Add checks for Spectre v2 mitigation (retpoline)

This adds checks for gcc and clang flags for mitigations for Spectre variant 2, ie "retpoline". It'll automatically enabled if the compiler supports it as part of toolchain hardening flag. ok djm@
openssh · Feb 10, 2018 · 3377df0 · 3377df0
1 parent d9e5cf0
commit 3377df0
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/configure.ac b/configure.ac
@@ -163,6 +163,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
 	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
     if test "x$use_toolchain_hardening" = "x1"; then
+	OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc
+	OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc
+	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
+	OSSH_CHECK_CFLAG_LINK([-z retpolineplt])
 	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
 	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
 	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])