The branch main has been updated by netchild:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1c2ae9233b0ed4f6b92c59c0e4026f6ddc073e4a

commit 1c2ae9233b0ed4f6b92c59c0e4026f6ddc073e4a
Author:     Alexander Leidinger <netch...@freebsd.org>
AuthorDate: 2025-01-31 12:11:06 +0000
Commit:     Alexander Leidinger <netch...@freebsd.org>
CommitDate: 2025-01-31 12:15:29 +0000

    Limit some cc options based upon features
    
    Limit the use of stack clash protection and zeroregs based upon
    compiler features:
     - switch unconditional use of stack clash protection into a compiler
       feature
     - limit the use of stack clash protection on unsupported architectures
       (I did not wade into the source of each compiler to determine when
       support arrived for each architecture, I used the compiler version
       when it was introduced with what is supported currently)
     - add a safeguard for stack clash protection in places where we have no
       SSP provisions (we may not need it, but better safe than sorry when
       something changes or is overridden by the user)
     - limit the use of zeroregs the same way, so that even specifying it
       will not lead to build failures (useful for universe builds when
       WITH_ZEROREGS is specified in src.conf)
    
    Differential Revision:  https://reviews.freebsd.org/D48724
---
 share/mk/bsd.compiler.mk | 13 ++++++++++++-
 share/mk/bsd.lib.mk      | 10 +++++-----
 share/mk/bsd.sys.mk      |  4 ++++
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/share/mk/bsd.compiler.mk b/share/mk/bsd.compiler.mk
index bf6ef3956d7d..f93d3495b1aa 100644
--- a/share/mk/bsd.compiler.mk
+++ b/share/mk/bsd.compiler.mk
@@ -24,6 +24,7 @@
 # - retpoline: supports the retpoline speculative execution vulnerability
 #              mitigation.
 # - init-all:  supports stack variable initialization.
+# - stackclash:supports stack clash protection
 # - zeroregs:  supports zeroing used registers on return
 # - aarch64-sha512: supports the AArch64 sha512 intrinsic functions.
 #
@@ -264,8 +265,18 @@ ${X_}COMPILER_FEATURES+=   compressed-debug
 ${X_}COMPILER_FEATURES+=       fileprefixmap
 .endif
 
+.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 70000 \
+       && ${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "") || \
+       (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 81000 \
+       && ${MACHINE_ARCH:Mriscv*} != "")
+${X_}COMPILER_FEATURES+=       stackclash
+.endif
+
+
 .if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) 
|| \
-       (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000)
+       (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000) 
&& \
+       ${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "" && \
+       ${MACHINE_ARCH:Marmv7*} != "" 
 ${X_}COMPILER_FEATURES+=       zeroregs
 .endif
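Review bot: The architecture tests in both new conditions look inverted: `${MACHINE_ARCH:Mriscv*} != ""` is true only when the architecture matches, so the clang branch of the stackclash test needs MACHINE_ARCH to match `riscv*` and `power*` at once and can never hold, while the gcc branch enables the feature only on riscv. If the intent is the one stated in the commit message (skip architectures without support), these should compare with `== ""`; as written, clang builds would appear to lose `-fstack-clash-protection` everywhere once bsd.sys.mk keys on this feature. In the zeroregs condition `&&` binds tighter than `||`, so the added architecture tests attach to the gcc alternative only and clang >= 150000 still gets zeroregs on every architecture; the two compiler alternatives need an enclosing pair of parentheses. The list of excluded architectures below is copied from the hunk and not verified.

```make
.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 70000 \
	&& ${MACHINE_ARCH:Mriscv*} == "" && ${MACHINE_ARCH:Mpower*} == "") || \
	(${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 81000 \
	&& ${MACHINE_ARCH:Mriscv*} == "")
# … unchanged: stackclash feature line and .endif …
.if ((${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \
	(${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000)) && \
	${MACHINE_ARCH:Mriscv*} == "" && ${MACHINE_ARCH:Mpower*} == "" && \
	${MACHINE_ARCH:Marmv7*} == ""
# … unchanged: zeroregs feature line and .endif …
```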
 
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
index cf4140d0b3e6..cf8057907a1f 100644
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -170,7 +170,7 @@ PO_FLAG=-pg
        ${CTFCONVERT_CMD}
 
 .c.nossppico:
-       ${CC} ${PICFLAG} -DPIC 
${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} 
${CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o 
${.TARGET}
+       ${CC} ${PICFLAG} -DPIC 
${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//}
 
${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//}
 -c ${.IMPSRC} -o ${.TARGET}
        ${CTFCONVERT_CMD}
 
 .c.pieo:
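Review bot: The filter `:C/^-fstack-clash-protection.*$//` is pasted into the `.c.nossppico` recipe here and again into the C++, `.f`, `.asm` and `.S` nossppico recipes in the later hunks of this file, with no comment saying why these objects must lose the flag. A short comment above the first rule would keep the copies from drifting, for example `# nossppico objects are built without stack protector and stack clash instrumentation; keep these filters in sync with SSP_CFLAGS in bsd.sys.mk.` The filters remove only the flags they name, so any other hardening option a user puts into SSP_CFLAGS would still reach these objects; if that matters, it should be stated in the same comment.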
@@ -184,7 +184,7 @@ PO_FLAG=-pg
        ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o 
${.TARGET}
 
 .cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico:
-       ${CXX} ${PICFLAG} -DPIC 
${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} 
${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o 
${.TARGET}
+       ${CXX} ${PICFLAG} -DPIC 
${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//}
 
${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//}
 -c ${.IMPSRC} -o ${.TARGET}
 
 .cc.pieo .C.pieo .cpp.pieo .cxx.pieo:
        ${CXX} ${PIEFLAG} ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o 
${.TARGET}
@@ -198,7 +198,7 @@ PO_FLAG=-pg
        ${CTFCONVERT_CMD}
 
 .f.nossppico:
-       ${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//} -o 
${.TARGET} -c ${.IMPSRC}
+       ${FC} ${PICFLAG} -DPIC 
${FFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} -o 
${.TARGET} -c ${.IMPSRC}
        ${CTFCONVERT_CMD}
 
 .s.po .s.pico .s.nossppico .s.pieo:
@@ -217,7 +217,7 @@ PO_FLAG=-pg
 
 .asm.nossppico:
        ${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PICFLAG} -DPIC \
-           ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} -c ${.IMPSRC} -o 
${.TARGET}
+           
${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} 
-c ${.IMPSRC} -o ${.TARGET}
        ${CTFCONVERT_CMD}
 
 .asm.pieo:
@@ -236,7 +236,7 @@ PO_FLAG=-pg
        ${CTFCONVERT_CMD}
 
 .S.nossppico:
-       ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC 
${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} \
+       ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC 
${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} 
\
            -c ${.IMPSRC} -o ${.TARGET}
        ${CTFCONVERT_CMD}
 
diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk
index 06f8e6e9fe78..c136bf1e1aff 100644
--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@@ -304,7 +304,11 @@ CXXFLAGS.clang+=    -Wno-c++11-extensions
 FORTIFY_SOURCE?=       0
 .if ${MK_SSP} != "no"
 # Don't use -Wstack-protector as it breaks world with -Werror.
+.if ${COMPILER_FEATURES:Mstackclash}
 SSP_CFLAGS?=   -fstack-protector-strong -fstack-clash-protection
+.else
+SSP_CFLAGS?=   -fstack-protector-strong
+.endif
 CFLAGS+=       ${SSP_CFLAGS}
 .endif # SSP
 .if ${FORTIFY_SOURCE} > 0
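Review bot: The `.else` branch drops `-fstack-clash-protection` without leaving any trace, so a build whose compiler is not reported as having the `stackclash` feature silently gets less stack hardening than before this change. A comment above the test would make that visible to someone auditing the flags, for example `# -fstack-clash-protection is added only when bsd.compiler.mk reports the stackclash feature; otherwise SSP alone is used.` Because `SSP_CFLAGS` is assigned with `?=`, a value set by the user bypasses this test entirely, which is presumably why the nossppico rules filter the flag separately; the comment could say so.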
