Author: emaste
Date: Tue Nov 20 20:16:03 2018
New Revision: 340697
URL: https://svnweb.freebsd.org/changeset/base/340697

Log:
  Introduce src.conf knob to build userland with retpoline
  
  MFC r339511: Introduce src.conf knob to build userland with retpoline
  
  WITH_RETPOLINE enables -mretpoline vulnerability mitigation in userland
  for CVE-2017-5715.
  
  MFC r340099: libcompat: disable retpoline when building build tools
  
  These are built with the host toolchain which may not support retpoline.
  While here, move the MK_ overrides to a separate line and sort them
  alphabetically to support future changes.
  
  MFC r340650: Avoid retpolineplt with static linking
  
  Statically linked binaries linked with -zretpolineplt crash at startup
  as lld produces a broken PLT.
  
  MFC r340652: rescue: set NO_SHARED in Makefile
  
  The rescue binary is built statically via the Makefile generated by
  crunchgen, but that does not trigger other shared/static logic in
  bsd.prog.mk - in particular
  
  PR:           233336
  Reported by:  Peter Malcom (r339511), Charlie Li (r340652)
  Approved by:  re (gjb, early MFC)
  Sponsored by: The FreeBSD Foundation

Added:
  stable/12/tools/build/options/WITH_RETPOLINE
     - copied unchanged from r339511, head/tools/build/options/WITH_RETPOLINE
Modified:
  stable/12/Makefile.inc1
  stable/12/Makefile.libcompat
  stable/12/rescue/rescue/Makefile
  stable/12/share/mk/bsd.lib.mk
  stable/12/share/mk/bsd.opts.mk
  stable/12/share/mk/bsd.prog.mk
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/Makefile.inc1
==============================================================================
--- stable/12/Makefile.inc1     Tue Nov 20 20:08:51 2018        (r340696)
+++ stable/12/Makefile.inc1     Tue Nov 20 20:16:03 2018        (r340697)
@@ -659,7 +659,7 @@ BSARGS=     DESTDIR= \
                -DNO_PIC MK_PROFILE=no -DNO_SHARED \
                -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
                MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
-               MK_LLDB=no MK_TESTS=no \
+               MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no \
                MK_INCLUDES=yes
 
 BMAKE=         \
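Review bot: `MK_RETPOLINE=no` is added to `BSARGS` with no comment saying why, and the same override is repeated by hand in `TMAKE`, `KTMAKE`, `NXBMAKEARGS` and the build-tools call in `Makefile.libcompat`. The log gives the reason only for libcompat (the host toolchain may not support retpoline); presumably the same reasoning applies to these stages. A stage added later that omits the override would pass `-mretpoline` to a host compiler, so I would put a comment above each variable, such as `# Build tools use the host toolchain, which may not support -mretpoline.` The `BSARGS` assignment starts above the hunk.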
@@ -680,7 +680,7 @@ TMAKE=              \
                -DNO_LINT \
                -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
                MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
-               MK_LLDB=no MK_TESTS=no
+               MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no
 
 # cross-tools stage
 # TOOLS_PREFIX set in BMAKE
@@ -703,7 +703,7 @@ KTMAKE=             \
                SSP_CFLAGS= \
                MK_HTML=no -DNO_LINT MK_MAN=no \
                -DNO_PIC MK_PROFILE=no -DNO_SHARED \
-               -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no
+               -DNO_CPU_CFLAGS MK_RETPOLINE=no MK_WARNS=no MK_CTF=no
 
 # world stage
 WMAKEENV=      ${CROSSENV} \
@@ -2390,6 +2390,7 @@ NXBMAKEARGS+= \
        MK_OFED=no \
        MK_OPENSSH=no \
        MK_PROFILE=no \
+       MK_RETPOLINE=no \
        MK_SENDMAIL=no \
        MK_SVNLITE=no \
        MK_TESTS=no \

Modified: stable/12/Makefile.libcompat
==============================================================================
--- stable/12/Makefile.libcompat        Tue Nov 20 20:08:51 2018        (r340696)
+++ stable/12/Makefile.libcompat        Tue Nov 20 20:16:03 2018        (r340697)
@@ -200,7 +200,8 @@ build${libcompat}: .PHONY
            OBJTOP=${LIBCOMPAT_OBJTOP} \
            OBJROOT='$${OBJTOP}/' \
            MAKEOBJDIRPREFIX= \
-           DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
+           DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS \
+           MK_CTF=no MK_RETPOLINE=no MK_WARNS=no \
            ${_t}
 .endfor
 .endfor

Modified: stable/12/rescue/rescue/Makefile
==============================================================================
--- stable/12/rescue/rescue/Makefile    Tue Nov 20 20:08:51 2018        (r340696)
+++ stable/12/rescue/rescue/Makefile    Tue Nov 20 20:16:03 2018        (r340697)
@@ -6,6 +6,7 @@
 PACKAGE=rescue
 MAN=
 MK_SSP=        no
+NO_SHARED=     yes
 
 PROG=  rescue
 BINDIR?=/rescue
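Review bot: `NO_SHARED= yes` carries no comment tying it to retpoline, so it reads as an unrelated cleanup and could be dropped later without anyone noticing the consequence. Going by the `bsd.prog.mk` change in this commit, this variable is what keeps `-Wl,-zretpolineplt` off the statically linked rescue binary. I would add `# Statically linked via crunchgen; lets bsd.prog.mk omit -zretpolineplt (PR 233336)` on the line above it.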

Modified: stable/12/share/mk/bsd.lib.mk
==============================================================================
--- stable/12/share/mk/bsd.lib.mk       Tue Nov 20 20:08:51 2018        (r340696)
+++ stable/12/share/mk/bsd.lib.mk       Tue Nov 20 20:16:03 2018        (r340697)
@@ -69,6 +69,12 @@ TAGS+=               package=${PACKAGE:Uruntime}
 TAG_ARGS=      -T ${TAGS:[*]:S/ /,/g}
 .endif
 
+.if ${MK_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+CXXFLAGS+= -mretpoline
+LDFLAGS+= -Wl,-zretpolineplt
+.endif
+
 .if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \
     empty(DEBUG_FLAGS:M-gdwarf*)
 CFLAGS+= ${DEBUG_FILES_CFLAGS}
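Review bot: The block under `.if ${MK_RETPOLINE} != "no"` adds `-mretpoline` and `-Wl,-zretpolineplt` without checking that the target compiler and linker accept them, and the matching block in `bsd.prog.mk` does the same. With a toolchain that lacks these options, WITH_RETPOLINE would either break the build or, if the linker merely warns about an unknown `-z` keyword, produce libraries without the PLT half of the mitigation while the knob still reads as enabled. I would gate the flags on the toolchain, for example `.if ${COMPILER_TYPE} == "clang" && ${LINKER_TYPE} == "lld"` (assuming both are set by the time this file is parsed), and emit a `.warning` in the else branch so an unsupported request is visible. The trailing `.if ${MK_DEBUG_FILES}` block continues past the hunk.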

Modified: stable/12/share/mk/bsd.opts.mk
==============================================================================
--- stable/12/share/mk/bsd.opts.mk      Tue Nov 20 20:08:51 2018        (r340696)
+++ stable/12/share/mk/bsd.opts.mk      Tue Nov 20 20:16:03 2018        (r340697)
@@ -72,6 +72,7 @@ __DEFAULT_NO_OPTIONS = \
     CCACHE_BUILD \
     CTF \
     INSTALL_AS_USER \
+    RETPOLINE \
     STALE_STAGED
 
 __DEFAULT_DEPENDENT_OPTIONS = \

Modified: stable/12/share/mk/bsd.prog.mk
==============================================================================
--- stable/12/share/mk/bsd.prog.mk      Tue Nov 20 20:08:51 2018        (r340696)
+++ stable/12/share/mk/bsd.prog.mk      Tue Nov 20 20:16:03 2018        (r340697)
@@ -34,6 +34,15 @@ PROG=        ${PROG_CXX}
 MK_DEBUG_FILES=        no
 .endif
 
+.if ${MK_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+CXXFLAGS+= -mretpoline
+# retpolineplt is broken with static linking (PR 233336)
+.if !defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO"
+LDFLAGS+= -Wl,-zretpolineplt
+.endif
+.endif
+
 .if defined(CRUNCH_CFLAGS)
 CFLAGS+=${CRUNCH_CFLAGS}
 .else
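Review bot: The static-link guard around `LDFLAGS+= -Wl,-zretpolineplt` looks only at `NO_SHARED`, so a program that ends up statically linked by some other route still gets the flag and, per the log, a PLT that crashes at startup; the `rescue` Makefile in this same commit needed `NO_SHARED=yes` for exactly that reason. If any Makefile passes `-static` through `LDFLAGS` directly, extending the condition would cover it: `.if (!defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO") && empty(LDFLAGS:M-static)`. The comment could also state that static binaries are still compiled with `-mretpoline` and only the retpoline PLT is skipped. The `.if defined(CRUNCH_CFLAGS)` block runs past the end of the hunk.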

Copied: stable/12/tools/build/options/WITH_RETPOLINE (from r339511, 
head/tools/build/options/WITH_RETPOLINE)
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ stable/12/tools/build/options/WITH_RETPOLINE        Tue Nov 20 20:16:03 2018        (r340697, copy of r339511, head/tools/build/options/WITH_RETPOLINE)
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to build the base system with the retpoline speculative execution
+vulnerability mitigation for CVE-2017-5715.