diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5
index 88df18b3142..4d48edff3c8 100644
--- a/share/man/man5/src.conf.5
+++ b/share/man/man5/src.conf.5
@@ -1,5 +1,5 @@
 .\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman.
-.Dd November 22, 2024
+.Dd January 22, 2025
 .Dt SRC.CONF 5
 .Os
 .Sh NAME
@@ -1856,6 +1856,11 @@ Build without support for the IEEE 802.1X protocol
 and without support for EAP-PEAP, EAP-TLS, EAP-LEAP, and EAP-TTLS protocols (usable only via 802.1X).
+.It Va WITH_ZEROREGS
+Build the basesystem with code to zero caller-used register contents
+on function return.
+This prevents leaking temporary values for side channel attacks.
+Additionally this reduces the number of usable ROP gadgets for attackers.
 .It Va WITHOUT_ZFS
 Do not build the ZFS file system kernel module, libraries such as
 .Xr libbe 3 ,
diff --git a/share/mk/bsd.compiler.mk b/share/mk/bsd.compiler.mk
index fd236b2e6b8..bf6ef3956d7 100644
--- a/share/mk/bsd.compiler.mk
+++ b/share/mk/bsd.compiler.mk
@@ -24,6 +24,7 @@
 # - retpoline: supports the retpoline speculative execution vulnerability
 # mitigation.
 # - init-all: supports stack variable initialization.
+# - zeroregs: supports zeroing used registers on return
 # - aarch64-sha512: supports the AArch64 sha512 intrinsic functions.
 #
 # When bootstrapping on macOS, 'apple-clang' will be set in COMPILER_FEATURES
@@ -263,6 +264,11 @@ ${X_}COMPILER_FEATURES+= compressed-debug
 ${X_}COMPILER_FEATURES+= fileprefixmap
 .endif
+.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \
+ (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000)
+${X_}COMPILER_FEATURES+= zeroregs
+.endif
+
 .if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 130000) || \
 (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 90000)
 # AArch64 sha512 intrinsics are supported (and have been tested) in 
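Review bot: The new `.if` block advertises zeroregs from compiler version alone (clang >= 150000, gcc >= 110000), yet `-fzero-call-used-regs` is, as far as I know, implemented per target backend in both compilers, so on an architecture without backend support the feature is still announced and bsd.lib.mk/bsd.prog.mk then append an option the compiler rejects. Consider narrowing the test by MACHINE_CPUARCH to the targets actually verified, or at least recording which ones were, since the feature list at the top of the file gives no such caveat. The block also lacks the explanatory comment its neighbour carries ("# AArch64 sha512 intrinsics are supported (and have been tested) in ..."); something like `# -fzero-call-used-regs: accepted by clang >= 15 and gcc >= 11; backend support is per-target` would do.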
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
index d669dccdc26..cf4140d0b3e 100644
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -118,6 +118,15 @@ CXXFLAGS+= -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-cl
 .endif
 .endif
+# Zero used registers on return (mitigate some ROP)
+.if ${MK_ZEROREGS} != "no"
+.if ${COMPILER_FEATURES:Mzeroregs}
+ZEROREG_TYPE?= used
+CFLAGS+= -fzero-call-used-regs=${ZEROREG_TYPE}
+CXXFLAGS+= -fzero-call-used-regs=${ZEROREG_TYPE}
+.endif
+.endif
+
 # bsd.sanitizer.mk is not installed, so don't require it (e.g. for ports).
 .sinclude "bsd.sanitizer.mk"
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
index c05de9b079c..f79c5bc61a2 100644
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -81,7 +81,8 @@ __DEFAULT_NO_OPTIONS = \
 RETPOLINE \
 STALE_STAGED \
 UBSAN \
- UNDEFINED_VERSION
+ UNDEFINED_VERSION \
+ ZEROREGS
 __DEFAULT_DEPENDENT_OPTIONS = \
 MAKE_CHECK_USE_SANDBOX/TESTS \
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
index 89534b21d0e..1894a8b938d 100644
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -90,6 +90,15 @@ CXXFLAGS+= -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-cl
 .endif
 .endif
+# Zero used registers on return (mitigate some ROP)
+.if ${MK_ZEROREGS} != "no"
+.if ${COMPILER_FEATURES:Mzeroregs}
+ZEROREG_TYPE?= used
+CFLAGS+= -fzero-call-used-regs=${ZEROREG_TYPE}
+CXXFLAGS+= -fzero-call-used-regs=${ZEROREG_TYPE}
+.endif
+.endif
+
 # bsd.sanitizer.mk is not installed, so don't require it (e.g. for ports).
 .sinclude "bsd.sanitizer.mk"
diff --git a/stand/defs.mk b/stand/defs.mk
index fa3c89a4c3c..f39966f2ca8 100644
--- a/stand/defs.mk
+++ b/stand/defs.mk
@@ -11,6 +11,7 @@ FORTIFY_SOURCE= 0
 MK_CTF= no
 MK_SSP= no
 MK_PIE= no
+MK_ZEROREGS= no
 MAN=
 .if !defined(PIC)
 NO_PIC=
diff --git a/tools/build/options/WITHOUT_ZEROREGS b/tools/build/options/WITHOUT_ZEROREGS
new file mode 100644
index 00000000000..edaf5fd8d6c
--- /dev/null 
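Review bot: `ZEROREG_TYPE?= used` introduces a tunable that is neither documented (src.conf.5 in this commit only describes WITH_ZEROREGS) nor validated, so a mistyped value surfaces only as a compiler error on every object. Consider documenting it beside the option and failing early, e.g. `.if empty(ZEROREG_TYPE:Mused) && empty(ZEROREG_TYPE:Mall)` followed by `.error Unsupported ZEROREG_TYPE: ${ZEROREG_TYPE}`, widening the match list to whichever variants are meant to be supported. The same nine-line block is repeated verbatim in the bsd.prog.mk hunk below; a single shared definition would keep the two from drifting apart. The comment could also state the mitigation's scope so nobody over-trusts it, e.g. `# Only affects C/C++ compiled with these flags; assembly and externally built objects are unchanged`.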
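Review bot: `MK_ZEROREGS= no` opts the boot loader out without saying why, and unlike the neighbouring MK_SSP/MK_PIE lines the reason is not self-evident (code size, an untested loader target, or something else). A one-line comment recording the actual motivation would let a future reader judge whether the exclusion can be lifted, e.g. `# -fzero-call-used-regs is kept off in the loader: <reason>` with the placeholder filled in.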
+++ b/tools/build/options/WITHOUT_ZEROREGS
@@ -0,0 +1,2 @@
+Do not build build the basesystem with code to zero caller-used register
+contents on function return.
diff --git a/tools/build/options/WITH_ZEROREGS b/tools/build/options/WITH_ZEROREGS
new file mode 100644
index 00000000000..1fc4b856bd5
--- /dev/null
+++ b/tools/build/options/WITH_ZEROREGS
@@ -0,0 +1,4 @@
+Build the basesystem with code to zero caller-used register contents
+on function return.
+This prevents leaking temporary values for side channel attacks.
+Additionally this reduces the number of usable ROP gadgets for attackers.