Add option to clear caller-used registers on function return.

The WITH_ZEROREGS option for src.conf will zero caller-used register
contents just before returning from a function, ensuring that
tempo

Add option to clear caller-used registers on function return.

The WITH_ZEROREGS option for src.conf will zero caller-used register
contents just before returning from a function, ensuring that
temporary values are not leaked beyond the function boundary. This
means that register contents are less likely to be available for side
channel attacks and information exposures.

It reduces all except 1 of the simple "write-what-where" ROP gadgets in
/lib:
grep "Gadget found" /tmp/before_lib* | wc -l
197
grep "Gadget found" /tmp/after_lib* | wc -l
1
grep "Gadget found" /tmp/after_lib*
/tmp/after_libbsdxml.so.4.txt: [+] Gadget found: 0x1b3f1 mov qword ptr [rdi], rcx ; pop rbp ; ret

To reproduce:
for lib in *.so.*; do
echo $lib:
ROPgadget --ropchain --binary /tmp/be_mount.Sx87/lib/$lib | sed -n '/Step 1/,/Step 2/p' >! /tmp/before_$lib.txt
ROPgadget --ropchain --binary $lib | sed -n '/Step 1/,/Step 2/p' >! /tmp/after_$lib.txt
done

Additionally, in some cases this reduces the number of all ROP gadgets
(quick check with /libs only):
libalias.so.7: reduction 10.000%
libavl.so.2: reduction 13.900%
libbsdxml.so.4: reduction 37.500%
libc.so.7: reduction 10.000%
libc++.so.1: reduction 14.800%
libcam.so.7: reduction 50.700%
libcap_netdb.so.1: reduction 5.800%
libcasper.so.1: reduction 14.600%
libcrypto.so.30: reduction 7.500%
libdtrace.so.2: reduction 3.900%
libelf.so.2: reduction 15.800%
libgcc_s.so.1: reduction 32.700%
libibverbs.so.1: reduction 5.300%
libicp.so.3: reduction 2.100%
libipt.so.0: reduction 28.200%
libirdma.so.1: reduction 1.600%
libkiconv.so.4: reduction 0%
libm.so.5: reduction 21.900%
libmd.so.6: reduction 0%
libmd.so.7: reduction 3.100%
libncursesw.so.9: reduction 11.200%
libnvpair.so.2: reduction 40.200%
libpcap.so.8: reduction 11.400%
libpjdlog.so.0: reduction 27.400%
libsbuf.so.6: reduction 2.900%
libspl.so.2: reduction 42.300%
libsys.so.7: reduction 2.700%
libthr.so.3: reduction 21.000%
libuutil.so.2: reduction 13.100%
libz.so.6: reduction 5.600%
libzpool.so.2: reduction 15.100%

In some cases it adds some ROP gadgets despite removing the simple ROP
gadgets:
lib80211.so.1: reduction -32.700%
libbe.so.1: reduction -22.300%
libbegemot.so.4: reduction -20.500%
libcap_dns.so.2: reduction -58.000%
libcap_fileargs.so.1: reduction -28.200%
libcap_grp.so.1: reduction -54.000%
libcap_net.so.1: reduction -28.800%
libcap_pwd.so.1: reduction -38.800%
libcap_sysctl.so.2: reduction -71.100%
libcap_syslog.so.1: reduction -15.000%
libcrypt.so.5: reduction -14.600%
libctf.so.2: reduction -.300%
libcxxrt.so.1: reduction -14.000%
libdevstat.so.7: reduction -1.600%
libedit.so.8: reduction -4.200%
libgeom.so.5: reduction -16.500%
libicp_rescue.so.3: reduction -2.300%
libipsec.so.4: reduction -31.800%
libjail.so.1: reduction -21.700%
libkvm.so.7: reduction -5.300%
libmlx5.so.1: reduction -6.300%
libmt.so.5: reduction -23.000%
libnv.so.1: reduction -.400%
librss.so.1: reduction -3.800%
librt.so.1: reduction -24.000%
libssp.so.0: reduction -21.100%
libstats.so.0: reduction -9.000%
libtinfow.so.9: reduction -3.500%
libtpool.so.2: reduction -36.500%
libufs.so.8: reduction -11.900%
libulog.so.0: reduction -67.400%
libumem.so.2: reduction -2.000%
libutil.so.9: reduction -7.200%
libxo.so.0: reduction -9.000%
libzdb.so.2: reduction -11.700%
libzfs_core.so.2: reduction -17.700%
libzfs.so.4: reduction -.300%
libzfsbootenv.so.1: reduction -26.900%
libzutil.so.2: reduction -5.600%

