Date: Wed, 28 Feb 2018 14:57:45 +0000 (UTC) From: Ed Maste <emaste@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r330110 - in head: sys/conf tools/build/options Message-ID: <201802281457.w1SEvjNN059852@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: emaste Date: Wed Feb 28 14:57:45 2018 New Revision: 330110 URL: https://svnweb.freebsd.org/changeset/base/330110 Log: Add kernel retpoline option for amd64 Retpoline is a compiler-based mitigation for CVE-2017-5715, also known as Spectre V2, that protects against speculative execution branch target injection attacks. In this commit it is disabled by default, but will be changed in a followup commit. Reviewed by: bdrewery (previous version) MFC after: 3 days Security: CVE-2017-5715 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D14242 Added: head/tools/build/options/WITHOUT_KERNEL_RETPOLINE (contents, props changed) head/tools/build/options/WITH_KERNEL_RETPOLINE (contents, props changed) Modified: head/sys/conf/kern.mk head/sys/conf/kern.opts.mk Modified: head/sys/conf/kern.mk ============================================================================== --- head/sys/conf/kern.mk Wed Feb 28 10:00:02 2018 (r330109) +++ head/sys/conf/kern.mk Wed Feb 28 14:57:45 2018 (r330110) @@ -203,7 +203,7 @@ CFLAGS+= -ffreestanding # gcc and clang opimizers take advantage of this. The kernel makes # use of signed integer wraparound mechanics so we need the compiler # to treat it as a wraparound and not take shortcuts. -# +# CFLAGS+= -fwrapv # @@ -212,6 +212,14 @@ CFLAGS+= -fwrapv .if ${MK_SSP} != "no" && \ ${MACHINE_CPUARCH} != "arm" && ${MACHINE_CPUARCH} != "mips" CFLAGS+= -fstack-protector +.endif + +# +# Retpoline speculative execution vulnerability mitigation (CVE-2017-5715) +# +.if defined(COMPILER_FEATURES) && ${COMPILER_FEATURES:Mretpoline} != "" && \ + ${MK_KERNEL_RETPOLINE} != "no" +CFLAGS+= -mretpoline .endif # Modified: head/sys/conf/kern.opts.mk ============================================================================== --- head/sys/conf/kern.opts.mk Wed Feb 28 10:00:02 2018 (r330109) +++ head/sys/conf/kern.opts.mk Wed Feb 28 14:57:45 2018 (r330110) @@ -47,6 +47,7 @@ __DEFAULT_YES_OPTIONS = \ __DEFAULT_NO_OPTIONS = \ EXTRA_TCP_STACKS \ + KERNEL_RETPOLINE \ NAND \ OFED \ RATELIMIT \ @@ -83,6 +84,11 @@ BROKEN_OPTIONS+= FORMAT_EXTENSIONS # for them. .if ${MACHINE} != "i386" && ${MACHINE} != "amd64" BROKEN_OPTIONS+= OFED +.endif + +# Things that don't work based on toolchain support. +.if ${MACHINE} != "amd64" +BROKEN_OPTIONS+= KERNEL_RETPOLINE .endif # expanded inline from bsd.mkopt.mk to avoid share/mk dependency Added: head/tools/build/options/WITHOUT_KERNEL_RETPOLINE ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tools/build/options/WITHOUT_KERNEL_RETPOLINE Wed Feb 28 14:57:45 2018 (r330110) @@ -0,0 +1,3 @@ +.\" $FreeBSD$ +Set to disable the "retpoline" mitigation for CVE-2017-5715 in the kernel +build. Added: head/tools/build/options/WITH_KERNEL_RETPOLINE ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tools/build/options/WITH_KERNEL_RETPOLINE Wed Feb 28 14:57:45 2018 (r330110) @@ -0,0 +1,3 @@ +.\" $FreeBSD$ +Set to enable the "retpoline" mitigation for CVE-2017-5715 in the kernel +build.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201802281457.w1SEvjNN059852>