Index: head/sys/conf/kern.mk
===================================================================
--- head/sys/conf/kern.mk
+++ head/sys/conf/kern.mk
@@ -203,7 +203,7 @@
 # gcc and clang opimizers take advantage of this. The kernel makes
 # use of signed integer wraparound mechanics so we need the compiler
 # to treat it as a wraparound and not take shortcuts.
-#
+#
 CFLAGS+= -fwrapv
 
 #
@@ -212,6 +212,14 @@
 .if ${MK_SSP} != "no" && \
 ${MACHINE_CPUARCH} != "arm" && ${MACHINE_CPUARCH} != "mips"
 CFLAGS+= -fstack-protector
+.endif
+
+#
+# Retpoline speculative execution vulnerability mitigation (CVE-2017-5715)
+#
+.if defined(COMPILER_FEATURES) && ${COMPILER_FEATURES:Mretpoline} != "" && \
+ ${MK_KERNEL_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
 .endif
 
 #
Index: head/sys/conf/kern.opts.mk
===================================================================
--- head/sys/conf/kern.opts.mk
+++ head/sys/conf/kern.opts.mk
@@ -47,6 +47,7 @@
 
 __DEFAULT_NO_OPTIONS = \
 EXTRA_TCP_STACKS \
+ KERNEL_RETPOLINE \
 NAND \
 OFED \
 RATELIMIT \
@@ -83,6 +84,11 @@
 # for them.
 .if ${MACHINE} != "i386" && ${MACHINE} != "amd64"
 BROKEN_OPTIONS+= OFED
+.endif
+
+# Things that don't work based on toolchain support.
+.if ${MACHINE} != "amd64"
+BROKEN_OPTIONS+= KERNEL_RETPOLINE
 .endif
 
 # expanded inline from bsd.mkopt.mk to avoid share/mk dependency
Index: head/tools/build/options/WITHOUT_KERNEL_RETPOLINE
===================================================================
--- head/tools/build/options/WITHOUT_KERNEL_RETPOLINE
+++ head/tools/build/options/WITHOUT_KERNEL_RETPOLINE
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to disable the "retpoline" mitigation for CVE-2017-5715 in the kernel
+build.
Index: head/tools/build/options/WITH_KERNEL_RETPOLINE
===================================================================
--- head/tools/build/options/WITH_KERNEL_RETPOLINE
+++ head/tools/build/options/WITH_KERNEL_RETPOLINE
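Review bot: In the new kern.mk block, a build that explicitly requests the mitigation (`${MK_KERNEL_RETPOLINE} != "no"`) but whose compiler does not report `retpoline` in COMPILER_FEATURES silently produces a kernel without `-mretpoline`, and nothing tells the operator that the requested mitigation was dropped. Because KERNEL_RETPOLINE sits in `__DEFAULT_NO_OPTIONS`, reaching that state means someone set WITH_KERNEL_RETPOLINE deliberately (other architectures are presumably forced off by the BROKEN_OPTIONS entry in kern.opts.mk), so it deserves a diagnostic rather than a quiet fallback. Suggest adding `.elif ${MK_KERNEL_RETPOLINE} != "no"` followed by `.warning KERNEL_RETPOLINE requested but the compiler lacks retpoline support; building without -mretpoline` before the closing `.endif`, so the absence of the mitigation is visible in the build log rather than only discoverable by inspecting the resulting kernel.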
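Review bot: The comment `# Things that don't work based on toolchain support.` above the new `.if ${MACHINE} != "amd64"` in kern.opts.mk does not describe the test beneath it, which checks the target architecture, not the toolchain; the actual toolchain check (`${COMPILER_FEATURES:Mretpoline}`) lives in the kern.mk hunk. Suggest `# Retpoline is only wired up on amd64; kern.mk separately checks COMPILER_FEATURES for actual toolchain support.` so a reader does not expect this guard to react to the compiler in use. It would also help to record why i386 is excluded even though the OFED guard just above treats i386 and amd64 as peers — presumably a backend limitation at the time, but the hunk does not say.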
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to enable the "retpoline" mitigation for CVE-2017-5715 in the kernel
+build.