svn commit: r339511 - in head: . share/mk tools/build/options
Shawn Webb
shawn.webb at hardenedbsd.org
Sun Oct 21 00:31:28 UTC 2018
On Sun, Oct 21, 2018 at 12:27:59AM +0000, Ed Maste wrote:
> Author: emaste
> Date: Sun Oct 21 00:27:59 2018
> New Revision: 339511
> URL: https://svnweb.freebsd.org/changeset/base/339511
>
> Log:
> Introduce src.conf knob to build userland with retpoline
>
> WITH_RETPOLINE enables -mretpoline vulnerability mitigation in userland
> for CVE-2017-5715.
>
> Reported by: Peter Malcom
> Reviewed by: markj
> MFC after: 1 week
> Sponsored by: The FreeBSD Foundation
> Differential Revision: https://reviews.freebsd.org/D17421
>
> Added:
> head/tools/build/options/WITH_RETPOLINE (contents, props changed)
> Modified:
> head/Makefile.inc1
> head/share/mk/bsd.lib.mk
> head/share/mk/bsd.opts.mk
> head/share/mk/bsd.prog.mk
>
> Modified: head/Makefile.inc1
> ==============================================================================
> --- head/Makefile.inc1 Sun Oct 21 00:20:40 2018 (r339510)
> +++ head/Makefile.inc1 Sun Oct 21 00:27:59 2018 (r339511)
> @@ -659,7 +659,7 @@ BSARGS= DESTDIR= \
> -DNO_PIC MK_PROFILE=no -DNO_SHARED \
> -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
> MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
> - MK_LLDB=no MK_TESTS=no \
> + MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no \
> MK_INCLUDES=yes
>
> BMAKE= \
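Review bot: the reason MK_RETPOLINE=no is forced into BSARGS is not documented in the hunk, and the same override is repeated below for TMAKE, KTMAKE and NXBMAKEARGS without explanation. A short comment at this first occurrence (e.g. `# bootstrap/cross tools are built with the host toolchain, which may not accept -mretpoline; the knob only applies to the final userland build`) would make the intent recoverable and make it obvious that WITH_RETPOLINE does not harden the build tools themselves.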
> @@ -680,7 +680,7 @@ TMAKE= \
> -DNO_LINT \
> -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
> MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
> - MK_LLDB=no MK_TESTS=no
> + MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no
>
> # cross-tools stage
> # TOOLS_PREFIX set in BMAKE
> @@ -703,7 +703,7 @@ KTMAKE= \
> SSP_CFLAGS= \
> MK_HTML=no -DNO_LINT MK_MAN=no \
> -DNO_PIC MK_PROFILE=no -DNO_SHARED \
> - -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no
> + -DNO_CPU_CFLAGS MK_RETPOLINE=no MK_WARNS=no MK_CTF=no
>
> # world stage
> WMAKEENV= ${CROSSENV} \
> @@ -2383,6 +2383,7 @@ NXBMAKEARGS+= \
> MK_OFED=no \
> MK_OPENSSH=no \
> MK_PROFILE=no \
> + MK_RETPOLINE=no \
> MK_SENDMAIL=no \
> MK_SVNLITE=no \
> MK_TESTS=no \
>
> Modified: head/share/mk/bsd.lib.mk
> ==============================================================================
> --- head/share/mk/bsd.lib.mk Sun Oct 21 00:20:40 2018 (r339510)
> +++ head/share/mk/bsd.lib.mk Sun Oct 21 00:27:59 2018 (r339511)
> @@ -69,6 +69,12 @@ TAGS+= package=${PACKAGE:Uruntime}
> TAG_ARGS= -T ${TAGS:[*]:S/ /,/g}
> .endif
>
> +.if ${MK_RETPOLINE} != "no"
> +CFLAGS+= -mretpoline
> +CXXFLAGS+= -mretpoline
> +LDFLAGS+= -Wl,-zretpolineplt
> +.endif
> +
> .if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \
> empty(DEBUG_FLAGS:M-gdwarf*)
> CFLAGS+= ${DEBUG_FILES_CFLAGS}
>
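Review bot: the new block in bsd.lib.mk appends -mretpoline, and -Wl,-zretpolineplt to LDFLAGS, whenever MK_RETPOLINE != "no" with no check that the compiler and linker in use accept them; -mretpoline is a clang option and -zretpolineplt an lld option, so WITH_RETPOLINE combined with an external GCC toolchain fails at the first compile with an unrecognized-option error instead of a clear message at make time. Suggest guarding the block on toolchain support, e.g. `.if ${MK_RETPOLINE} != "no" && ${COMPILER_TYPE} == "clang"` (or a retpoline entry in COMPILER_FEATURES/LINKER_FEATURES) with a `.warning` in the else branch so a requested mitigation is never silently dropped. Since bsd.prog.mk is also in the Modified list and presumably receives the same lines, hoisting the block once into bsd.sys.mk would keep the two copies from diverging.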
> Modified: head/share/mk/bsd.opts.mk
> ==============================================================================
> --- head/share/mk/bsd.opts.mk Sun Oct 21 00:20:40 2018 (r339510)
> +++ head/share/mk/bsd.opts.mk Sun Oct 21 00:27:59 2018 (r339511)
> @@ -72,6 +72,7 @@ __DEFAULT_NO_OPTIONS = \
> CCACHE_BUILD \
> CTF \
> INSTALL_AS_USER \
> + RETPOLINE \
> STALE_STAGED
[snip]
We at HardenedBSD have had Retpoline enabled in 12 userland and kernel
for a few months now. I've found it to be safe to enable by default.
Thanks,
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera at is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE