Index: sys/conf/kern.mk
===================================================================
--- sys/conf/kern.mk
+++ sys/conf/kern.mk
@@ -203,7 +203,7 @@
 # gcc and clang opimizers take advantage of this. The kernel makes
 # use of signed integer wraparound mechanics so we need the compiler
 # to treat it as a wraparound and not take shortcuts.
-#
+#
 CFLAGS+= -fwrapv
 
 #
@@ -214,6 +214,16 @@
 CFLAGS+= -fstack-protector
 .endif
 
+#
+# Retpoline speculative execution vulnerability mitigation (CVE-2017-5715)
+#
+.if ${MK_RETPOLINE} != "no"
+.if defined(COMPILER_FEATURES) && ${COMPILER_FEATURES:Mretpoline} == ""
+.error Retpoline enabled but not supported by the compiler.
+.endif
+CFLAGS+= -mretpoline
+.endif
+
 #
 # Add -gdwarf-2 when compiling -g. The default starting in clang v3.4
 # and gcc 4.8 is to generate DWARF version 4. However, our tools don't
Index: sys/conf/kern.opts.mk
===================================================================
--- sys/conf/kern.opts.mk
+++ sys/conf/kern.opts.mk
@@ -41,6 +41,7 @@
 NETGRAPH \
 PF \
 REPRODUCIBLE_BUILD \
+RETPOLINE \
 SOURCELESS_HOST \
 SOURCELESS_UCODE \
 TESTS \
@@ -87,6 +88,11 @@
 BROKEN_OPTIONS+= OFED
 .endif
 
+# Things that don't work based on toolchain support.
+.if ${MACHINE} != "amd64"
+BROKEN_OPTIONS+= RETPOLINE
+.endif
+
 # expanded inline from bsd.mkopt.mk to avoid share/mk dependency
 
 # Those that default to yes
Index: tools/build/options/WITHOUT_RETPOLINE
===================================================================
--- /dev/null
+++ tools/build/options/WITHOUT_RETPOLINE
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to disable the "retpoline" mitigation for CVE-2017-5715 in the kernel build.
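Review bot: The compiler-support guard added in kern.mk, `.if defined(COMPILER_FEATURES) && ${COMPILER_FEATURES:Mretpoline} == ""`, only fires when COMPILER_FEATURES is already set, so a build in which it is undefined passes `-mretpoline` unconditionally and fails inside the compiler with a far less useful diagnostic than the `.error` that follows. If there is no path where COMPILER_FEATURES can legitimately be absent at this point, inverting the test to `.if !defined(COMPILER_FEATURES) || ${COMPILER_FEATURES:Mretpoline} == ""` makes the failure explicit; if there is such a path, a comment saying why the undefined case is trusted would help the next reader. The `.error` text could also name the knob that turns the mitigation off, e.g. `.error Retpoline enabled but not supported by the compiler; set WITHOUT_RETPOLINE to disable.`, since the option is introduced as default-on by this same change. Note that `-mretpoline` is the clang spelling and only rewrites indirect branches the compiler itself emits; indirect jumps or calls in hand-written assembly are presumably not covered by this flag and need separate handling, which the hunk does not mention.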
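Review bot: The comment `# Things that don't work based on toolchain support.` in kern.opts.mk does not match the test beneath it, which keys on `${MACHINE}` rather than on anything about the toolchain; an amd64 build with a compiler lacking retpoline support still has the option enabled here and is only stopped later by kern.mk's `.error`, rather than being marked broken and auto-disabled. A comment stating the rule the code actually implements, e.g. `# The retpoline mitigation is only supported on amd64 for now.`, would avoid misleading the next reader. If the intent really is to key on toolchain support, the check would need to consult COMPILER_FEATURES, assuming that is available at the point kern.opts.mk is parsed, which I cannot confirm from this hunk.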