that attackers have yet another calculation to perform for their ROP work.
  • Mitigation for Meltdown vulnerability for Intel brand amd64 CPUs.
  • OpenBSD/arm64 now uses kernel page table isolation to mitigate Spectre variant 3 (Meltdown) attacks.
  • OpenBSD/armv7 and OpenBSD/arm64 now flush the Branch Target Buffer (BTB) on processors that do speculative execution to mitigate Spectre variant 2 attacks.
  • pool_get(9) perturbs the order of items on newly allocated pages, making the kernel heap layout harder to predict.
  • Thefktrace(2) system call was deleted.
• dhclient(8) improvements:
  • Parsing dhclient.conf(5) no longer leaks SSID strings, strings that are too long for the parsing buffer or repeated string options and commands.
  • Storing leases in dhclient.conf(5) is no longer supported.
  • 'DENY' is no longer valid in dhclient.conf(5).
  • dhclient.conf(5) and dhclient.leases(5) parsing error messages have been simplified and clarified, with improved behaviour in the presence of unexpected semicolons.
  • More care is taken to only use configuration information that was successfully parsed.
  • '-n' has been added, which causes dhclient(8) to exit after parsing dhclient.conf(5).
  • Default routes in options classless-static-routes (121) and classless-ms-static-routes (249) are now correctly represented in dhclient.leases(5) files.
  • Overwrite the file specified with '-L' rather than appending to it.
  • Leases in dhclient.leases(5) now contain an 'epoch' attribute recording the time the lease was accepted, which is used to calculate correct renewal, rebinding and expiry times.
  • No longer nag about underscores in names violating RFC 952.
  • Unconditionally send host-name information when requesting a lease, eliminating the need for dhclient.conf(5) in the default installation.
  • Be quiet by default. '-q' has been removed and '-v' added to enable verbose logging.
  • Decline duplicate offers for the requested address.
  • Unconditionally go into the background after link-timeout seconds.
  • Significantly reduce logging when being quiet, but make '-v' log all debug information without needing to compile a custom executable.
  • Ignore 'interface' statements in dhclient.leases(5) and assume all leases in the file are for the interface being configured.
  • Display the source of the lease bound to the interface.
  • 'ignore', 'request' and 'require' declarations in dhclient.conf(5) now add the specified options to the relevant list rather than replacing the list.
  • Eliminate a startup race that could result in dhclient(8) exiting without configuring the interface.
• Assorted improvements:
  • Code reorganization and other improvements tomalloc(3) and friends to make them more efficient.
  • When performing suspend or hibernate operations, ensure all filesystems are properly synchronized and marked clean, or if they cannot be put into perfectly clean state on disk (due to open+unlinked files) then mark them dirty, so that a failed resume/unhibernate is guaranteed to perform fsck(8).
  • acme-client(1) autodetects the agreement URL and follows 30x HTTP redirects.
  • Added __cxa_thread_atexit() to support modern C++ tool chains.
  • Added EVFILT_DEVICE support tokqueue(2) for monitoring changes todrm(4) devices.
  • ldexp(3) now handles the sign of denormal numbers correctly on mips64.
  • New sincos(3) functions in libm.
  • fdisk(8) now ensures the validity of MBR partition offsets entered while editing.
  • fdisk(8) now ensures that default values lie within the valid range.
  • less(1) now splits only the environment variable LESS on '$'.
  • less(1) no longer creates a spurious file when encountering '$' in the initial command.
  • softraid(4) now validates the number of chunks when assembling a volume, ensuring the on-disk and in-memory metadata are in sync.
  • disklabel(8) now always offers to edit an FFS partition's fragment size before offering to edit the blocksize.
  • disklabel(8) now allows editing the cylinders/group (cpg) attribute whenever the partition blocksize can be edited.
  • disklabel(8) now detects ^D and invalid input during (R)esize commands.
  • disklabel(8) now detects underflows and overflows when -/+ operators are used.
  • disklabel(8) now avoids an off-by-one when calculating the number of cylinders in a free chunk.
  • disklabel(8) now validates the requested partition size against the size of the largest free chunk instead of the total free space.
  • Support for dumping USB transfers viabpf(4).
  • tcpdump(8) can now understand dumps of USB transfers in theUSBPcap format.
  • The default prompts of csh(1),ksh(1) andsh(1) now include the hostname.
