This is the first public release of the hardened/12-stable/master branch, which contains many security improvements over 11-STABLE.
Among those improvements are:
- Non-Cross-DSO Control-Flow Integrity (CFI) for applications on amd64 and arm64. At this time, CFI is not applied to the kernel.
- Jailed bhyve.
- Per-jail toggles for unprivileged process debugging (the security.bsd.unprivilegedprocessdebug sysctl node).
- Spectre v2 mitigation with retpoline applied to the entirety of base and ports.
- Symmetric Multi-Threading (SMT) disabled by default (re-enable by setting machdep.hyperthreading_allowed to 1 in loader.conf(5)).
- Migration of more compiler toolchain components to llvm's implementations (llvm-ar, llvm-nm, and llvm-objdump).
- Compilation of applications with Link-Time Optimization (LTO).