To reproduce:
for lib in *.so.*; do
echo -n $lib:
before="$(ROPgadget --nosys --nojop --binary /tmp/be_mount.Sx87/lib/$lib | tail -n1 | cut -d : -f 2)"
after="$(ROPgadget --nosys --nojop --binary $lib | tail -n1 | cut -d : -f 2)"
echo " reduction" $(bc -S 3 -e "(1-${after}/${before})*100")%
done >/tmp/reduction.txt

Most of the time the size difference is very small (<1% for >50% of the
files and >10% for only 2 files):
lib80211.so.1: size change .100%
libalias.so.7: size change 0%
libavl.so.2: size change 0%
libbe.so.1: size change .100%
libbegemot.so.4: size change .100%
libbsdxml.so.4: size change 0%
libc.so.7: size change 1.200%
libc++.so.1: size change 1.600%
libcam.so.7: size change 1.900%
libcap_dns.so.2: size change .100%
libcap_fileargs.so.1: size change .100%
libcap_grp.so.1: size change .100%
libcap_net.so.1: size change .100%
libcap_netdb.so.1: size change .100%
libcap_pwd.so.1: size change .100%
libcap_sysctl.so.2: size change .100%
libcap_syslog.so.1: size change .100%
libcasper.so.1: size change 0%
libcrypt.so.5: size change 3.900%
libcrypto.so.30: size change 1.400%
libctf.so.2: size change .100%
libcxxrt.so.1: size change .100%
libdevstat.so.7: size change 15.400% exceptional
libdtrace.so.2: size change .600%
libedit.so.8: size change 1.800%
libelf.so.2: size change .100%
libgcc_s.so.1: size change 3.000%
libgeom.so.5: size change 0%
libibverbs.so.1: size change .100%
libicp_rescue.so.3: size change .100%
libicp.so.3: size change 1.500%
libipsec.so.4: size change .100%
libipt.so.0: size change 3.100%
libirdma.so.1: size change .100%
libjail.so.1: size change .100%
libkiconv.so.4: size change .100%
libkvm.so.7: size change .100%
libm.so.5: size change 1.700%
libmd.so.6: size change 0%
libmd.so.7: size change .100%
libmlx5.so.1: size change 0%
libmt.so.5: size change .100%
libncursesw.so.9: size change 1.900%
libnv.so.1: size change 4.300%
libnvpair.so.2: size change 4.300%
libpcap.so.8: size change 1.200%
libpjdlog.so.0: size change .100%
librss.so.1: size change .200%
librt.so.1: size change .100%
libsbuf.so.6: size change .100%
libspl.so.2: size change 0%
libssp.so.0: size change .100%
libstats.so.0: size change .100%
libsys.so.7: size change .100%
libthr.so.3: size change 2.400%
libtinfow.so.9: size change 1.600%
libtpool.so.2: size change .100%
libufs.so.8: size change .100%
libulog.so.0: size change .100%
libumem.so.2: size change 54.300% exceptional
libutil.so.9: size change .100%
libuutil.so.2: size change .100%
libxo.so.0: size change .100%
libz.so.6: size change .100%
libzdb.so.2: size change .300%
libzfs_core.so.2: size change .100%
libzfs.so.4: size change 2.000%
libzfsbootenv.so.1: size change .100%
libzpool.so.2: size change 1.200%
libzutil.so.2: size change 0%

show more ...

Retire MK_PROFILE infrastructure

It was disabled by default in fe52b7f60ef4. We planned to (but did not)
remove the option before FreeBSD 14. Remove it now, for FreeBSD 15.

Relnotes: Yes
Reviewed

Retire MK_PROFILE infrastructure

It was disabled by default in fe52b7f60ef4. We planned to (but did not)
remove the option before FreeBSD 14. Remove it now, for FreeBSD 15.

Relnotes: Yes
Reviewed by: imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31558

show more ...

share/mk: Remove armv6 support

It is being removed from the tree. Remove the build infrastructure to
configure armv6 builds.

Reviewed by: manu, imp, emaste
Sponsored by: Arm Ltd
Differential Revisi

share/mk: Remove armv6 support

It is being removed from the tree. Remove the build infrastructure to
configure armv6 builds.

Reviewed by: manu, imp, emaste
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D45643

show more ...

arm64: Allow userspace to be built with PAC and BTI

Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used
to enable the use of pointer authentication (FEAT_PAuth) and branch
target id

arm64: Allow userspace to be built with PAC and BTI

Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used
to enable the use of pointer authentication (FEAT_PAuth) and branch
target identification (FEAT_BTI) in userspace.

The kernel already handles both of these is userspace, we just need
to enable it.

Leave disabled for a short period for this to settle before enabling.

Reviewed by: emaste
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D42596

show more ...

Make WITHOUT_UNDEFINED_VERSION the default

Link with --no-undefined-version by default. Will detect and prevent
the accidental removal of symbols from versioned libraries.

