Add kernel retpoline option for amd64
Retpoline is a compiler-based mitigation for CVE-2017-5715, also known as Spectre V2, that protects against speculative execution branch target injection attacks. In this commit it is disabled by default, but will be changed in a followup commit. Reviewed by: bdrewery (previous version) MFC after: 3 days Security: CVE-2017-5715 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D14242
+9
-1
@@ -203,7 +203,7 @@ CFLAGS+= -ffreestanding
|
||||
# gcc and clang opimizers take advantage of this. The kernel makes
|
||||
# use of signed integer wraparound mechanics so we need the compiler
|
||||
# to treat it as a wraparound and not take shortcuts.
|
||||
#
|
||||
#
|
||||
CFLAGS+= -fwrapv
|
||||
|
||||
#
|
||||
@@ -214,6 +214,14 @@ CFLAGS+= -fwrapv
|
||||
CFLAGS+= -fstack-protector
|
||||
.endif
|
||||
|
||||
#
|
||||
# Retpoline speculative execution vulnerability mitigation (CVE-2017-5715)
|
||||
#
|
||||
.if defined(COMPILER_FEATURES) && ${COMPILER_FEATURES:Mretpoline} != "" && \
|
||||
${MK_KERNEL_RETPOLINE} != "no"
|
||||
CFLAGS+= -mretpoline
|
||||
.endif
|
||||
|
||||
#
|
||||
# Add -gdwarf-2 when compiling -g. The default starting in clang v3.4
|
||||
# and gcc 4.8 is to generate DWARF version 4. However, our tools don't
|
||||
|
||||
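Review bot: When MK_KERNEL_RETPOLINE is "yes" but the compiler does not advertise the retpoline feature, the new `.if` on the `${MK_KERNEL_RETPOLINE} != "no"` block simply skips `-mretpoline`, so the kernel builds without the CVE-2017-5715 mitigation and nothing tells the user; that matters even more once the follow-up mentioned in the commit message flips the default to yes. Add an explicit branch before the `.endif`: `.elif ${MK_KERNEL_RETPOLINE} == "yes"` / `.error Retpoline requested but not supported by compiler` (or `.warning` if older toolchains must keep building), and if kern.mk can be reached without COMPILER_FEATURES having been set, keep `defined(COMPILER_FEATURES)` in that branch as well. It would also help to extend the header comment to say that `-mretpoline` only rewrites compiler-generated indirect branches, so hand-written assembly in the kernel still needs its own treatment, and that the spelling is clang's (gcc calls it `-mindirect-branch=thunk`), which is why the COMPILER_FEATURES probe — set outside this hunk — must stay in front of the flag.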
@@ -47,6 +47,7 @@ __DEFAULT_YES_OPTIONS = \
|
||||
|
||||
__DEFAULT_NO_OPTIONS = \
|
||||
EXTRA_TCP_STACKS \
|
||||
KERNEL_RETPOLINE \
|
||||
NAND \
|
||||
OFED \
|
||||
RATELIMIT \
|
||||
@@ -85,6 +86,11 @@ BROKEN_OPTIONS+= FORMAT_EXTENSIONS
|
||||
BROKEN_OPTIONS+= OFED
|
||||
.endif
|
||||
|
||||
# Things that don't work based on toolchain support.
|
||||
.if ${MACHINE} != "amd64"
|
||||
BROKEN_OPTIONS+= KERNEL_RETPOLINE
|
||||
.endif
|
||||
|
||||
# expanded inline from bsd.mkopt.mk to avoid share/mk dependency
|
||||
|
||||
# Those that default to yes
|
||||
|
||||
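Review bot: The comment `# Things that don't work based on toolchain support.`, which appears to be added in this hunk above `.if ${MACHINE} != "amd64"`, is misleading: the test keys on the target architecture, not on anything the toolchain does, and compiler support for retpoline is checked separately in sys/conf/kern.mk. Reword it to `# Retpoline is only wired up for the amd64 kernel build (see sys/conf/kern.mk).` so a reader does not look for a toolchain probe here. Since BROKEN_OPTIONS presumably forces the knob to "no" (the handling is inlined from bsd.mkopt.mk outside this hunk), a WITH_KERNEL_RETPOLINE in src.conf on i386 or any other architecture is silently ignored rather than reported; that is worth stating in the option description or a comment here so users do not assume those kernels are mitigated.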
@@ -0,0 +1,3 @@
|
||||
.\" $FreeBSD$
|
||||
Set to disable the "retpoline" mitigation for CVE-2017-5715 in the kernel
|
||||
build.
|
||||
@@ -0,0 +1,3 @@
|
||||
.\" $FreeBSD$
|
||||
Set to enable the "retpoline" mitigation for CVE-2017-5715 in the kernel
|
||||
build.
|
||||