configure: Add spectre variant 2 mitigations

--enable-hardening adds -mfunction-return=thunk and -mindirect-branch=thunk compiler options if supported.
dovecot · Aug 7, 2018 · 9a90f5a · 9a90f5a
1 parent 1333d1d
commit 9a90f5a
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/configure.ac b/configure.ac
@@ -321,6 +321,7 @@ CC_CLANG
 AC_CC_PIE
 AC_CC_F_STACK_PROTECTOR
 AC_CC_D_FORTIFY_SOURCE
+AC_CC_RETPOLINE
 AC_LD_RELRO
 AC_LD_WHOLE_ARCHIVE
 

diff --git a/m4/cc_retpoline.m4 b/m4/cc_retpoline.m4
@@ -0,0 +1,18 @@
+dnl
+dnl Check for support for Retpoline
+dnl
+
+AC_DEFUN([AC_CC_RETPOLINE],[
+    AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])
+    if test $enable_hardening = yes; then
+      case "$host" in
+        *)
+          gl_COMPILER_OPTION_IF([-mfunction-return=thunk -mindirect-branch=thunk], [
+            CFLAGS="$CFLAGS -mfunction-return=thunk -mindirect-branch=thunk"
+            ],
+            [],
+            [AC_LANG_PROGRAM()]
+          )
+      esac
+    fi
+])