Date:      Sun, 8 Apr 2018 20:54:13 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r332306 - in stable/11: sys/conf tools/build/options
Message-ID:  <201804082054.w38KsDeB036297@repo.freebsd.org>

Author: emaste
Date: Sun Apr  8 20:54:13 2018
New Revision: 332306
URL: https://svnweb.freebsd.org/changeset/base/332306

Log:
  MFC r330110: Add kernel retpoline option for amd64
  
  Retpoline is a compiler-based mitigation for CVE-2017-5715, also known
  as Spectre V2, that protects against speculative execution branch target
  injection attacks.
  
  In this commit it is disabled by default, but will be changed in a
  followup commit.
  
  MFC r330962: Remove KERNEL_RETPOLINE from BROKEN_OPTIONS on i386
  
  Clang will compile both amd64 and i386 with retpoline.
  
  Sponsored by:	The FreeBSD Foundation

Added:
  stable/11/tools/build/options/WITHOUT_KERNEL_RETPOLINE
     - copied unchanged from r330110, head/tools/build/options/WITHOUT_KERNEL_RETPOLINE
  stable/11/tools/build/options/WITH_KERNEL_RETPOLINE
     - copied unchanged from r330110, head/tools/build/options/WITH_KERNEL_RETPOLINE
Modified:
  stable/11/sys/conf/kern.mk
  stable/11/sys/conf/kern.opts.mk
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/conf/kern.mk
==============================================================================
--- stable/11/sys/conf/kern.mk	Sun Apr  8 20:53:00 2018	(r332305)
+++ stable/11/sys/conf/kern.mk	Sun Apr  8 20:54:13 2018	(r332306)
@@ -192,7 +192,7 @@ CFLAGS+=	-ffreestanding
 # gcc and clang opimizers take advantage of this.  The kernel makes
 # use of signed integer wraparound mechanics so we need the compiler
 # to treat it as a wraparound and not take shortcuts.
-# 
+#
 CFLAGS+=	-fwrapv
 
 #
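Review bot: the only change in this hunk is stripping the trailing space from the "# " comment line, which is unrelated to the retpoline option; harmless in an MFC, but the neighbouring context line still reads "opimizers", which could be corrected in the same whitespace pass.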
@@ -201,6 +201,14 @@ CFLAGS+=	-fwrapv
 .if ${MK_SSP} != "no" && \
     ${MACHINE_CPUARCH} != "arm" && ${MACHINE_CPUARCH} != "mips"
 CFLAGS+=	-fstack-protector
+.endif
+
+#
+# Retpoline speculative execution vulnerability mitigation (CVE-2017-5715)
+#
+.if defined(COMPILER_FEATURES) && ${COMPILER_FEATURES:Mretpoline} != "" && \
+    ${MK_KERNEL_RETPOLINE} != "no"
+CFLAGS+=	-mretpoline
 .endif
 
 #
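Review bot: when MK_KERNEL_RETPOLINE is "yes" but COMPILER_FEATURES does not contain "retpoline", the new .if silently omits -mretpoline and the kernel builds without the mitigation the user asked for; add an .elif branch such as `.elif ${MK_KERNEL_RETPOLINE} != "no"` followed by `.warning KERNEL_RETPOLINE requested but the compiler does not support -mretpoline` (or .error, if an unmitigated build should not be allowed to proceed unnoticed). Note also that this block is not gated on MACHINE_CPUARCH; it relies on kern.opts.mk forcing the option to "no" on other architectures via BROKEN_OPTIONS, which is worth stating in the comment so the two files are not changed independently.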

Modified: stable/11/sys/conf/kern.opts.mk
==============================================================================
--- stable/11/sys/conf/kern.opts.mk	Sun Apr  8 20:53:00 2018	(r332305)
+++ stable/11/sys/conf/kern.opts.mk	Sun Apr  8 20:54:13 2018	(r332306)
@@ -48,6 +48,7 @@ __DEFAULT_YES_OPTIONS = \
 __DEFAULT_NO_OPTIONS = \
     EISA \
     EXTRA_TCP_STACKS \
+    KERNEL_RETPOLINE \
     NAND \
     OFED \
     REPRODUCIBLE_BUILD
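Review bot: KERNEL_RETPOLINE is placed in __DEFAULT_NO_OPTIONS, so a stable/11 kernel is built without the Spectre V2 mitigation unless WITH_KERNEL_RETPOLINE is set explicitly; the log says this default is temporary, so the follow-up that moves it to __DEFAULT_YES_OPTIONS should be tracked, and a short comment next to the entry marking the default as provisional would help anyone reading kern.opts.mk in the meantime.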
@@ -83,6 +84,11 @@ BROKEN_OPTIONS+= EISA
 
 .if ${MACHINE} != "i386" && ${MACHINE} != "amd64"
 BROKEN_OPTIONS+= OFED
+.endif
+
+# Things that don't work based on toolchain support.
+.if ${MACHINE} != "i386" && ${MACHINE} != "amd64"
+BROKEN_OPTIONS+= KERNEL_RETPOLINE
 .endif
 
 # expanded inline from bsd.mkopt.mk to avoid share/mk dependency
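Review bot: the new comment says the option is broken "based on toolchain support", but the condition tests MACHINE, not the toolchain; the actual compiler capability check is the COMPILER_FEATURES:Mretpoline test in kern.mk. Reword it to something like "# Retpoline is only implemented for i386 and amd64", and since the .if condition is identical to the OFED block directly above, consider folding KERNEL_RETPOLINE into that block rather than repeating the test.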

Copied: stable/11/tools/build/options/WITHOUT_KERNEL_RETPOLINE (from r330110, head/tools/build/options/WITHOUT_KERNEL_RETPOLINE)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/tools/build/options/WITHOUT_KERNEL_RETPOLINE	Sun Apr  8 20:54:13 2018	(r332306, copy of r330110, head/tools/build/options/WITHOUT_KERNEL_RETPOLINE)
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to disable the "retpoline" mitigation for CVE-2017-5715 in the kernel
+build.

Copied: stable/11/tools/build/options/WITH_KERNEL_RETPOLINE (from r330110, head/tools/build/options/WITH_KERNEL_RETPOLINE)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/tools/build/options/WITH_KERNEL_RETPOLINE	Sun Apr  8 20:54:13 2018	(r332306, copy of r330110, head/tools/build/options/WITH_KERNEL_RETPOLINE)
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to enable the "retpoline" mitigation for CVE-2017-5715 in the kernel
+build.
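Review bot: the description does not mention that the option only takes effect on i386 and amd64 and only when the compiler supports -mretpoline (kern.mk omits the flag silently otherwise); stating both conditions here would stop users from assuming the mitigation is present merely because WITH_KERNEL_RETPOLINE was set.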



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201804082054.w38KsDeB036297>