  • Memory allocation inksh(1) was switched fromcalloc(3) back tomalloc(3), making it easier to recognize uninitialized memory. As a result, a history-related bug in emacs editing mode was discovered and fixed.
  • New script(1) -c option to run a command instead of a shell.
  • New grep(1) -m option to limit the number of matches.
  • New uniq(1) -i option for case-insensitive comparison.
  • The printf(3) format string is no longer validated when looking for % formats. Based on a commit by android and following most other operating systems.
  • Improved error checking invfwprintf(3).
  • Many base programs have been audited and fixed for stale file descriptors, includingcron(8),ftp(1),mandoc(1),openssl(1),ssh(1) andsshd(8).
  • Various bug fixes and improvements injot(1):
    * Arbitrary length limits for the arguments for the-b, -s, -w options were removed.
    * The %F format specifier is now supported and a bug in the %D format was fixed.
    * Better code coverage in regression tests.
    * Several buffer overruns were fixed.
  • The patch(1) utility now copes better with git diffs that create or delete files.
  • pkg_add(1) now has improved support for HTTP(S) redirectors such as_cdn.openbsd.org_.
  • ftp(1) andpkg_add(1) now support HTTPS session resumption for improved speed.
  • mandoc(1) -T ps output file size reduced by more than 50%.
  • syslogd(8) logs if there were warnings during startup.
  • syslogd(8) stopped logging to files in a full filesystem. Now it writes a warning and continues after space has been made available.
  • vmt(4) now allows cloning and taking disk-only snapshots of running guests.
• OpenSMTPD 6.0.4
  • Add spf walk option tosmtpctl(8).
  • Assorted cleanups and improvements.
  • Numerous manual page fixes and improvements.
• OpenSSH 7.7
  • New/changed features:
    * All: Add experimental support for PQC XMSS keys (Extended Hash- Based Signatures) based on the algorithm described in https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 The XMSS signature code is experimental and not compiled in by default.
    * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux).
    * sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present.
    * sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present.
    * sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys.
    * ssh(1): Add a BindInterface option to allow binding the outgoing connection to an interface's address (basically a more usable BindAddress).
    * ssh(1): Expose device allocated for tun/tap forwarding via a new %T expansion for LocalCommand. This allows LocalCommand to be used to prepare the interface.
    * sshd(8): Expose the device allocated for tun/tap forwarding via a new SSH_TUNNEL environment variable. This allows automatic setup of the interface and surrounding network configuration automatically on the server.
    * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. ssh://user@host or sftp://user@host/path. Additional connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses the deprecated MD5 hash with no way to specify the any other algorithm.
    * ssh-keygen(1): Allow certificate validity intervals that specify only a start or stop time (instead of both or neither).
    * sftp(1): Allow "cd" and "lcd" commands with no explicit path argument. lcd will change to the local user's home directory as usual. cd will change to the starting directory for session (because the protocol offers no way to obtain the remote user's home directory). bz#2760
    * sshd(8): When doing a config test with sshd -T, only require the attributes that are actually used in Match criteria rather than (an incomplete list of) all criteria.
  • The following significant bugs have been fixed in this release:
    * ssh(1)/sshd(8): More strictly check signature types during key exchange against what was negotiated. Prevents downgrade of RSA signatures made with SHA-256/512 to SHA-1.
    * sshd(8): Fix support for client that advertise a protocol version of "1.99" (indicating that they are prepared to accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1 support. bz#2810
    * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a rsa-sha2-256/512 signature was requested. This condition is possible when an old or non-OpenSSH agent is in use. bz#2799
    * ssh-agent(1): Fix regression introduce in 7.6 that caused ssh-agent to fatally exit if presented an invalid signature request message.
    * sshd_config(5): Accept yes/no flag options case-insensitively, as has been the case in ssh_config(5) for a long time. bz#2664
    * ssh(1): Improve error reporting for failures during connection. Under some circumstances misleading errors were being shows. bz#2814
