Disable retpoline validation if your compiler sucks, and otherwise
select the validation stuff for RETPOLINE (most builds would already
have it set due to ORC).

Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
---
 Makefile               |    5 +++++
 arch/x86/Kconfig       |    1 +
 scripts/Makefile.build |    2 ++
 3 files changed, 8 insertions(+)

--- a/Makefile
+++ b/Makefile
@@ -486,6 +486,11 @@ KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG
 KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
 endif
 
+ifneq ($(call cc-option,-mindirect-branch=thunk-extern 
-mindirect-branch-register),)
+  CC_HAS_RETPOLINE := 1
+endif
+export CC_HAS_RETPOLINE
+
 ifeq ($(config-targets),1)
 # ===========================================================================
 # *config targets only - make sure prerequisites are updated, and descend
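Review bot: When the `cc-option` probe fails, CC_HAS_RETPOLINE is left unset and nothing is printed, so a CONFIG_RETPOLINE=y build loses the objtool `--retpoline` check (gated in the scripts/Makefile.build hunk) without any signal in the build log. The rest of both Makefiles is not visible here, so a warning may already exist elsewhere; if it does not, an `else` branch with a `$(warning ...)` saying the compiler lacks retpoline support and validation is disabled would make the downgrade visible. The variable is also never initialised before the `ifneq`, so a CC_HAS_RETPOLINE inherited from the environment would be exported as if the probe had succeeded; a plain `CC_HAS_RETPOLINE :=` ahead of the test closes that. The probe uses only the GCC flag spelling, so a compiler that provides retpolines under different options is presumably treated as unsupported; a one-line comment stating that would help.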
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -432,6 +432,7 @@ config GOLDFISH
 config RETPOLINE
        bool "Avoid speculative indirect branches in kernel"
        default y
+       select STACK_VALIDATION
        help
          Compile kernel with the retpoline compiler options to guard against
          kernel-to-user data leaks by avoiding speculative indirect
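Review bot: The unconditional `select STACK_VALIDATION` forces the symbol on without honouring its own dependencies, because `select` ignores the `depends on` of the selected symbol. If STACK_VALIDATION depends on HAVE_STACK_VALIDATION and that is not set for every configuration where RETPOLINE can be enabled (32-bit x86 is the likely case, to be confirmed against the Kconfig files outside this hunk), this produces an unmet-dependency warning and runs objtool where it is not supported. Guarding it as `select STACK_VALIDATION if HAVE_STACK_VALIDATION` keeps the check on where objtool works and leaves other builds unchanged. The help text continues beyond the hunk.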
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -267,8 +267,10 @@ else
 objtool_args += $(call cc-ifversion, -lt, 0405, --no-unreachable)
 endif
 ifdef CONFIG_RETPOLINE
+ifdef CC_HAS_RETPOLINE
   objtool_args += --retpoline
 endif
+endif
 
 
 ifdef CONFIG_MODVERSIONS
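Review bot: The new inner `ifdef CC_HAS_RETPOLINE` gives no hint of where the variable comes from or why the validation may be skipped, and the two bare `endif` lines that close the nest are easy to mismatch in a later edit. A comment above the inner test such as `# CC_HAS_RETPOLINE is exported by the top-level Makefile when the compiler accepts the retpoline flags; without it there is nothing for objtool to validate` would document the intent. Labelling the closers `endif # CC_HAS_RETPOLINE` and `endif # CONFIG_RETPOLINE` would keep the nesting readable.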

