Limit some cc options based upon features
Limit the use of stack clash protection and zeroregs based upon compiler features:

- switch unconditional use of stack clash protection into a compiler feature
- limit the use of stack clash protection on unsupported architectures (I did not wade into the source of each compiler to determine when support arrived for each architecture, I used the compiler version when it was introduced with what is supported currently)
- add a safeguard for stack clash protection in places where we have no SSP provisions (we may not need it, but better safe than sorry when something changes or is overridden by the user)
- limit the use of zeroregs the same way, so that even specifying it will not lead to build failures (useful for universe builds when WITH_ZEROREGS is specified in src.conf)

Differential Revision: https://reviews.freebsd.org/D48724
@@ -24,6 +24,7 @@
|
||||
# - retpoline: supports the retpoline speculative execution vulnerability
|
||||
# mitigation.
|
||||
# - init-all: supports stack variable initialization.
|
||||
# - stackclash:supports stack clash protection
|
||||
# - zeroregs: supports zeroing used registers on return
|
||||
# - aarch64-sha512: supports the AArch64 sha512 intrinsic functions.
|
||||
#
|
||||
@@ -264,8 +265,18 @@ ${X_}COMPILER_FEATURES+= compressed-debug
|
||||
${X_}COMPILER_FEATURES+= fileprefixmap
|
||||
.endif
|
||||
|
||||
.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 70000 \
|
||||
&& ${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "") || \
|
||||
(${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 81000 \
|
||||
&& ${MACHINE_ARCH:Mriscv*} != "")
|
||||
${X_}COMPILER_FEATURES+= stackclash
|
||||
.endif
|
||||
|
||||
|
||||
.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \
|
||||
(${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000)
|
||||
(${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000) && \
|
||||
${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "" && \
|
||||
${MACHINE_ARCH:Marmv7*} != ""
|
||||
${X_}COMPILER_FEATURES+= zeroregs
|
||||
.endif
|
||||
|
||||
|
||||
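Review bot: The architecture tests in the new `stackclash` condition look inverted: `${MACHINE_ARCH:Mriscv*} != ""` is true only when the architecture matches `riscv*`, so the clang branch, which also requires `${MACHINE_ARCH:Mpower*} != ""`, can never be true, and the gcc branch enables the feature only on riscv. If the intent is the one given in the commit message (exclude unsupported architectures), each test should compare with `== ""`, e.g. `&& ${MACHINE_ARCH:Mriscv*} == "" && ${MACHINE_ARCH:Mpower*} == ""`. The `zeroregs` condition has the same inversion, and because `&&` binds tighter than `||` its architecture tests attach only to the gcc alternative, so clang 15 and later still gets the feature on every architecture; wrap the two compiler alternatives in one pair of parentheses before the architecture tests. Since the `SSP_CFLAGS` hunk keys `-fstack-clash-protection` on this feature, the condition as written would drop that hardening flag from default clang builds without any diagnostic.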
+5
-5
@@ -170,7 +170,7 @@ PO_FLAG=-pg
|
||||
${CTFCONVERT_CMD}
|
||||
|
||||
.c.nossppico:
|
||||
${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
|
||||
${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
|
||||
${CTFCONVERT_CMD}
|
||||
|
||||
.c.pieo:
|
||||
@@ -184,7 +184,7 @@ PO_FLAG=-pg
|
||||
${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}
|
||||
|
||||
.cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico:
|
||||
${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
|
||||
${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
|
||||
|
||||
.cc.pieo .C.pieo .cpp.pieo .cxx.pieo:
|
||||
${CXX} ${PIEFLAG} ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}
|
||||
@@ -198,7 +198,7 @@ PO_FLAG=-pg
|
||||
${CTFCONVERT_CMD}
|
||||
|
||||
.f.nossppico:
|
||||
${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//} -o ${.TARGET} -c ${.IMPSRC}
|
||||
${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} -o ${.TARGET} -c ${.IMPSRC}
|
||||
${CTFCONVERT_CMD}
|
||||
|
||||
.s.po .s.pico .s.nossppico .s.pieo:
|
||||
@@ -217,7 +217,7 @@ PO_FLAG=-pg
|
||||
|
||||
.asm.nossppico:
|
||||
${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PICFLAG} -DPIC \
|
||||
${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET}
|
||||
${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET}
|
||||
${CTFCONVERT_CMD}
|
||||
|
||||
.asm.pieo:
|
||||
@@ -236,7 +236,7 @@ PO_FLAG=-pg
|
||||
${CTFCONVERT_CMD}
|
||||
|
||||
.S.nossppico:
|
||||
${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} \
|
||||
${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} \
|
||||
-c ${.IMPSRC} -o ${.TARGET}
|
||||
${CTFCONVERT_CMD}
|
||||
|
||||
|
||||
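Review bot: The modifier chain `:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//` is now repeated by hand in every `nossppico` rule, and nothing in the visible lines says why these objects must lose the flag. A comment above `.c.nossppico:` would record the intent, for example `# nossppico objects have no SSP provisions: strip stack-protector and stack-clash flags even when they arrive through user-set CFLAGS.` The `.f`, `.asm` and `.S` rules also do not apply the `-fsanitize` strip that the `.c` and C++ rules do; that predates this change and may be deliberate, but it is worth confirming while the rules are being touched. The rule bodies start and end outside these hunks.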
@@ -304,7 +304,11 @@ CXXFLAGS.clang+= -Wno-c++11-extensions
|
||||
FORTIFY_SOURCE?= 0
|
||||
.if ${MK_SSP} != "no"
|
||||
# Don't use -Wstack-protector as it breaks world with -Werror.
|
||||
.if ${COMPILER_FEATURES:Mstackclash}
|
||||
SSP_CFLAGS?= -fstack-protector-strong -fstack-clash-protection
|
||||
.else
|
||||
SSP_CFLAGS?= -fstack-protector-strong
|
||||
.endif
|
||||
CFLAGS+= ${SSP_CFLAGS}
|
||||
.endif # SSP
|
||||
.if ${FORTIFY_SOURCE} > 0
|
||||
|
||||
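Review bot: The feature gate covers only the default value, because `SSP_CFLAGS?=` leaves a user-supplied `SSP_CFLAGS` untouched; an override that contains `-fstack-clash-protection` still reaches a compiler that lacks the `stackclash` feature. If that is intended, a comment above the inner `.if` would make it explicit, e.g. `# Add -fstack-clash-protection only when the compiler advertises stackclash; a user-set SSP_CFLAGS is passed through unchanged.` The fallback to `-fstack-protector-strong` alone is silent, so anyone auditing hardening flags has to read the feature test to know which builds carry stack clash protection.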