(cherry picked from comm

Make WITHOUT_UNDEFINED_VERSION the default

Link with --no-undefined-version by default. Will detect and prevent
the accidental removal of symbols from versioned libraries.

(cherry picked from commit 4510f2ca9170927309a423274e03f1eb8e27da27)
This reverts commit b25ceb97eddcd58cfb2b433fe301ab28c678c249.

Reviewed by: arichardson, kib, dim, emaste
Differential Revision: https://reviews.freebsd.org/D44216

show more ...

Revert "Make WITHOUT_UNDEFINED_VERSION the default"

This is causing failures on gcc13 CI builds so those need to be fixed
or worked around.

This reverts commit 4510f2ca9170927309a423274e03f1eb8e27d

Revert "Make WITHOUT_UNDEFINED_VERSION the default"

This is causing failures on gcc13 CI builds so those need to be fixed
or worked around.

This reverts commit 4510f2ca9170927309a423274e03f1eb8e27da27.

show more ...

Make WITHOUT_UNDEFINED_VERSION the default

Link with --no-undefined-version by default. Will detect and prevent
the accidental removal of symbols from versioned libraries.

Reviewed by: arichardson

Make WITHOUT_UNDEFINED_VERSION the default

Link with --no-undefined-version by default. Will detect and prevent
the accidental removal of symbols from versioned libraries.

Reviewed by: arichardson, kib, dim, emaste
Differential Revision: https://reviews.freebsd.org/D44216

show more ...

bsd.opts.mk: drop transtion aid for NO_* options

Setting NO_CTF, NO_DEBUG_FILES, NO_INSTALLLIB, NO_MAN, NO_PROFILE,
and NO_WARNS was deprecated in 2014 and made an error prior to the
13.0.0 release

bsd.opts.mk: drop transtion aid for NO_* options

Setting NO_CTF, NO_DEBUG_FILES, NO_INSTALLLIB, NO_MAN, NO_PROFILE,
and NO_WARNS was deprecated in 2014 and made an error prior to the
13.0.0 release in commit d3a5bf95f2013af081607abd91b5175f6eafa563.
Likewise, NO_WERROR was made an error prior to 13.0.0 in commit
7fa2f2a62f04f095e1e27ad55aa22a8f59b1df8f.

Remove this transition aid making these variables no-ops as setting them
will result in an error on all supported releases.

Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D44345

show more ...

Add an UNDEFINED_VERSION option

When enabled (current default) link with --undefined-version to allow
symbol maps to contain symbols not defined by libraries. When disabled,
link with --no-undefine

Add an UNDEFINED_VERSION option

When enabled (current default) link with --undefined-version to allow
symbol maps to contain symbols not defined by libraries. When disabled,
link with --no-undefined-version to disallow these bugs.

WITHOUT_UNDEFINED_VERSION is currently broken. Once it is fixed it
should be made the default and this option should likely be removed.

Reviewed by: dim, emaste
Differential Revision: https://reviews.freebsd.org/D44169

show more ...

pkgbase: Split out manpages by default

This helps with building small container images using pkgbase.

Reviewed by: manu bapt
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D41

pkgbase: Split out manpages by default

This helps with building small container images using pkgbase.

Reviewed by: manu bapt
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D41861

show more ...

Add INIT_ALL build option

This option replaces WITH_INIT_ALL_PATTERN and WITH_INIT_ALL_ZERO with
INIT_ALL=pattern and INIT_ALL=zero respectively. As these are
relatively rarely used options no back

Add INIT_ALL build option

This option replaces WITH_INIT_ALL_PATTERN and WITH_INIT_ALL_ZERO with
INIT_ALL=pattern and INIT_ALL=zero respectively. As these are
relatively rarely used options no backwards compatibility is
implemented.

Reviewed by: emaste
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D41675

show more ...

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

Add some more local.*.mk includes

These facilitate customizing the build with minimal churn.

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.

Add some more local.*.mk includes

These facilitate customizing the build with minimal churn.

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D37592

show more ...

Add RELRO build knob, default to enabled

Note that lld enables relro by default, so that we already had either
partial or full RELRO, depending on the state of the BIND_NOW knob.

Add a RELRO knob s

Add RELRO build knob, default to enabled

Note that lld enables relro by default, so that we already had either
partial or full RELRO, depending on the state of the BIND_NOW knob.

Add a RELRO knob so that the option can be disabled if desired, and so
that builds using the GNU toolchain are equivalent to those using the
standard Clang/LLVM toolchain.

Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35545

show more ...

Remove more quotes around Makefile .error/.warn/.info strings.

Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D34175

bsd.opts.mk: Remove mips support

We don't need to list all the 32-bit mips variants here anymore.

Sponsored by: Netflix

Add clarifying comments

Expand on the terse comments for where each of these files is used.