    * ssh-keyscan(1): Add -D option to allow printing of results directly in SSHFP format. bz#2821
    * regress tests: fix PuTTY interop test broken in last release's SSHv1 removal. bz#2823
    * ssh(1): Compatibility fix for some servers that erroneously drop the connection when the IUTF8 (RFC8160) option is sent.
    * scp(1): Disable RemoteCommand and RequestTTY in the ssh session started by scp (sftp was already doing this.)
    * ssh-keygen(1): Refuse to create a certificate with an unusable number of principals.
    * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the public key during key generation. Previously it would silently ignore errors writing the comment and terminating newline.
    * ssh(1): Do not modify hostname arguments that are addresses by automatically forcing them to lower-case. Instead canonicalise them to resolve ambiguities (e.g. ::0001 => ::1) before they are matched against known_hosts. bz#2763
    * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey prompts. bz#2803
    * sftp(1): Have sftp print a warning about shell cleanliness when decoding the first packet fails, which is usually caused by shells polluting stdout of non-interactive startups. bz#2800
    * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock time to monotonic time, allowing the packet layer to better function over a clock step and avoiding possible integer overflows during steps.
    * Numerous manual page fixes and improvements.
• LibreSSL 2.7.2
  • Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on observations of real-world usage in applications. These are implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility changes have not been made to existing structs, allowing code written for older OpenSSL APIs to continue working.
  • Extensive corrections, improvements, and additions to the API documentation, including new public APIs from OpenSSL that had no pre-existing documentation.
  • Added support for automatic library initialization in libcrypto, libssl, and libtls. Support for pthread_once or a compatible equivalent is now required of the target operating system. As a side-effect, minimum Windows support is Vista or higher.
  • Converted more packet handling methods to CBB, which improves resiliency when generating TLS messages.
  • Completed TLS extension handling rewrite, improving consistency of checks for malformed and duplicate extensions.
  • Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1. This removes the last remaining use of the old M_ASN1_* macros (asn1_mac.h) from API that needs to continue to exist.
  • Added support for client-side session resumption in libtls. A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes.
  • Improved support for strict alignment on ARMv7 architectures, conditionally enabling assembly in those cases.
  • Fixed a memory leak in libtls when reusing a tls_config.
  • Merged more DTLS support into the regular TLS code path, removing duplicated code.
• Ports and packages:
  • dpb(1) and normalports(7) can now enjoy the same privilege separated model by settingPORTS_PRIVSEP=Yes
    Many pre-built packages for each architecture:
  • aarch64: 7990
  • alpha: 1
  • amd64: 9912
  • arm: 6582
  • i386: 9861
  • mips64: 8149
  • mips64el: 8254
  • powerpc: 8809
  • sh: 1
  • sparc64: 8401
    Some highlights:
  • AFL 2.52b
  • CMake 3.10.2
  • Chromium 65.0.3325.181
  • Emacs 21.4 and 25.3
  • GCC 4.9.4
  • GHC 8.2.2
  • Gimp 2.8.22
  • GNOME 3.26.2
  • Go 1.10
  • Groff 1.22.3
  • JDK 8u144
  • KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
  • LLVM/Clang 5.0.1
  • LibreOffice 6.0.2.1
  • Lua 5.1.5, 5.2.4 and 5.3.4
  • MariaDB 10.0.34
  • Mozilla Firefox 52.7.3esr and 59.0.2
  • Mozilla Thunderbird 52.7.0
  • Mutt 1.9.4 and NeoMutt 20180223
  • Node.js 8.9.4
  • Ocaml 4.03.0
  • OpenLDAP 2.3.43 and 2.4.45
  • PHP 5.6.34 and 7.0.28
  • Postfix 3.3.0 and 3.4-20180203
  • PostgreSQL 10.3
  • Python 2.7.14 and 3.6.4
  • R 3.4.4
  • Ruby 2.3.6, 2.4.3 and 2.5.0
  • Rust 1.24.0
  • Sendmail 8.16.0.21
  • SQLite3 3.22.0
  • Sudo 1.8.22
  • Tcl/Tk 8.5.19 and 8.6.8
  • TeX Live 2017
  • Vim 8.0.1589
  • Xfce 4.12
• As usual, steady improvements in manual pages and other documentation.
• The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches, freetype 2.8.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 330, xkeyboard-config 2.20 and more)
  • LLVM/Clang 5.0.1 (+ patches)
  • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.24.3 (+ patches)
  • NSD 4.1.20
  • Unbound 1.6.8
  • Ncurses 5.7
  • Binutils 2.17 (+ patches)
  • Gdb 6.3 (+ patches)
  • Awk Aug 10, 2011 version
  • Expat 2.2.5

