Introduce src.conf knob to build userland with retpoline

WITH_RETPOLINE enables -mretpoline vulnerability mitigation in userland for CVE-2017-5715. Reported by: Peter Malcom Reviewed by: markj MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17421
2018-10-21 00:27:59 +00:00 · 2018-10-21 00:27:59 +00:00 · fc191b1111
commit fc191b1111
parent 6492be46b8
5 changed files with 20 additions and 3 deletions
--- a/Makefile.inc1
+++ b/Makefile.inc1
@ -659,7 +659,7 @@ BSARGS= 	DESTDIR= \
 		-DNO_PIC MK_PROFILE=no -DNO_SHARED \
 		-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
 		MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
-		MK_LLDB=no MK_TESTS=no \
+		MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no \
 		MK_INCLUDES=yes

 BMAKE=		\
@ -680,7 +680,7 @@ TMAKE=		\
 		-DNO_LINT \
 		-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
 		MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
-		MK_LLDB=no MK_TESTS=no
+		MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no

 # cross-tools stage
 # TOOLS_PREFIX set in BMAKE
@ -703,7 +703,7 @@ KTMAKE=		\
 		SSP_CFLAGS= \
 		MK_HTML=no -DNO_LINT MK_MAN=no \
 		-DNO_PIC MK_PROFILE=no -DNO_SHARED \
-		-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no
+		-DNO_CPU_CFLAGS MK_RETPOLINE=no MK_WARNS=no MK_CTF=no

 # world stage
 WMAKEENV=	${CROSSENV} \
@ -2383,6 +2383,7 @@ NXBMAKEARGS+= \
 	MK_OFED=no \
 	MK_OPENSSH=no \
 	MK_PROFILE=no \
+	MK_RETPOLINE=no \
 	MK_SENDMAIL=no \
 	MK_SVNLITE=no \
 	MK_TESTS=no \
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@ -69,6 +69,12 @@ TAGS+=		package=${PACKAGE:Uruntime}
 TAG_ARGS=	-T ${TAGS:[*]:S/ /,/g}
 .endif

+.if ${MK_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+CXXFLAGS+= -mretpoline
+LDFLAGS+= -Wl,-zretpolineplt
+.endif
+
 .if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \
    empty(DEBUG_FLAGS:M-gdwarf*)
 CFLAGS+= ${DEBUG_FILES_CFLAGS}
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@ -72,6 +72,7 @@ __DEFAULT_NO_OPTIONS = \
    CCACHE_BUILD \
    CTF \
    INSTALL_AS_USER \
+    RETPOLINE \
    STALE_STAGED

 __DEFAULT_DEPENDENT_OPTIONS = \
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@ -34,6 +34,12 @@ PROG=	${PROG_CXX}
 MK_DEBUG_FILES=	no
 .endif

+.if ${MK_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+CXXFLAGS+= -mretpoline
+LDFLAGS+= -Wl,-zretpolineplt
+.endif
+
 .if defined(CRUNCH_CFLAGS)
 CFLAGS+=${CRUNCH_CFLAGS}
 .else
--- a/tools/build/options/WITH_RETPOLINE
+++ b/tools/build/options/WITH_RETPOLINE
@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to build the base system with the retpoline speculative execution
+vulnerability mitigation for CVE-2017-5715.