From e9093b66d54d71026d083389f3c9ca674f849083 Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Wed, 28 Feb 2018 14:57:45 +0000 Subject: [PATCH] Add kernel retpoline option for amd64 Retpoline is a compiler-based mitigation for CVE-2017-5715, also known as Spectre V2, that protects against speculative execution branch target injection attacks. In this commit it is disabled by default, but will be changed in a followup commit. Reviewed by: bdrewery (previous version) MFC after: 3 days Security: CVE-2017-5715 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D14242 --- sys/conf/kern.mk | 10 +++++++++- sys/conf/kern.opts.mk | 6 ++++++ tools/build/options/WITHOUT_KERNEL_RETPOLINE | 3 +++ tools/build/options/WITH_KERNEL_RETPOLINE | 3 +++ 4 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 tools/build/options/WITHOUT_KERNEL_RETPOLINE create mode 100644 tools/build/options/WITH_KERNEL_RETPOLINE diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk index 330af13d9dc..d85351d977c 100644 --- a/sys/conf/kern.mk +++ b/sys/conf/kern.mk @@ -203,7 +203,7 @@ CFLAGS+= -ffreestanding # gcc and clang opimizers take advantage of this. The kernel makes # use of signed integer wraparound mechanics so we need the compiler # to treat it as a wraparound and not take shortcuts. -# +# CFLAGS+= -fwrapv # @@ -214,6 +214,14 @@ CFLAGS+= -fwrapv CFLAGS+= -fstack-protector .endif +# +# Retpoline speculative execution vulnerability mitigation (CVE-2017-5715) +# +.if defined(COMPILER_FEATURES) && ${COMPILER_FEATURES:Mretpoline} != "" && \ + ${MK_KERNEL_RETPOLINE} != "no" +CFLAGS+= -mretpoline +.endif + # # Add -gdwarf-2 when compiling -g. The default starting in clang v3.4 # and gcc 4.8 is to generate DWARF version 4. However, our tools don't diff --git a/sys/conf/kern.opts.mk b/sys/conf/kern.opts.mk index ba271be2886..4e38c06f13c 100644 --- a/sys/conf/kern.opts.mk +++ b/sys/conf/kern.opts.mk @@ -47,6 +47,7 @@ __DEFAULT_YES_OPTIONS = \ __DEFAULT_NO_OPTIONS = \ EXTRA_TCP_STACKS \ + KERNEL_RETPOLINE \ NAND \ OFED \ RATELIMIT \ @@ -85,6 +86,11 @@ BROKEN_OPTIONS+= FORMAT_EXTENSIONS BROKEN_OPTIONS+= OFED .endif +# Things that don't work based on toolchain support. +.if ${MACHINE} != "amd64" +BROKEN_OPTIONS+= KERNEL_RETPOLINE +.endif + # expanded inline from bsd.mkopt.mk to avoid share/mk dependency # Those that default to yes diff --git a/tools/build/options/WITHOUT_KERNEL_RETPOLINE b/tools/build/options/WITHOUT_KERNEL_RETPOLINE new file mode 100644 index 00000000000..ca7bd77dd95 --- /dev/null +++ b/tools/build/options/WITHOUT_KERNEL_RETPOLINE @@ -0,0 +1,3 @@ +.\" $FreeBSD$ +Set to disable the "retpoline" mitigation for CVE-2017-5715 in the kernel +build. diff --git a/tools/build/options/WITH_KERNEL_RETPOLINE b/tools/build/options/WITH_KERNEL_RETPOLINE new file mode 100644 index 00000000000..3a0ff6cd437 --- /dev/null +++ b/tools/build/options/WITH_KERNEL_RETPOLINE @@ -0,0 +1,3 @@ +.\" $FreeBSD$ +Set to enable the "retpoline" mitigation for CVE-2017-5715 in the kernel +build.