svn commit: r340773 - in releng/12.0: . rescue/rescue share/mk tools/build/options
Ed Maste
emaste at FreeBSD.org
Thu Nov 22 18:59:07 UTC 2018
Author: emaste
Date: Thu Nov 22 18:59:05 2018
New Revision: 340773
URL: https://svnweb.freebsd.org/changeset/base/340773
Log:
MF12 r340697: Introduce src.conf knob to build userland with retpoline
MFC r339511: Introduce src.conf knob to build userland with retpoline
WITH_RETPOLINE enables -mretpoline vulnerability mitigation in userland
for CVE-2017-5715.
MFC r340099: libcompat: disable retpoline when building build tools
These are built with the host toolchain which may not support retpoline.
While here, move the MK_ overrides to a separate line and sort them
alphabetically to support future changes.
MFC r340650: Avoid retpolineplt with static linking
Statically linked binaries linked with -zretpolineplt crash at startup
as lld produces a broken PLT.
MFC r340652: rescue: set NO_SHARED in Makefile
The rescue binary is built statically via the Makefile generated by
crunchgen, but that does not trigger other shared/static logic in
bsd.prog.mk - in particular
PR: 233336
Reported by: Peter Malcom (r339511), Charlie Li (r340652)
Approved by: re (kib)
Sponsored by: The FreeBSD Foundation
Added:
releng/12.0/tools/build/options/WITH_RETPOLINE
- copied unchanged from r340697, stable/12/tools/build/options/WITH_RETPOLINE
Modified:
releng/12.0/Makefile.inc1
releng/12.0/Makefile.libcompat
releng/12.0/rescue/rescue/Makefile
releng/12.0/share/mk/bsd.lib.mk
releng/12.0/share/mk/bsd.opts.mk
releng/12.0/share/mk/bsd.prog.mk
Directory Properties:
releng/12.0/ (props changed)
Modified: releng/12.0/Makefile.inc1
==============================================================================
--- releng/12.0/Makefile.inc1 Thu Nov 22 17:51:19 2018 (r340772)
+++ releng/12.0/Makefile.inc1 Thu Nov 22 18:59:05 2018 (r340773)
@@ -659,7 +659,7 @@ BSARGS= DESTDIR= \
-DNO_PIC MK_PROFILE=no -DNO_SHARED \
-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
- MK_LLDB=no MK_TESTS=no \
+ MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no \
MK_INCLUDES=yes
BMAKE= \
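Review bot: MK_RETPOLINE=no is added to BSARGS without a comment in the file saying why the bootstrap stage opts out. The reason (the host toolchain may not support retpoline) appears only in the commit log for the libcompat change; a short comment above the override would keep it from being removed later as an apparent oversight. The same override is repeated in TMAKE, KTMAKE and NXBMAKEARGS below, so a single variable holding the host-toolchain opt-outs would be easier to keep consistent.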
@@ -680,7 +680,7 @@ TMAKE= \
-DNO_LINT \
-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
- MK_LLDB=no MK_TESTS=no
+ MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no
# cross-tools stage
# TOOLS_PREFIX set in BMAKE
@@ -703,7 +703,7 @@ KTMAKE= \
SSP_CFLAGS= \
MK_HTML=no -DNO_LINT MK_MAN=no \
-DNO_PIC MK_PROFILE=no -DNO_SHARED \
- -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no
+ -DNO_CPU_CFLAGS MK_RETPOLINE=no MK_WARNS=no MK_CTF=no
# world stage
WMAKEENV= ${CROSSENV} \
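Review bot: in KTMAKE the new MK_RETPOLINE=no is placed before MK_WARNS=no MK_CTF=no, which leaves the MK_ overrides on that line unsorted, while the libcompat change in this same commit sorts them alphabetically "to support future changes". Suggest ordering this line the same way: MK_CTF=no MK_RETPOLINE=no MK_WARNS=no.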
@@ -2390,6 +2390,7 @@ NXBMAKEARGS+= \
MK_OFED=no \
MK_OPENSSH=no \
MK_PROFILE=no \
+ MK_RETPOLINE=no \
MK_SENDMAIL=no \
MK_SVNLITE=no \
MK_TESTS=no \
Modified: releng/12.0/Makefile.libcompat
==============================================================================
--- releng/12.0/Makefile.libcompat Thu Nov 22 17:51:19 2018 (r340772)
+++ releng/12.0/Makefile.libcompat Thu Nov 22 18:59:05 2018 (r340773)
@@ -200,7 +200,8 @@ build${libcompat}: .PHONY
OBJTOP=${LIBCOMPAT_OBJTOP} \
OBJROOT='$${OBJTOP}/' \
MAKEOBJDIRPREFIX= \
- DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
+ DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS \
+ MK_CTF=no MK_RETPOLINE=no MK_WARNS=no \
${_t}
.endfor
.endfor
Modified: releng/12.0/rescue/rescue/Makefile
==============================================================================
--- releng/12.0/rescue/rescue/Makefile Thu Nov 22 17:51:19 2018 (r340772)
+++ releng/12.0/rescue/rescue/Makefile Thu Nov 22 18:59:05 2018 (r340773)
@@ -6,6 +6,7 @@
PACKAGE=rescue
MAN=
MK_SSP= no
+NO_SHARED= yes
PROG= rescue
BINDIR?=/rescue
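Review bot: the added NO_SHARED= yes line has no comment, and nothing in this Makefile shows that it exists to make the static-linking logic in bsd.prog.mk apply to the crunchgen-built binary. Without that, it reads as redundant next to a build that is already static. Suggest a one-line comment above it naming the bsd.prog.mk dependency and PR 233336.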
Modified: releng/12.0/share/mk/bsd.lib.mk
==============================================================================
--- releng/12.0/share/mk/bsd.lib.mk Thu Nov 22 17:51:19 2018 (r340772)
+++ releng/12.0/share/mk/bsd.lib.mk Thu Nov 22 18:59:05 2018 (r340773)
@@ -69,6 +69,12 @@ TAGS+= package=${PACKAGE:Uruntime}
TAG_ARGS= -T ${TAGS:[*]:S/ /,/g}
.endif
+.if ${MK_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+CXXFLAGS+= -mretpoline
+LDFLAGS+= -Wl,-zretpolineplt
+.endif
+
.if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \
empty(DEBUG_FLAGS:M-gdwarf*)
CFLAGS+= ${DEBUG_FILES_CFLAGS}
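Review bot: the new block appends -Wl,-zretpolineplt to LDFLAGS whenever MK_RETPOLINE is not "no", with no NO_SHARED guard like the one added to bsd.prog.mk in this commit and no comment saying why libraries do not need one. Either add the guard or a one-line comment stating that the static-link breakage in PR 233336 does not apply here. The condition also tests only MK_RETPOLINE, so a toolchain that does not accept -mretpoline or -zretpolineplt gets the flags anyway; a check of the compiler and linker type, or an explicit .error, would make that case easier to diagnose.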
Modified: releng/12.0/share/mk/bsd.opts.mk
==============================================================================
--- releng/12.0/share/mk/bsd.opts.mk Thu Nov 22 17:51:19 2018 (r340772)
+++ releng/12.0/share/mk/bsd.opts.mk Thu Nov 22 18:59:05 2018 (r340773)
@@ -72,6 +72,7 @@ __DEFAULT_NO_OPTIONS = \
CCACHE_BUILD \
CTF \
INSTALL_AS_USER \
+ RETPOLINE \
STALE_STAGED
__DEFAULT_DEPENDENT_OPTIONS = \
Modified: releng/12.0/share/mk/bsd.prog.mk
==============================================================================
--- releng/12.0/share/mk/bsd.prog.mk Thu Nov 22 17:51:19 2018 (r340772)
+++ releng/12.0/share/mk/bsd.prog.mk Thu Nov 22 18:59:05 2018 (r340773)
@@ -34,6 +34,15 @@ PROG= ${PROG_CXX}
MK_DEBUG_FILES= no
.endif
+.if ${MK_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+CXXFLAGS+= -mretpoline
+# retpolineplt is broken with static linking (PR 233336)
+.if !defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO"
+LDFLAGS+= -Wl,-zretpolineplt
+.endif
+.endif
+
.if defined(CRUNCH_CFLAGS)
CFLAGS+=${CRUNCH_CFLAGS}
.else
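Review bot: the NO_SHARED test in the added block matches only the spellings "no" and "NO", so a dynamically linked program built with a value such as "No" silently loses -Wl,-zretpolineplt and ships with an unmitigated PLT. Comparing ${NO_SHARED:tl} == "no" would cover every casing. The -mretpoline lines also duplicate the block added to bsd.lib.mk; putting the common part in one included file would keep the two from drifting apart.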
Copied: releng/12.0/tools/build/options/WITH_RETPOLINE (from r340697, stable/12/tools/build/options/WITH_RETPOLINE)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ releng/12.0/tools/build/options/WITH_RETPOLINE Thu Nov 22 18:59:05 2018 (r340773, copy of r340697, stable/12/tools/build/options/WITH_RETPOLINE)
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to build the base system with the retpoline speculative execution
+vulnerability mitigation for CVE-2017-5715.
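Review bot: the option text says "the base system", but the other hunks in this commit limit the mitigation in two ways that the description omits: bsd.prog.mk skips -zretpolineplt when NO_SHARED is set, and the bootstrap, cross-tools and libcompat build-tool stages force MK_RETPOLINE=no. Suggest stating that the knob covers userland, that statically linked programs are built with -mretpoline but without the retpoline PLT, and that it needs a compiler and linker that support both flags.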