Index: sys/conf/kern.mk
===================================================================
--- sys/conf/kern.mk
+++ sys/conf/kern.mk
@@ -203,7 +203,7 @@
 # gcc and clang opimizers take advantage of this. The kernel makes
 # use of signed integer wraparound mechanics so we need the compiler
 # to treat it as a wraparound and not take shortcuts.
-#
+#
 CFLAGS+= -fwrapv
 #
@@ -214,6 +214,14 @@
 CFLAGS+= -fstack-protector
 .endif
+#
+# Retpoline speculative execution vulnerability mitigation (CVE-2017-5715)
+#
+.if defined(COMPILER_FEATURES) && ${COMPILER_FEATURES:Mretpoline} != "" && \
+ ${MK_KERNEL_RETPOLINE} != "no"
+CFLAGS+= -mretpoline
+.endif
+
 #
 # Add -gdwarf-2 when compiling -g. The default starting in clang v3.4
 # and gcc 4.8 is to generate DWARF version 4. However, our tools don't
Index: sys/conf/kern.opts.mk
===================================================================
--- sys/conf/kern.opts.mk
+++ sys/conf/kern.opts.mk
@@ -47,6 +47,7 @@
 __DEFAULT_NO_OPTIONS = \
 EXTRA_TCP_STACKS \
+ KERNEL_RETPOLINE \
 NAND \
 OFED \
 RATELIMIT \
@@ -85,6 +86,11 @@
 BROKEN_OPTIONS+= OFED
 .endif
+# Things that don't work based on toolchain support.
+.if ${MACHINE} != "amd64"
+BROKEN_OPTIONS+= KERNEL_RETPOLINE
+.endif
+
 # expanded inline from bsd.mkopt.mk to avoid share/mk dependency
 # Those that default to yes
Index: tools/build/options/WITHOUT_KERNEL_RETPOLINE
===================================================================
--- /dev/null
+++ tools/build/options/WITHOUT_KERNEL_RETPOLINE
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to disable the "retpoline" mitigation for CVE-2017-5715 in the kernel
+build.
Index: tools/build/options/WITH_KERNEL_RETPOLINE
===================================================================
--- /dev/null
+++ tools/build/options/WITH_KERNEL_RETPOLINE
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Set to enable the "retpoline" mitigation for CVE-2017-5715 in the kernel
+build.
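Review bot: When KERNEL_RETPOLINE is explicitly enabled but the compiler does not advertise the feature, the new `.if` in the kern.mk `@@ -214,6 +214,14 @@` hunk silently omits `-mretpoline` and the build succeeds without the CVE-2017-5715 mitigation the user asked for; a requested mitigation that cannot be applied should fail loudly rather than quietly degrade. Add a fallback branch before the `.endif`: `.elif ${MK_KERNEL_RETPOLINE} == "yes"` followed by `.error KERNEL_RETPOLINE requested but the compiler does not support -mretpoline` (a `.warning` if a hard failure is considered too disruptive). The header comment should also state the known limits of this flag so nobody reads it as a complete Spectre v2 fix: `-mretpoline` only rewrites indirect branches in compiler-generated code, so hand-written assembly in the kernel is not covered, and the COMPILER_FEATURES side that sets `retpoline` is not part of this diff, so which toolchains actually take this path cannot be confirmed from here. The `.if`/`.endif` block is complete within the hunk.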
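Review bot: The comment added in the kern.opts.mk `@@ -85,6 +86,11 @@` hunk says "Things that don't work based on toolchain support", but the test underneath it is on `${MACHINE}`, i.e. the target architecture, and the only toolchain check in this diff is the COMPILER_FEATURES test in kern.mk; the comment should describe the gate it sits above. Suggested wording: `# Retpoline is only wired up for amd64 in kern.mk; the compiler-support check lives there.` This also makes it explicit that i386, which is equally exposed to CVE-2017-5715, is deliberately forced to "no" here even under WITH_KERNEL_RETPOLINE — if that is a temporary restriction rather than a toolchain limitation, a note saying so would help whoever extends it later.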