Date: Sat, 20 Oct 2018 20:31:14 -0400
From: Shawn Webb
To: Ed Maste
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r339511 - in head: . share/mk tools/build/options

On Sun, Oct 21, 2018 at 12:27:59AM +0000, Ed Maste wrote:
> Author: emaste
> Date: Sun Oct 21 00:27:59 2018
> New Revision: 339511
> URL: https://svnweb.freebsd.org/changeset/base/339511
>
> Log:
>   Introduce src.conf knob to build userland with retpoline
>
>   WITH_RETPOLINE enables -mretpoline vulnerability mitigation in userland
>   for CVE-2017-5715.
> =20 > Reported by: Peter Malcom > Reviewed by: markj > MFC after: 1 week > Sponsored by: The FreeBSD Foundation > Differential Revision: https://reviews.freebsd.org/D17421 >=20 > Added: > head/tools/build/options/WITH_RETPOLINE (contents, props changed) > Modified: > head/Makefile.inc1 > head/share/mk/bsd.lib.mk > head/share/mk/bsd.opts.mk > head/share/mk/bsd.prog.mk >=20 > Modified: head/Makefile.inc1 > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/Makefile.inc1 Sun Oct 21 00:20:40 2018 (r339510) > +++ head/Makefile.inc1 Sun Oct 21 00:27:59 2018 (r339511) > @@ -659,7 +659,7 @@ BSARGS=3D DESTDIR=3D \ > -DNO_PIC MK_PROFILE=3Dno -DNO_SHARED \ > -DNO_CPU_CFLAGS MK_WARNS=3Dno MK_CTF=3Dno \ > MK_CLANG_EXTRAS=3Dno MK_CLANG_FULL=3Dno \ > - MK_LLDB=3Dno MK_TESTS=3Dno \ > + MK_LLDB=3Dno MK_RETPOLINE=3Dno MK_TESTS=3Dno \ > MK_INCLUDES=3Dyes > =20 > BMAKE=3D \ > @@ -680,7 +680,7 @@ TMAKE=3D \ > -DNO_LINT \ > -DNO_CPU_CFLAGS MK_WARNS=3Dno MK_CTF=3Dno \ > MK_CLANG_EXTRAS=3Dno MK_CLANG_FULL=3Dno \ > - MK_LLDB=3Dno MK_TESTS=3Dno > + MK_LLDB=3Dno MK_RETPOLINE=3Dno MK_TESTS=3Dno > =20 > # cross-tools stage > # TOOLS_PREFIX set in BMAKE > @@ -703,7 +703,7 @@ KTMAKE=3D \ > SSP_CFLAGS=3D \ > MK_HTML=3Dno -DNO_LINT MK_MAN=3Dno \ > -DNO_PIC MK_PROFILE=3Dno -DNO_SHARED \ > - -DNO_CPU_CFLAGS MK_WARNS=3Dno MK_CTF=3Dno > + -DNO_CPU_CFLAGS MK_RETPOLINE=3Dno MK_WARNS=3Dno MK_CTF=3Dno > =20 > # world stage > WMAKEENV=3D ${CROSSENV} \ 
> @@ -2383,6 +2383,7 @@ NXBMAKEARGS+=3D \ > MK_OFED=3Dno \ > MK_OPENSSH=3Dno \ > MK_PROFILE=3Dno \ > + MK_RETPOLINE=3Dno \ > MK_SENDMAIL=3Dno \ > MK_SVNLITE=3Dno \ > MK_TESTS=3Dno \ >=20 > Modified: head/share/mk/bsd.lib.mk > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/share/mk/bsd.lib.mk Sun Oct 21 00:20:40 2018 (r339510) > +++ head/share/mk/bsd.lib.mk Sun Oct 21 00:27:59 2018 (r339511) > @@ -69,6 +69,12 @@ TAGS+=3D package=3D${PACKAGE:Uruntime} > TAG_ARGS=3D -T ${TAGS:[*]:S/ /,/g} > .endif > =20 > +.if ${MK_RETPOLINE} !=3D "no" > +CFLAGS+=3D -mretpoline > +CXXFLAGS+=3D -mretpoline > +LDFLAGS+=3D -Wl,-zretpolineplt > +.endif > + > .if ${MK_DEBUG_FILES} !=3D "no" && empty(DEBUG_FLAGS:M-g) && \ > empty(DEBUG_FLAGS:M-gdwarf*) > CFLAGS+=3D ${DEBUG_FILES_CFLAGS} >=20 > Modified: head/share/mk/bsd.opts.mk > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/share/mk/bsd.opts.mk Sun Oct 21 00:20:40 2018 (r339510) > +++ head/share/mk/bsd.opts.mk Sun Oct 21 00:27:59 2018 (r339511) 
> @@ -72,6 +72,7 @@ __DEFAULT_NO_OPTIONS =3D \ > CCACHE_BUILD \ > CTF \ > INSTALL_AS_USER \ > + RETPOLINE \ > STALE_STAGED

[snip]

We at HardenedBSD have had Retpoline enabled in 12 userland and kernel for a few months now. I've found it to be safe to enable by default.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
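
Review bot: in head/Makefile.inc1, MK_RETPOLINE=no is forced in four places (BSARGS, TMAKE, KTMAKE and NXBMAKEARGS) with no comment saying why these stages must not pick up the knob. A one-line comment next to the first occurrence, stating whether this is because those tools may be built by a compiler that does not accept -mretpoline or because they never run on the target, would keep a later cleanup from dropping the override and let a reader confirm that no other tool-building stage was missed.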
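
Review bot: the new `.if ${MK_RETPOLINE} != "no"` block in head/share/mk/bsd.lib.mk appends `-mretpoline` and `-Wl,-zretpolineplt` without checking that the compiler and linker in use accept them. `-mretpoline` is a Clang option and `-z retpolineplt` is an lld option, so with WITH_RETPOLINE set and a different compiler the build stops on an unknown flag, while a linker that does not know the `-z` keyword can leave the PLT unhardened with nothing more than a warning. Suggest guarding the block on compiler and linker support and emitting a `.warning` when the knob is set but cannot be honoured, so that a user who asked for the CVE-2017-5715 mitigation is told when they did not get it. The matching change to bsd.prog.mk is snipped from this message and should get the same guard.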
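
Review bot: adding RETPOLINE to __DEFAULT_NO_OPTIONS in head/share/mk/bsd.opts.mk offers the knob on every architecture, although the flags it turns on in bsd.lib.mk are an x86 mitigation. The list position is fine alphabetically, but the option should either be restricted to the architectures where `-mretpoline` applies or the text in tools/build/options/WITH_RETPOLINE (not visible here) should say which architectures it affects, so that setting it elsewhere is not mistaken for protection.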