From bc4845413b1871ad113f822a84b0ce143789f000 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Sun, 16 Apr 2023 23:57:59 +0000
Subject: [PATCH] compile regular kernels with -fcf-protection=branch, and ramdisks with -fcf-protection=none, regardless of what the compiler default is. -fcf-protection=branch puts endbr64 instructions on functions which could be reached indirectly. ok guenther kettenis

---
 sys/arch/amd64/conf/Makefile.amd64 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/arch/amd64/conf/Makefile.amd64 b/sys/arch/amd64/conf/Makefile.amd64
index 6117a92a0f9..3aee5b4a1d1 100644
--- a/sys/arch/amd64/conf/Makefile.amd64
+++ b/sys/arch/amd64/conf/Makefile.amd64
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.amd64,v 1.129 2023/01/01 01:34:33 jsg Exp $
+# $OpenBSD: Makefile.amd64,v 1.130 2023/04/16 23:57:59 deraadt Exp $
 
 # For instructions on building kernels consult the config(8) and options(4)
 # manual pages.
@@ -69,8 +69,10 @@ CMACHFLAGS+= -msave-args
 SORTR= cat
 COPTIMIZE= -Oz
 .if ${COMPILER_VERSION:Mclang}
-CMACHFLAGS+= -mno-retpoline
+CMACHFLAGS+= -mno-retpoline -fcf-protection=branch
 .endif
+.else
+CMACHFLAGS+= -fcf-protection=branch
 .endif
 .if ${COMPILER_VERSION:Mclang}
 NO_INTEGR_AS= -no-integrated-as
-- 
2.20.1
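Review bot: The clang line in the first branch of the second hunk adds `-fcf-protection=branch`, while the commit message says ramdisks are to be built with `-fcf-protection=none`. The `SORTR= cat` and `COPTIMIZE= -Oz` context suggests this is the ramdisk (small kernel) branch, though its opening `.if` lies outside the hunk; if so, the line should presumably read `CMACHFLAGS+= -mno-retpoline -fcf-protection=none`. The new `.else` branch also sits outside any `.if ${COMPILER_VERSION:Mclang}` guard, so a non-clang compiler would receive the flag too; confirm that is intended. A short comment above the `.else` line would help, for example `# emit endbr64 at indirect-branch targets; enforcement still depends on the kernel enabling IBT on the CPU`.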