compile regular kernels with -fcf-protection=branch, and ramdisks with

-fcf-protection=none, regardless of what the compiler default is.
-fcf-protection=branch puts endbr64 instructions on functions which could
be reached indirectly.
ok guenther kettenis

diff --git a/sys/arch/amd64/conf/Makefile.amd64 b/sys/arch/amd64/conf/Makefile.amd64
index 6117a92..3aee5b4 100644 (file)
--- a/sys/arch/amd64/conf/Makefile.amd64
+++ b/sys/arch/amd64/conf/Makefile.amd64
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile.amd64,v 1.129 2023/01/01 01:34:33 jsg Exp $
+#      $OpenBSD: Makefile.amd64,v 1.130 2023/04/16 23:57:59 deraadt Exp $
 
 # For instructions on building kernels consult the config(8) and options(4)
 # manual pages.
@@ -69,8 +69,10 @@ CMACHFLAGS+= -msave-args
 SORTR=         cat
 COPTIMIZE=     -Oz
 .if ${COMPILER_VERSION:Mclang}
-CMACHFLAGS+=   -mno-retpoline
+CMACHFLAGS+=   -mno-retpoline -fcf-protection=branch
 .endif
+.else
+CMACHFLAGS+=   -fcf-protection=branch
 .endif
 .if ${COMPILER_VERSION:Mclang}
 NO_INTEGR_AS=  -no-integrated-as