Add a conditional to enable retpoline support

Using retpoline in userland code that doesn't run arbitrary code is
questionable to start with.

Linux is also getting SPECTRE v2 userspace-to-userspace protection.

In addition, some platforms have a gcc version that advertises
support for retpolines, but the resulting binaries simply don't work
or cannot be linked.

So, do not enable this by default. Let builders choose if they
really want to enable this in their builds.
This commit is contained in:
Frank Denis 2019-01-04 12:43:47 +01:00
parent 3ab71f873f
commit a01c5f8fd8
2 changed files with 11 additions and 8 deletions

View File

@ -10,7 +10,6 @@ module; fall back to Javascript on these.
counterpart.
- Added a workaround for Visual Studio 2010 bug causing CPU features
not to be detected.
- The library now enables compilation with retpoline by default.
- Portability improvements.
- Test vectors from Project Wycheproof have been added.
- New low-level APIs for arithmetic mod the order of the prime order group:

View File

@ -149,6 +149,17 @@ AC_ARG_WITH(ctgrind,
])
])
AC_ARG_ENABLE(retpoline,
[AS_HELP_STRING(--enable-retpoline,Use return trampolines for indirect calls)],
[AS_IF([test "x$enableval" = "xyes"], [
AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk-inline],
[CFLAGS="$CFLAGS -mindirect-branch=thunk-inline"],
[AX_CHECK_COMPILE_FLAG([-mretpoline], [CFLAGS="$CFLAGS -mretpoline"])]
)
AX_CHECK_COMPILE_FLAG([-mindirect-branch-register])
])
])
ENABLE_CWFLAGS=no
AC_ARG_ENABLE(debug,
[AS_HELP_STRING(--enable-debug,For maintainers only - please do not use)],
@ -197,13 +208,6 @@ AC_CHECK_DEFINE([_FORTIFY_SOURCE], [], [
[CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"])
])
AS_IF([test "x$EMSCRIPTEN" = "x" -a "$host_os" != "pnacl"], [
AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk],
[CFLAGS="$CFLAGS -mindirect-branch=thunk"],
[AX_CHECK_COMPILE_FLAG([-mretpoline], [CFLAGS="$CFLAGS -mretpoline"])]
)
])
AX_CHECK_COMPILE_FLAG([-fvisibility=hidden],
[CFLAGS="$CFLAGS -fvisibility=hidden"])