Add GCC specific options to help mitigation Spectre variant 2. For 32-bit kernels: -mindirect-branch=thunk -mindirect-branch-register For 64-bit kernels: -mindirect-branch=thunk-inline -mindirect-branch-register
Index: share/man/man4/options.4
===================================================================
RCS file: /cvsroot/src/share/man/man4/options.4,v
retrieving revision 1.484
diff -p -u -r1.484 options.4
--- share/man/man4/options.4 1 Apr 2018 04:35:02 -0000 1.484
+++ share/man/man4/options.4 5 Apr 2018 22:27:31 -0000
@@ -30,7 +30,7 @@
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\"
-.Dd February 17, 2018
+.Dd April 5, 2018
 .Dt OPTIONS 4
 .Os
 .Sh NAME
@@ -2469,6 +2469,17 @@ base memory size to prevent programs ove
 This is correct behavior, and you should not use the
 .Em REALBASEMEM
 option to access this memory).
+.It Cd options SPECTRE_V2_GCC_MITIGATION=1
+Enable GCC-specific Spectre variant 2 mitigations.
+For 32-bit kernels this means these options:
+.Bd -literal -offset indent
+-mindirect-branch=thunk -mindirect-branch-register
+.Ed
+.Pp
+For 64-bit kernels this means these options:
+.Bd -literal -offset indent
+-mindirect-branch=thunk-inline -mindirect-branch-register
+.Ed
 .It Cd options REALEXTMEM=integer
 Overrides the extended memory size passed in from the boot block.
 (Value given in kilobytes.
@@ -2702,6 +2713,7 @@ bolded
 .\" .Sh EXAMPLES
 .Sh SEE ALSO
 .Xr config 1 ,
+.Xr gcc 1 ,
 .Xr gdb 1 ,
 .Xr ktrace 1 ,
 .Xr pmc 1 ,
Index: sys/arch/i386/conf/GENERIC
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/conf/GENERIC,v
retrieving revision 1.1174
diff -p -u -r1.1174 GENERIC
--- sys/arch/i386/conf/GENERIC 10 Dec 2017 17:19:48 -0000 1.1174
+++ sys/arch/i386/conf/GENERIC 5 Apr 2018 22:27:31 -0000
@@ -29,6 +29,8 @@ maxusers 64 # estimated number of users
 # CPU-related options.
 options USER_LDT # user-settable LDT; used by WINE
 #options PAE # PAE mode (36 bits physical addressing)
+makeoptions SPECTRE_V2_GCC_MITIGATION=1 # GCC Spectre variant 2
+ # migitation
 # CPU features
 acpicpu* at cpu? # ACPI CPU (including frequency scaling)
Index: sys/arch/i386/conf/Makefile.i386
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/conf/Makefile.i386,v
retrieving revision 1.189
diff -p -u -r1.189 Makefile.i386
--- sys/arch/i386/conf/Makefile.i386 23 Feb 2018 14:16:52 -0000 1.189
+++ sys/arch/i386/conf/Makefile.i386 5 Apr 2018 22:27:31 -0000
@@ -39,6 +39,11 @@ CFLAGS+= -msoft-float
 ## no-sse implies no-sse2 but not no-avx
 CFLAGS+= -mno-mmx -mno-sse -mno-avx
+.if !empty(SPECTRE_V2_GCC_MITIGATION) && ${HAVE_GCC:U0} > 0
+CFLAGS+= -mindirect-branch=thunk
+CFLAGS+= -mindirect-branch-register
+.endif
+
 ##
 ## (3) libkern and compat
 ##
Index: sys/arch/i386/conf/files.i386
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/conf/files.i386,v
retrieving revision 1.391
diff -p -u -r1.391 files.i386
--- sys/arch/i386/conf/files.i386 16 Mar 2018 12:48:54 -0000 1.391
+++ sys/arch/i386/conf/files.i386 5 Apr 2018 22:27:31 -0000
@@ -41,6 +41,9 @@ defparam opt_pcibios.h PCIBIOS_IRQS_HINT
 # splraise()/spllower() debug
 defflag opt_spldebug.h SPLDEBUG
+# Enable GCC spectre V2 mitigation options
+defflag opt_spectre.h SPECTRE_V2_GCC_MITIGATION
+
 # Beep on halt
 defflag opt_beep.h BEEP_ONHALT
 defparam opt_beep.h BEEP_ONHALT_COUNT=3
Index: sys/arch/amd64/conf/GENERIC
===================================================================
RCS file: /cvsroot/src/sys/arch/amd64/conf/GENERIC,v
retrieving revision 1.486
diff -p -u -r1.486 GENERIC
--- sys/arch/amd64/conf/GENERIC 22 Mar 2018 12:26:29 -0000 1.486
+++ sys/arch/amd64/conf/GENERIC 5 Apr 2018 22:27:31 -0000
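Review bot: The i386 GENERIC hunk sets the knob with `makeoptions SPECTRE_V2_GCC_MITIGATION=1`, but the options.4 entry added by the same patch documents it as `options SPECTRE_V2_GCC_MITIGATION=1`. The Makefile.i386 test reads a make variable, so a custom kernel config that follows the manual page and writes `options` would presumably not get the `-mindirect-branch` flags, and nothing would warn that the kernel was built without them. The manual entry should read `.It Cd makeoptions SPECTRE_V2_GCC_MITIGATION=1`; the amd64 GENERIC hunk has the same mismatch. The continuation comment in both GENERIC hunks also misspells the word, it should be `# mitigation`.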
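Review bot: In the `.if` added to Makefile.i386, `!empty(SPECTRE_V2_GCC_MITIGATION)` is true for any non-empty value, so `makeoptions SPECTRE_V2_GCC_MITIGATION=0` still turns the flags on. A numeric test in the same idiom as the HAVE_GCC check beside it would be `.if ${SPECTRE_V2_GCC_MITIGATION:U0} > 0 && ${HAVE_GCC:U0} > 0`. Separately, `${HAVE_GCC:U0} > 0` only establishes that some GCC is in use, not that it accepts `-mindirect-branch`, which older GCC releases reject; if HAVE_GCC carries the compiler version in this tree, the comparison should name the first version that has the option. The identical condition in the Makefile.amd64 hunk needs the same treatment.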
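Review bot: `defflag opt_spectre.h SPECTRE_V2_GCC_MITIGATION` in the files.i386 hunk declares an option header that nothing in this patch includes, and GENERIC sets the name through `makeoptions` rather than `options`, so as far as the diff shows opt_spectre.h is never populated or read. Either drop the defflag (here and in the files.amd64 hunk) or give it a consumer, for example code that reports whether the kernel was built with the thunks, so the state of the mitigation can be checked on a running system. If it stays, the comment above it should say which source file is expected to include opt_spectre.h.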
@@ -76,6 +76,8 @@ options SYSCTL_INCLUDE_DESCR # Include
 # CPU-related options
 #options USER_LDT # user-settable LDT; used by WINE
 options SVS # Separate Virtual Space
+makeoptions SPECTRE_V2_GCC_MITIGATION=1 # GCC Spectre variant 2
+ # migitation
 # CPU features
 acpicpu* at cpu? # ACPI CPU (including frequency scaling)
Index: sys/arch/amd64/conf/Makefile.amd64
===================================================================
RCS file: /cvsroot/src/sys/arch/amd64/conf/Makefile.amd64,v
retrieving revision 1.66
diff -p -u -r1.66 Makefile.amd64
--- sys/arch/amd64/conf/Makefile.amd64 23 Feb 2018 14:16:52 -0000 1.66
+++ sys/arch/amd64/conf/Makefile.amd64 5 Apr 2018 22:27:31 -0000
@@ -43,6 +43,11 @@ CFLAGS+= -msoft-float
 # For gcc we might need this, but other compilers barf
 # CFLAGS+= -mno-fp-ret-in-387
+.if !empty(SPECTRE_V2_GCC_MITIGATION) && ${HAVE_GCC:U0} > 0
+CFLAGS+= -mindirect-branch=thunk-inline
+CFLAGS+= -mindirect-branch-register
+.endif
+
 ##
 ## (3) libkern and compat
 ##
Index: sys/arch/amd64/conf/files.amd64
===================================================================
RCS file: /cvsroot/src/sys/arch/amd64/conf/files.amd64,v
retrieving revision 1.101
diff -p -u -r1.101 files.amd64
--- sys/arch/amd64/conf/files.amd64 20 Jan 2018 14:27:14 -0000 1.101
+++ sys/arch/amd64/conf/files.amd64 5 Apr 2018 22:27:31 -0000
@@ -19,6 +19,9 @@ defparam opt_realmem.h REALBASEMEM REALE
 # The PHYSMEM_MAX_{SIZE,ADDR} optionms
 defparam opt_physmem.h PHYSMEM_MAX_ADDR PHYSMEM_MAX_SIZE
+# Enable GCC spectre V2 mitigation options
+defflag opt_spectre.h SPECTRE_V2_GCC_MITIGATION
+
 #
 # XXX these are just here at the moment so that we can share files
 # with the i386 (they include the opt_*.h for these)
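Review bot: The Makefile.amd64 hunk selects `-mindirect-branch=thunk-inline` while the i386 hunk uses `-mindirect-branch=thunk`, and neither the Makefile nor the commit message says why the two architectures differ. `thunk-inline` expands the thunk at each indirect call or jump instead of sharing out-of-line thunks, which costs text size, so the choice deserves a comment above the `.if`, such as `## Spectre v2: compiler-generated indirect branches use inline thunks on amd64 because <reason>`. These are CFLAGS only, so indirect calls and jumps in hand-written assembly sources are not changed by the option; whether any remain in the amd64 kernel is not visible from this hunk, and the options.4 text would be more accurate if it said the mitigation covers compiled C code.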