How to install

Please refer to the following files on the mirror site for extensive details on how to install OpenBSD 6.3 on your machine:

• .../OpenBSD/6.3/alpha/INSTALL.alpha
• .../OpenBSD/6.3/amd64/INSTALL.amd64
• .../OpenBSD/6.3/arm64/INSTALL.arm64
• .../OpenBSD/6.3/armv7/INSTALL.armv7
• .../OpenBSD/6.3/hppa/INSTALL.hppa
• .../OpenBSD/6.3/i386/INSTALL.i386
• .../OpenBSD/6.3/landisk/INSTALL.landisk
• .../OpenBSD/6.3/loongson/INSTALL.loongson
• .../OpenBSD/6.3/luna88k/INSTALL.luna88k
• .../OpenBSD/6.3/macppc/INSTALL.macppc
• .../OpenBSD/6.3/octeon/INSTALL.octeon
• .../OpenBSD/6.3/sgi/INSTALL.sgi
• .../OpenBSD/6.3/sparc64/INSTALL.sparc64

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!

OpenBSD/alpha:

Write floppy63.fs or floppyB63.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

OpenBSD/amd64:

If your machine can boot from CD, you can write install63.iso or_cd63.iso_ to a CD and boot from it. You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install63.fs or_miniroot63.fs_ to a USB stick and boot from it.

If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document.

If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.

OpenBSD/arm64:

Write miniroot63.fs to a disk and boot from it after connecting to the serial console. Refer to INSTALL.arm64 for more details.

OpenBSD/armv7:

Write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv7 for more details.

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or thehppa platform page.

OpenBSD/i386:

If your machine can boot from CD, you can write install63.iso or_cd63.iso_ to a CD and boot from it. You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install63.fs or_miniroot63.fs_ to a USB stick and boot from it.

If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document.

If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.

OpenBSD/landisk:

Write miniroot63.fs to the start of the CF or disk, and boot normally.

OpenBSD/loongson:

Write miniroot63.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details.

OpenBSD/luna88k:

Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details.

OpenBSD/macppc:

Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /6.3/macppc/bsd.rd

OpenBSD/octeon:

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details.

OpenBSD/sgi:

To install, burn cd63.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from CD-ROM, and need a proper invocation from the PROM prompt. Refer to the instructions in INSTALL.sgi for more details.

If your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details.

OpenBSD/sparc64:

Burn the image from a mirror site to a CDROM, boot from it, and type_boot cdrom_.

If this doesn't work, or if you don't have a CDROM drive, you can write_floppy63.fs_ or floppyB63.fs(depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

You can also write miniroot63.fs to the swap partition on the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64.

How to upgrade

If you already have an OpenBSD 6.2 system, and do not want to reinstall, upgrade instructions and advice can be found in theUpgrade Guide.

Notes about the source code

src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract:

mkdir -p /usr/src

cd /usr/src

tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract:

mkdir -p /usr/src/sys

cd /usr/src

tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.

Ports Tree

A ports tree archive is also provided. To extract:

cd /usr

tar xvfz /tmp/ports.tar.gz

Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.

The ports/ directory represents a CVS checkout of our ports. As with our complete source tree, our ports tree is available viaAnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:

cd /usr/ports

cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_3

[Of course, you must replace the server name here with a nearby anoncvs server.]

Note that most ports are available as packages on our mirrors. Updated ports for the 6.3 release will be made available if problems arise.

If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing listports@openbsd.org is a good place to know.