Date: Sat, 20 Oct 2018 20:31:14 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Ed Maste <emaste@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r339511 - in head: . share/mk tools/build/options
Message-ID: <20181021003114.dtvjaklkcymksnj5@mutt-hbsd>
In-Reply-To: <201810210027.w9L0Rxea029138@repo.freebsd.org>
References: <201810210027.w9L0Rxea029138@repo.freebsd.org>
On Sun, Oct 21, 2018 at 12:27:59AM +0000, Ed Maste wrote: > Author: emaste > Date: Sun Oct 21 00:27:59 2018 > New Revision: 339511 > URL: https://svnweb.freebsd.org/changeset/base/339511 > > Log: > Introduce src.conf knob to build userland with retpoline > > WITH_RETPOLINE enables -mretpoline vulnerability mitigation in userland > for CVE-2017-5715. > > Reported by: Peter Malcom > Reviewed by: markj > MFC after: 1 week > Sponsored by: The FreeBSD Foundation > Differential Revision: https://reviews.freebsd.org/D17421 > > Added: > head/tools/build/options/WITH_RETPOLINE (contents, props changed) > Modified: > head/Makefile.inc1 > head/share/mk/bsd.lib.mk > head/share/mk/bsd.opts.mk > head/share/mk/bsd.prog.mk > > Modified: head/Makefile.inc1 > ============================================================================== > --- head/Makefile.inc1 Sun Oct 21 00:20:40 2018 (r339510) > +++ head/Makefile.inc1 Sun Oct 21 00:27:59 2018 (r339511) > @@ -659,7 +659,7 @@ BSARGS= DESTDIR= \ > -DNO_PIC MK_PROFILE=no -DNO_SHARED \ > -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \ > MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \ > - MK_LLDB=no MK_TESTS=no \ > + MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no \ > MK_INCLUDES=yes > > BMAKE= \ > @@ -680,7 +680,7 @@ TMAKE= \ > -DNO_LINT \ > -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \ > MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \ > - MK_LLDB=no MK_TESTS=no > + MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no > > # cross-tools stage > # TOOLS_PREFIX set in BMAKE > @@ -703,7 +703,7 @@ KTMAKE= \ > SSP_CFLAGS= \ > MK_HTML=no -DNO_LINT MK_MAN=no \ > -DNO_PIC MK_PROFILE=no -DNO_SHARED \ > - -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no > + -DNO_CPU_CFLAGS MK_RETPOLINE=no MK_WARNS=no MK_CTF=no > > # world stage > WMAKEENV= ${CROSSENV} \ 
> @@ -2383,6 +2383,7 @@ NXBMAKEARGS+= \ > MK_OFED=no \ > MK_OPENSSH=no \ > MK_PROFILE=no \ > + MK_RETPOLINE=no \ > MK_SENDMAIL=no \ > MK_SVNLITE=no \ > MK_TESTS=no \ > > Modified: head/share/mk/bsd.lib.mk > ============================================================================== > --- head/share/mk/bsd.lib.mk Sun Oct 21 00:20:40 2018 (r339510) > +++ head/share/mk/bsd.lib.mk Sun Oct 21 00:27:59 2018 (r339511) > @@ -69,6 +69,12 @@ TAGS+= package=${PACKAGE:Uruntime} > TAG_ARGS= -T ${TAGS:[*]:S/ /,/g} > .endif > > +.if ${MK_RETPOLINE} != "no" > +CFLAGS+= -mretpoline > +CXXFLAGS+= -mretpoline > +LDFLAGS+= -Wl,-zretpolineplt > +.endif > + > .if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \ > empty(DEBUG_FLAGS:M-gdwarf*) > CFLAGS+= ${DEBUG_FILES_CFLAGS} > > Modified: head/share/mk/bsd.opts.mk > ============================================================================== > --- head/share/mk/bsd.opts.mk Sun Oct 21 00:20:40 2018 (r339510) > +++ head/share/mk/bsd.opts.mk Sun Oct 21 00:27:59 2018 (r339511) 
> @@ -72,6 +72,7 @@ __DEFAULT_NO_OPTIONS = \ > CCACHE_BUILD \ > CTF \ > INSTALL_AS_USER \ > + RETPOLINE \ > STALE_STAGED
[snip]

We at HardenedBSD have had Retpoline enabled in 12 userland and kernel for a few months now. I've found it to be safe to enable by default.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
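Review bot: the four Makefile.inc1 hunks force MK_RETPOLINE=no in BSARGS, TMAKE, KTMAKE and NXBMAKEARGS, but neither the diff nor the log says why these stages must opt out. A one-line comment at each site (or a sentence in the commit log) stating the reason would keep a later cleanup from dropping the override. Minor style point: in KTMAKE the new variable is placed between -DNO_CPU_CFLAGS and MK_WARNS=no, whereas BSARGS and TMAKE put it after MK_LLDB=no in name order; keeping the placement consistent makes the overrides easier to audit.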
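Review bot: in the bsd.lib.mk hunk, the new `.if ${MK_RETPOLINE} != "no"` block appends -mretpoline and -Wl,-zretpolineplt with no check that the compiler and linker in use accept them. Both options are toolchain-specific, so a WITH_RETPOLINE build with a compiler or linker that lacks them either fails on an unrecognized option or ends up without the mitigation it asked for. Suggest guarding the block on toolchain support, warning when the knob is requested but unsupported, and stating the requirement in tools/build/options/WITH_RETPOLINE so that someone setting the knob for CVE-2017-5715 knows what it depends on.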
