[openssh-commits] [openssh] branch master updated: add a --without-retpoline configure option

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Mar 6 10:33:44 AEDT 2024 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new 668d270a add a --without-retpoline configure option
668d270a is described below

commit 668d270a6c77e8b5a1da26ecad2e6de9f62c8fe4
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Wed Mar 6 10:33:20 2024 +1100

    add a --without-retpoline configure option
    
    discussed with deraadt and dtucker a while ago
---
 configure.ac | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index fda09283..c1af4b42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -149,6 +149,7 @@ fi
 
 use_stack_protector=1
 use_toolchain_hardening=1
+use_retpoline=1
 AC_ARG_WITH([stackprotect],
     [  --without-stackprotect  Don't use compiler's stack protection], [
     if test "x$withval" = "xno"; then
@@ -159,6 +160,11 @@ AC_ARG_WITH([hardening],
     if test "x$withval" = "xno"; then
 	use_toolchain_hardening=0
     fi ])
+AC_ARG_WITH([retpoline],
+    [  --without-retpoline     Enable retpoline spectre mitigation], [
+    if test "x$withval" = "xno"; then
+	use_retpoline=0
+    fi ])
 
 # We use -Werror for the tests only so that we catch warnings like "this is
 # on by default" for things like -fPIE.
@@ -216,8 +222,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 	OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
 	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
     if test "x$use_toolchain_hardening" = "x1"; then
-	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
-	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
 	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
 	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
 	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
@@ -240,6 +244,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 	esac
 	OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
     fi
+    if test "x$use_retpoline" = "x1"; then
+	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
+	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
+    fi
 
 	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
 	saved_CFLAGS="$CFLAGS"

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list