RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2025-02-20 07:46:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

add a --without-retpoline configure option

Browse Source 
discussed with deraadt and dtucker a while ago
This commit is contained in:
Damien Miller 2024-03-06 10:33:20 +11:00
parent 3deb501f86
commit 668d270a6c
No known key found for this signature in database
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
configure.ac
View File

@ -149,6 +149,7 @@ fi
use_stack_protector=1 use_stack_protector=1
use_toolchain_hardening=1 use_toolchain_hardening=1
use_retpoline=1
AC_ARG_WITH([stackprotect], AC_ARG_WITH([stackprotect],
[ --without-stackprotect Don't use compiler's stack protection], [ [ --without-stackprotect Don't use compiler's stack protection], [
if test "x$withval" = "xno"; then if test "x$withval" = "xno"; then
@ -159,6 +160,11 @@ AC_ARG_WITH([hardening],
if test "x$withval" = "xno"; then if test "x$withval" = "xno"; then
use_toolchain_hardening=0 use_toolchain_hardening=0
fi ]) fi ])
AC_ARG_WITH([retpoline],
[ --without-retpoline Enable retpoline spectre mitigation], [
if test "x$withval" = "xno"; then
use_retpoline=0
fi ])
# We use -Werror for the tests only so that we catch warnings like "this is # We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE. # on by default" for things like -fPIE.
@ -216,8 +222,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical]) OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
if test "x$use_toolchain_hardening" = "x1"; then if test "x$use_toolchain_hardening" = "x1"; then
OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
@ -240,6 +244,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
esac esac
OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero]) OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
fi fi
if test "x$use_retpoline" = "x1"; then
OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
fi
AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset]) AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
saved_CFLAGS="$CFLAGS" saved_CFLAGS="$CFLAGS"