svn commit: r340697 - in stable/12: . rescue/rescue share/mk tools/build/options
Ed Maste
emaste at FreeBSD.org
Tue Nov 20 20:16:06 UTC 2018
Author: emaste
Date: Tue Nov 20 20:16:03 2018
New Revision: 340697
URL: https://svnweb.freebsd.org/changeset/base/340697
Log:
Introduce src.conf knob to build userland with retpoline
MFC r339511: Introduce src.conf knob to build userland with retpoline
WITH_RETPOLINE enables -mretpoline vulnerability mitigation in userland
for CVE-2017-5715.
MFC r340099: libcompat: disable retpoline when building build tools
These are built with the host toolchain which may not support retpoline.
While here, move the MK_ overrides to a separate line and sort them
alphabetically to support future changes.
MFC r340650: Avoid retpolineplt with static linking
Statically linked binaries linked with -zretpolineplt crash at startup
as lld produces a broken PLT.
MFC r340652: rescue: set NO_SHARED in Makefile
The rescue binary is built statically via the Makefile generated by
crunchgen, but that does not trigger other shared/static logic in
bsd.prog.mk - in particular, the check that avoids retpolineplt with static linking.
PR: 233336
Reported by: Peter Malcom (r339511), Charlie Li (r340652)
Approved by: re (gjb, early MFC)
Sponsored by: The FreeBSD Foundation
Added:
stable/12/tools/build/options/WITH_RETPOLINE
- copied unchanged from r339511, head/tools/build/options/WITH_RETPOLINE
Modified:
stable/12/Makefile.inc1
stable/12/Makefile.libcompat
stable/12/rescue/rescue/Makefile
stable/12/share/mk/bsd.lib.mk
stable/12/share/mk/bsd.opts.mk
stable/12/share/mk/bsd.prog.mk
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/Makefile.inc1
==============================================================================
--- stable/12/Makefile.inc1 Tue Nov 20 20:08:51 2018 (r340696)
+++ stable/12/Makefile.inc1 Tue Nov 20 20:16:03 2018 (r340697)
@@ -659,7 +659,7 @@ BSARGS= DESTDIR= \
-DNO_PIC MK_PROFILE=no -DNO_SHARED \
-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
- MK_LLDB=no MK_TESTS=no \
+ MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no \
MK_INCLUDES=yes
BMAKE= \
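Review bot: The `MK_RETPOLINE=no` override added to BSARGS here, and again in the TMAKE, KTMAKE and NXBMAKEARGS hunks below, has no explanation in the file, so a later reader cannot tell that the mitigation is dropped on purpose for these stages. A comment ahead of each assignment, for example `# Built with the host toolchain, which may not support retpoline`, would record the reason the commit log gives for the libcompat build tools. Whether that same reason holds for every stage touched here is not visible in the hunks and should be confirmed. Each of these assignments begins at or before its hunk header, so the comment would sit outside the lines shown.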
@@ -680,7 +680,7 @@ TMAKE= \
-DNO_LINT \
-DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \
- MK_LLDB=no MK_TESTS=no
+ MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no
# cross-tools stage
# TOOLS_PREFIX set in BMAKE
@@ -703,7 +703,7 @@ KTMAKE= \
SSP_CFLAGS= \
MK_HTML=no -DNO_LINT MK_MAN=no \
-DNO_PIC MK_PROFILE=no -DNO_SHARED \
- -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no
+ -DNO_CPU_CFLAGS MK_RETPOLINE=no MK_WARNS=no MK_CTF=no
# world stage
WMAKEENV= ${CROSSENV} \
@@ -2390,6 +2390,7 @@ NXBMAKEARGS+= \
MK_OFED=no \
MK_OPENSSH=no \
MK_PROFILE=no \
+ MK_RETPOLINE=no \
MK_SENDMAIL=no \
MK_SVNLITE=no \
MK_TESTS=no \
Modified: stable/12/Makefile.libcompat
==============================================================================
--- stable/12/Makefile.libcompat Tue Nov 20 20:08:51 2018 (r340696)
+++ stable/12/Makefile.libcompat Tue Nov 20 20:16:03 2018 (r340697)
@@ -200,7 +200,8 @@ build${libcompat}: .PHONY
OBJTOP=${LIBCOMPAT_OBJTOP} \
OBJROOT='$${OBJTOP}/' \
MAKEOBJDIRPREFIX= \
- DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \
+ DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS \
+ MK_CTF=no MK_RETPOLINE=no MK_WARNS=no \
${_t}
.endfor
.endfor
Modified: stable/12/rescue/rescue/Makefile
==============================================================================
--- stable/12/rescue/rescue/Makefile Tue Nov 20 20:08:51 2018 (r340696)
+++ stable/12/rescue/rescue/Makefile Tue Nov 20 20:16:03 2018 (r340697)
@@ -6,6 +6,7 @@
PACKAGE=rescue
MAN=
MK_SSP= no
+NO_SHARED= yes
PROG= rescue
BINDIR?=/rescue
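Review bot: `NO_SHARED= yes` is added without a comment, and its purpose is not evident from this Makefile alone, because the static link itself comes from the crunchgen-generated Makefile according to the commit log. A line above it such as `# Built statically by crunchgen; set NO_SHARED so bsd.prog.mk applies its static-link logic (PR 233336)` would keep someone from removing it as redundant. Removing it would put `-zretpolineplt` back on a static binary whenever WITH_RETPOLINE is set.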
Modified: stable/12/share/mk/bsd.lib.mk
==============================================================================
--- stable/12/share/mk/bsd.lib.mk Tue Nov 20 20:08:51 2018 (r340696)
+++ stable/12/share/mk/bsd.lib.mk Tue Nov 20 20:16:03 2018 (r340697)
@@ -69,6 +69,12 @@ TAGS+= package=${PACKAGE:Uruntime}
TAG_ARGS= -T ${TAGS:[*]:S/ /,/g}
.endif
+.if ${MK_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+CXXFLAGS+= -mretpoline
+LDFLAGS+= -Wl,-zretpolineplt
+.endif
+
.if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \
empty(DEBUG_FLAGS:M-gdwarf*)
CFLAGS+= ${DEBUG_FILES_CFLAGS}
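Review bot: Nothing in the added `.if ${MK_RETPOLINE} != "no"` block checks that the compiler accepts `-mretpoline` or that the linker accepts `-zretpolineplt`, so setting WITH_RETPOLINE with a toolchain that lacks them would presumably surface as an opaque compile or link error. The commit log already acknowledges that some toolchains lack support. A guard that stops with a message naming the knob, or at least a comment such as `# Requires compiler support for -mretpoline and linker support for -zretpolineplt`, would make the requirement explicit. The same applies to the matching block in bsd.prog.mk.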
Modified: stable/12/share/mk/bsd.opts.mk
==============================================================================
--- stable/12/share/mk/bsd.opts.mk Tue Nov 20 20:08:51 2018 (r340696)
+++ stable/12/share/mk/bsd.opts.mk Tue Nov 20 20:16:03 2018 (r340697)
@@ -72,6 +72,7 @@ __DEFAULT_NO_OPTIONS = \
CCACHE_BUILD \
CTF \
INSTALL_AS_USER \
+ RETPOLINE \
STALE_STAGED
__DEFAULT_DEPENDENT_OPTIONS = \
Modified: stable/12/share/mk/bsd.prog.mk
==============================================================================
--- stable/12/share/mk/bsd.prog.mk Tue Nov 20 20:08:51 2018 (r340696)
+++ stable/12/share/mk/bsd.prog.mk Tue Nov 20 20:16:03 2018 (r340697)
@@ -34,6 +34,15 @@ PROG= ${PROG_CXX}
MK_DEBUG_FILES= no
.endif
+.if ${MK_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+CXXFLAGS+= -mretpoline
+# retpolineplt is broken with static linking (PR 233336)
+.if !defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO"
+LDFLAGS+= -Wl,-zretpolineplt
+.endif
+.endif
+
.if defined(CRUNCH_CFLAGS)
CFLAGS+=${CRUNCH_CFLAGS}
.else
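Review bot: The `-zretpolineplt` guard tests only NO_SHARED, so a program that reaches a static link some other way, as the rescue binary did through its crunchgen-generated Makefile, would still get the flag and hit the startup crash described in PR 233336. Extending the condition, e.g. `.if (!defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO") && empty(LDFLAGS:M-static)`, would also catch `-static` placed in LDFLAGS before this file is included. Whether any Makefile in the tree does that is not visible here. The existing comment could also state that `-mretpoline` is still applied to static programs, so only the PLT part of the mitigation is skipped.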
Copied: stable/12/tools/build/options/WITH_RETPOLINE (from r339511, head/tools/build/options/WITH_RETPOLINE)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ stable/12/tools/build/options/WITH_RETPOLINE Tue Nov 20 20:16:03 2018 (r340697, copy of r339511, head/tools/build/options/WITH_RETPOLINE)
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to build the base system with the retpoline speculative execution
+vulnerability mitigation for CVE-2017-5715.