Some highlights that ‘caught my eye’:
* On sparc64 ldomctl(8) now supports more modern firmware found on SPARC T2+ and T3 machines in particular such as T1000, T5120 and T5240. NVRAM variables can now be set per logical domain.
* ACPI support on OpenBSD/arm64 platforms.
* New acpisurface(4) driver providing ACPI support for Microsoft Surface Book laptops.
* New acpipci(4/arm64) driver providing support for PCI host bridges based on information provided by ACPI.
* Added a sensor for port replicatior status to acpithinkpad(4).Implemented MAP_STACK option for mmap(2). At pagefaults and syscalls the kernel will check that the stack pointer points to MAP_STACK memory, which mitigates against attacks using stack pivots.
* New RETGUARD security mechanism on amd64 and arm64: use per-function random cookies to protect access to function return instructions, making them harder to use in ROP gadgets.
* clang(1) includes a pass that identifies common instructions which may be useful in ROP gadgets and replaces them with safe alternatives on amd64 and i386.
* The Retpoline mitigation against Spectre Variant 2 has been enabled in clang(1) and in assembly files on amd64 and i386.
* Added SpectreRSB mitigation on amd64.
* Added Intel L1 Terminal Fault mitigation on amd64.
* Meltdown mitigation was added to i386.
amd64 now uses eager-FPU switching to prevent FPU state information speculatively leaking across protection boundaries.
* Because Simultaneous MultiThreading (SMT) uses core resources in a shared and unsafe manner, it is now disabled by default. It can be enabled with the new hw.smt sysctl(2) variable.
https://www.openbsd.org/64.html
Firmware Security 