svn commit: r339511 - in head: . share/mk tools/build/options

Shawn Webb shawn.webb at hardenedbsd.org
Sun Oct 21 00:31:28 UTC 2018


On Sun, Oct 21, 2018 at 12:27:59AM +0000, Ed Maste wrote:
> Author: emaste
> Date: Sun Oct 21 00:27:59 2018
> New Revision: 339511
> URL: https://svnweb.freebsd.org/changeset/base/339511
> 
> Log:
>   Introduce src.conf knob to build userland with retpoline
>   
>   WITH_RETPOLINE enables -mretpoline vulnerability mitigation in userland
>   for CVE-2017-5715.
>   
>   Reported by:	Peter Malcom
>   Reviewed by:	markj
>   MFC after:	1 week
>   Sponsored by:	The FreeBSD Foundation
>   Differential Revision:	https://reviews.freebsd.org/D17421
> 
> Added:
>   head/tools/build/options/WITH_RETPOLINE   (contents, props changed)
> Modified:
>   head/Makefile.inc1
>   head/share/mk/bsd.lib.mk
>   head/share/mk/bsd.opts.mk
>   head/share/mk/bsd.prog.mk
> 
> Modified: head/Makefile.inc1
> ==============================================================================
> --- head/Makefile.inc1	Sun Oct 21 00:20:40 2018	(r339510)
> +++ head/Makefile.inc1	Sun Oct 21 00:27:59 2018	(r339511)
> @@ -659,7 +659,7 @@ BSARGS= 	DESTDIR= \
>  		-DNO_PIC MK_PROFILE=no -DNO_SHARED \
>  		-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
>  		MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
> -		MK_LLDB=no MK_TESTS=no \
> +		MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no \
>  		MK_INCLUDES=yes
>  
>  BMAKE=		\
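Review bot: MK_RETPOLINE=no is hard-wired into BSARGS here (and again in TMAKE and KTMAKE in the hunks that follow) with no comment explaining why the bootstrap, toolchain and kernel-toolchain stages are exempt from the mitigation. If the reason is that these stages may be compiled by the host's existing compiler and linker, which need not understand -mretpoline or -zretpolineplt, a one-line comment beside this first occurrence would record that and make clear the exemption is a toolchain-compatibility choice rather than an oversight about leaving build tools unmitigated.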
> @@ -680,7 +680,7 @@ TMAKE=		\
>  		-DNO_LINT \
>  		-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
>  		MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
> -		MK_LLDB=no MK_TESTS=no
> +		MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no
>  
>  # cross-tools stage
>  # TOOLS_PREFIX set in BMAKE
> @@ -703,7 +703,7 @@ KTMAKE=		\
>  		SSP_CFLAGS= \
>  		MK_HTML=no -DNO_LINT MK_MAN=no \
>  		-DNO_PIC MK_PROFILE=no -DNO_SHARED \
> -		-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no
> +		-DNO_CPU_CFLAGS MK_RETPOLINE=no MK_WARNS=no MK_CTF=no
>  
>  # world stage
>  WMAKEENV=	${CROSSENV} \
> @@ -2383,6 +2383,7 @@ NXBMAKEARGS+= \
>  	MK_OFED=no \
>  	MK_OPENSSH=no \
>  	MK_PROFILE=no \
> +	MK_RETPOLINE=no \
>  	MK_SENDMAIL=no \
>  	MK_SVNLITE=no \
>  	MK_TESTS=no \
> 
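Review bot: in NXBMAKEARGS the new MK_RETPOLINE=no sits in a list that otherwise switches off whole components (MK_OFED, MK_OPENSSH, MK_SENDMAIL, MK_SVNLITE, MK_TESTS) or per-object instrumentation (MK_PROFILE), but this entry changes the security properties of the binaries this stage produces rather than what gets built. A short comment stating whether those binaries are intended to ship without the mitigation, or whether this is again a toolchain-compatibility exemption, would help whoever later revisits the defaults.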
> Modified: head/share/mk/bsd.lib.mk
> ==============================================================================
> --- head/share/mk/bsd.lib.mk	Sun Oct 21 00:20:40 2018	(r339510)
> +++ head/share/mk/bsd.lib.mk	Sun Oct 21 00:27:59 2018	(r339511)
> @@ -69,6 +69,12 @@ TAGS+=		package=${PACKAGE:Uruntime}
>  TAG_ARGS=	-T ${TAGS:[*]:S/ /,/g}
>  .endif
>  
> +.if ${MK_RETPOLINE} != "no"
> +CFLAGS+= -mretpoline
> +CXXFLAGS+= -mretpoline
> +LDFLAGS+= -Wl,-zretpolineplt
> +.endif
> +
>  .if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \
>      empty(DEBUG_FLAGS:M-gdwarf*)
>  CFLAGS+= ${DEBUG_FILES_CFLAGS}
> 
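Review bot: the new .if block in bsd.lib.mk appends -mretpoline, -mretpoline and -Wl,-zretpolineplt unconditionally whenever MK_RETPOLINE is not "no", with no check that the compiler and linker in use accept them or that the target is x86. These are the clang and lld spellings (GCC uses a differently named option and GNU ld does not take -z retpolineplt), and on a non-x86 MACHINE_CPUARCH they have no meaning, so a build with WITH_RETPOLINE and a different toolchain fails on the first object instead of skipping the flags. Consider guarding the block with the existing COMPILER_TYPE / LINKER_TYPE (or a feature-test) variables and an x86 architecture check, for example `.if ${MK_RETPOLINE} != "no" && ${COMPILER_TYPE} == "clang" && ${LINKER_TYPE} == "lld"`. Since the commit also touches bsd.prog.mk (not shown here) and presumably adds the same three lines there, putting the flag additions in a single shared include that both files read would keep the two copies from drifting.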
> Modified: head/share/mk/bsd.opts.mk
> ==============================================================================
> --- head/share/mk/bsd.opts.mk	Sun Oct 21 00:20:40 2018	(r339510)
> +++ head/share/mk/bsd.opts.mk	Sun Oct 21 00:27:59 2018	(r339511)
> @@ -72,6 +72,7 @@ __DEFAULT_NO_OPTIONS = \
>      CCACHE_BUILD \
>      CTF \
>      INSTALL_AS_USER \
> +    RETPOLINE \
>      STALE_STAGED
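Review bot: adding RETPOLINE to __DEFAULT_NO_OPTIONS in bsd.opts.mk makes the mitigation opt-in, which matches the log, but it also means WITH_RETPOLINE is honoured by anything that includes bsd.lib.mk or bsd.prog.mk, not only the src tree build that the log describes as "userland". If the knob is meant to be limited to the base system, it belongs with the src-only options; if the wider scope is intended, the WITH_RETPOLINE description file added under tools/build/options should say so, and should note the compiler and linker support the flags require.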

[snip]

We at HardenedBSD have had Retpoline enabled in 12 userland and kernel
for a few months now. I've found it to be safe to enable by default.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera at is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE