Limit some cc options based upon features

Limit the use of stack clash protection and zeroregs based upon
compiler features:
 - switch unconditional use of stack clash protection into a compiler
   feature
 - limit the use of stack clash protection on unsupported architectures
   (I did not wade into the source of each compiler to determine when
   support arrived for each architecture; I used the compiler version
   in which the feature was introduced, together with the architectures
   that are supported currently)
 - add a safeguard for stack clash protection in places where we have no
   SSP provisions (we may not need it, but better safe than sorry when
   something changes or is overridden by the user)
 - limit the use of zeroregs the same way, so that even specifying it
   will not lead to build failures (useful for universe builds when
   WITH_ZEROREGS is specified in src.conf)

Differential Revision:	https://reviews.freebsd.org/D48724
Alexander Leidinger
2025-01-31 13:11:06 +01:00
parent 36fdc42c6a
commit 1c2ae9233b
3 changed files with 21 additions and 6 deletions
+12 -1
@@ -24,6 +24,7 @@
# - retpoline: supports the retpoline speculative execution vulnerability # - retpoline: supports the retpoline speculative execution vulnerability
# mitigation. # mitigation.
# - init-all: supports stack variable initialization. # - init-all: supports stack variable initialization.
# - stackclash:supports stack clash protection
# - zeroregs: supports zeroing used registers on return # - zeroregs: supports zeroing used registers on return
# - aarch64-sha512: supports the AArch64 sha512 intrinsic functions. # - aarch64-sha512: supports the AArch64 sha512 intrinsic functions.
# #
@@ -264,8 +265,18 @@ ${X_}COMPILER_FEATURES+= compressed-debug
${X_}COMPILER_FEATURES+= fileprefixmap ${X_}COMPILER_FEATURES+= fileprefixmap
.endif .endif
.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 70000 \
&& ${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "") || \
(${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 81000 \
&& ${MACHINE_ARCH:Mriscv*} != "")
${X_}COMPILER_FEATURES+= stackclash
.endif
.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \ .if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \
(${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000) (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000) && \
${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "" && \
${MACHINE_ARCH:Marmv7*} != ""
${X_}COMPILER_FEATURES+= zeroregs ${X_}COMPILER_FEATURES+= zeroregs
.endif .endif
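Review bot: The architecture tests in the new stackclash condition (second hunk) appear inverted: `${MACHINE_ARCH:Mriscv*} != ""` is true only when MACHINE_ARCH matches riscv*, so requiring both the riscv and power matches to be non-empty can never hold for a single-word MACHINE_ARCH and the feature would never be added; the exclusions presumably want `== ""`. The zeroregs condition has the same inversion and, since `&&` binds tighter than `||` in bmake conditionals (as in C), the added arch checks only attach to the gcc branch, leaving clang >= 15 unrestricted on riscv, power and armv7. Parenthesizing the compiler test and negating the matches gives what the commit message describes; please confirm the intended arch list for each compiler, which this review cannot verify.
```make
.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 70000 \
    && ${MACHINE_ARCH:Mriscv*} == "" && ${MACHINE_ARCH:Mpower*} == "") || \
    (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 81000 \
    && ${MACHINE_ARCH:Mriscv*} == "")
${X_}COMPILER_FEATURES+=	stackclash
.endif
.if ((${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \
    (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000)) && \
    ${MACHINE_ARCH:Mriscv*} == "" && ${MACHINE_ARCH:Mpower*} == "" && \
    ${MACHINE_ARCH:Marmv7*} == ""
${X_}COMPILER_FEATURES+=	zeroregs
.endif
```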
+5 -5
@@ -170,7 +170,7 @@ PO_FLAG=-pg
${CTFCONVERT_CMD} ${CTFCONVERT_CMD}
.c.nossppico: .c.nossppico:
${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET} ${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
${CTFCONVERT_CMD} ${CTFCONVERT_CMD}
.c.pieo: .c.pieo:
@@ -184,7 +184,7 @@ PO_FLAG=-pg
${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}
.cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico: .cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico:
${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET} ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
.cc.pieo .C.pieo .cpp.pieo .cxx.pieo: .cc.pieo .C.pieo .cpp.pieo .cxx.pieo:
${CXX} ${PIEFLAG} ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CXX} ${PIEFLAG} ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}
@@ -198,7 +198,7 @@ PO_FLAG=-pg
${CTFCONVERT_CMD} ${CTFCONVERT_CMD}
.f.nossppico: .f.nossppico:
${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//} -o ${.TARGET} -c ${.IMPSRC} ${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} -o ${.TARGET} -c ${.IMPSRC}
${CTFCONVERT_CMD} ${CTFCONVERT_CMD}
.s.po .s.pico .s.nossppico .s.pieo: .s.po .s.pico .s.nossppico .s.pieo:
@@ -217,7 +217,7 @@ PO_FLAG=-pg
.asm.nossppico: .asm.nossppico:
${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PICFLAG} -DPIC \ ${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PICFLAG} -DPIC \
${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET}
${CTFCONVERT_CMD} ${CTFCONVERT_CMD}
.asm.pieo: .asm.pieo:
@@ -236,7 +236,7 @@ PO_FLAG=-pg
${CTFCONVERT_CMD} ${CTFCONVERT_CMD}
.S.nossppico: .S.nossppico:
${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} \ ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} \
-c ${.IMPSRC} -o ${.TARGET} -c ${.IMPSRC} -o ${.TARGET}
${CTFCONVERT_CMD} ${CTFCONVERT_CMD}
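Review bot: The `:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//` modifier chain is now repeated verbatim on six variable references across the five nossppico rules (`.c.nossppico`, the C++ rule, `.f.nossppico`, `.asm.nossppico` and `.S.nossppico`), so the next flag that must be kept out of these objects needs five more coordinated edits. If bmake's indirect modifiers (`${VAR:${MODS}}`) are acceptable in this file, a single variable defined once near these rules and used as `${CFLAGS:${NOSSP_MODS}}` would keep the list in one place; whether the `$` anchors then need `$$` escaping inside an assignment should be checked against bmake. A one-line comment on the first rule stating why the nossppico objects must not carry stack clash probes in addition to the stack protector would also help, since neither the file nor the rule names record that reason.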
+4
@@ -304,7 +304,11 @@ CXXFLAGS.clang+= -Wno-c++11-extensions
FORTIFY_SOURCE?= 0 FORTIFY_SOURCE?= 0
.if ${MK_SSP} != "no" .if ${MK_SSP} != "no"
# Don't use -Wstack-protector as it breaks world with -Werror. # Don't use -Wstack-protector as it breaks world with -Werror.
.if ${COMPILER_FEATURES:Mstackclash}
SSP_CFLAGS?= -fstack-protector-strong -fstack-clash-protection SSP_CFLAGS?= -fstack-protector-strong -fstack-clash-protection
.else
SSP_CFLAGS?= -fstack-protector-strong
.endif
CFLAGS+= ${SSP_CFLAGS} CFLAGS+= ${SSP_CFLAGS}
.endif # SSP .endif # SSP
.if ${FORTIFY_SOURCE} > 0 .if ${FORTIFY_SOURCE} > 0
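Review bot: The feature gate only protects the default: because both branches use `?=`, a user who sets `SSP_CFLAGS` in src.conf or on the command line bypasses the `COMPILER_FEATURES:Mstackclash` check entirely and can still hand `-fstack-clash-protection` to a compiler/arch combination that rejects it, which is the build failure this change is meant to avoid. If that is the intended contract it should be stated; a comment above the new `.if`, such as `# Only add -fstack-clash-protection where bsd.compiler.mk reports support; a user-supplied SSP_CFLAGS is taken as-is.`, would make it explicit. The same comment could note that keeping the flag inside SSP_CFLAGS means WITHOUT_SSP drops stack clash protection along with the stack protector, which predates this commit but is easy to overlook now that the two are gated differently.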