Index: Makefile.inc1 =================================================================== --- Makefile.inc1 +++ Makefile.inc1 @@ -655,7 +655,7 @@ -DNO_PIC MK_PROFILE=no -DNO_SHARED \ -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \ MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \ - MK_LLDB=no MK_TESTS=no \ + MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no \ MK_INCLUDES=yes BMAKE= \ @@ -676,7 +676,7 @@ -DNO_LINT \ -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \ MK_CLANG_EXTRAS=no MK_CLANG_FULL=no \ - MK_LLDB=no MK_TESTS=no + MK_LLDB=no MK_RETPOLINE=no MK_TESTS=no # cross-tools stage # TOOLS_PREFIX set in BMAKE @@ -2344,6 +2344,7 @@ MK_OFED=no \ MK_OPENSSH=no \ MK_PROFILE=no \ + MK_RETPOLINE=no \ MK_SENDMAIL=no \ MK_SVNLITE=no \ MK_TESTS=no \ Index: share/mk/bsd.lib.mk =================================================================== --- share/mk/bsd.lib.mk +++ share/mk/bsd.lib.mk @@ -69,6 +69,12 @@ TAG_ARGS= -T ${TAGS:[*]:S/ /,/g} .endif +.if ${MK_RETPOLINE} != "no" +CFLAGS+= -mretpoline +CXXFLAGS+= -mretpoline +LDFLAGS+= -Wl,-zretpolineplt +.endif + .if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \ empty(DEBUG_FLAGS:M-gdwarf*) CFLAGS+= ${DEBUG_FILES_CFLAGS} Index: share/mk/bsd.opts.mk =================================================================== --- share/mk/bsd.opts.mk +++ share/mk/bsd.opts.mk @@ -72,6 +72,7 @@ CCACHE_BUILD \ CTF \ INSTALL_AS_USER \ + RETPOLINE \ STALE_STAGED __DEFAULT_DEPENDENT_OPTIONS = \ Index: share/mk/bsd.prog.mk =================================================================== --- share/mk/bsd.prog.mk +++ share/mk/bsd.prog.mk @@ -34,6 +34,12 @@ MK_DEBUG_FILES= no .endif +.if ${MK_RETPOLINE} != "no" +CFLAGS+= -mretpoline +CXXFLAGS+= -mretpoline +LDFLAGS+= -Wl,-zretpolineplt +.endif + .if defined(CRUNCH_CFLAGS) CFLAGS+=${CRUNCH_CFLAGS} .else Index: tools/build/options/WITH_RETPOLINE =================================================================== --- /dev/null +++ tools/build/options/WITH_RETPOLINE @@ -0,0 +1,3 @@ +.\" $FreeBSD$ +Set to build the base system with the retpoline speculative execution +vulnerability mitigation for CVE-2017-5715.