if (actually... when) the compiler is flipped to do BTI/ENDBR by default,

the install media would grow too much, so use the same strategy as we
for stack protector and other things: disable them, just on the install
media
ok kettenis

diff --git a/distrib/special/Makefile.inc b/distrib/special/Makefile.inc
index bc3c3ab..99547e8 100644 (file)
--- a/distrib/special/Makefile.inc
+++ b/distrib/special/Makefile.inc
@@ -2,6 +2,14 @@
 
 COPTS+=-Oz -fno-stack-protector
 COPTS+=-fno-unwind-tables -fno-asynchronous-unwind-tables
+
+.if ${MACHINE} == "amd64"
+COPTS+=-fcf-protection=none
+.endif
+.if ${MACHINE} == "arm64"
+COPTS+=-mbranch-protection=none
+.endif
+
 MAN=
 LDSTATIC=-static
 NOPIE=

diff --git a/usr.sbin/crunchgen/crunchgen.c b/usr.sbin/crunchgen/crunchgen.c
index 4526290..1bb6c30 100644 (file)
--- a/usr.sbin/crunchgen/crunchgen.c
+++ b/usr.sbin/crunchgen/crunchgen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crunchgen.c,v 1.25 2021/11/15 15:14:24 millert Exp $       */
+/* $OpenBSD: crunchgen.c,v 1.26 2023/04/16 19:57:01 deraadt Exp $       */
 
 /*
  * Copyright (c) 1994 University of Maryland
@@ -895,6 +895,12 @@ top_makefile_rules(FILE * outmk)
        fprintf(outmk, "CFLAGS+=-Oz\n");
        fprintf(outmk, "CFLAGS+=-fno-stack-protector\n");
        fprintf(outmk, "CFLAGS+=-fno-unwind-tables\n");
+       fprintf(outmk, ".if ${MACHINE} == \"amd64\"\n");
+       fprintf(outmk, "CFLAGS+=-fcf-protection=none\n");
+       fprintf(outmk, ".endif\n");
+       fprintf(outmk, ".if ${MACHINE} == \"arm64\"\n");
+       fprintf(outmk, "CFLAGS+=-mbranch-protection=none\n");
+       fprintf(outmk, ".endif\n");
        fprintf(outmk, "CFLAGS+=-fno-asynchronous-unwind-tables\n");
        fprintf(outmk, "LDFLAGS+=$(NOPIE_LDFLAGS)\n");
        fprintf(outmk, "STRIP?=strip\n");