Reviewed by: emaste
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D33716

Disable PROFILE option by default

Hardware based profiling (e.g. hwpmc) is much better and produces more
useful results. Today the profiling lib archives (_p.a) serve no real
purpose other than inc

Disable PROFILE option by default

Hardware based profiling (e.g. hwpmc) is much better and produces more
useful results. Today the profiling lib archives (_p.a) serve no real
purpose other than increasing the library build time.

Both upstream and base system (in commit b762974cf4b9) Clang have been
modified to remove the special case for linking against these libraries.

Clang's -pg support and mcount() remain, so building with -pg can still
be used on code that the user builds; we just no longer provide prebuilt
libraries compiled with -pg.

Discussed on freebsd-hackers[1] / freebsd-current [2] in 2020 and
freebsd-arch [3] in 2021. A deprecation notice was added in
commit 175841285e28.

[1] https://lists.freebsd.org/pipermail/freebsd-hackers/2020-January/055551.html
[2] https://lists.freebsd.org/pipermail/freebsd-current/2020-January/075105.html
[3] https://lists.freebsd.org/archives/freebsd-arch/2021-June/000016.html

PR: 256873 [exp-run]
Reviewed by: imp, jhb, kib
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30833

show more ...

Add build system support for ASAN+UBSAN instrumentation

This adds two new options WITH_ASAN/WITH_UBSAN that can be set to
enable instrumentation of all binaries with AddressSanitizer and/or
Undefine

Add build system support for ASAN+UBSAN instrumentation

This adds two new options WITH_ASAN/WITH_UBSAN that can be set to
enable instrumentation of all binaries with AddressSanitizer and/or
UndefinedBehaviourSanitizer. This current patch is almost sufficient
to get a complete buildworld with sanitizer instrumentation but in
order to actually build and boot a system it depends on a few more
follow-up commits.

Reviewed By: brooks, kib, markj
Differential Revision: https://reviews.freebsd.org/D31043

show more ...

pkgbase: Fix building out-of-tree manual pages

c7e6cb9e08d6 introduced MK_MANSPLITPKG but it was not available for
building out-of-tree manual pages. For example, x11/nvidia-driver fails
with the f

pkgbase: Fix building out-of-tree manual pages

c7e6cb9e08d6 introduced MK_MANSPLITPKG but it was not available for
building out-of-tree manual pages. For example, x11/nvidia-driver fails
with the following error:

===> doc (all)
make[3]: "/usr/share/mk/bsd.man.mk" line 53: Malformed conditional (${MK_MANSPLITPKG} == "no")
make[3]: Fatal errors encountered -- cannot continue

Move the definition from src.opts.mk to bsd.opts.mk to make it visible.

show more ...

Enable PIE by default on 64-bit architectures

This patch adds Position Independent Executables (PIE)
flags for building OS. It allows to enable the ASLR
feature based only on the sysctl knobs, witho

Enable PIE by default on 64-bit architectures

This patch adds Position Independent Executables (PIE)
flags for building OS. It allows to enable the ASLR
feature based only on the sysctl knobs, without
need to rebuild the image. Tests showed that
no problems with stability / performance degradation
were seen when using PIEs with ASLR disabled.

The change is limited only for 64-bit architectures.

Use bsd.opts.mk instead of the src.opts.mk in order
to satisfy all build dependencies related to MK_PIE.

Reviewed by: emaste, imp
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D28328

show more ...

Rename NO_WERROR -> MK_WERROR=no

As suggested in D27598. This also supports MK_WERROR.clang=no and
MK_WERROR.gcc=no to support the existing NO_WERROR.<compiler> uses.

Reviewed By: brooks
Differenti

Rename NO_WERROR -> MK_WERROR=no

As suggested in D27598. This also supports MK_WERROR.clang=no and
MK_WERROR.gcc=no to support the existing NO_WERROR.<compiler> uses.

Reviewed By: brooks
Differential Revision: https://reviews.freebsd.org/D27601

show more ...

Fix `make makeman` after r367577

WITH_INIT_ALL_ZERO and WITH_INIT_ALL_PATTERN are mutually exclusive.
The .error when they were both set broke makeman so demote it to a
warning (and presumably the c

Fix `make makeman` after r367577

WITH_INIT_ALL_ZERO and WITH_INIT_ALL_PATTERN are mutually exclusive.
The .error when they were both set broke makeman so demote it to a
warning (and presumably the compiler will fail on an error later on).

We could improve this to make one take precedence but this is sufficient
for now.

MFC with: r367577
Sponsored by: The FreeBSD Foundation

show more ...

Support initializing stack variables on function entry

There are two options:
- WITH_INIT_ALL_ZERO: Zero all variables on the stack.
- WITH_INIT_ALL_PATTERN: Initialize variables with well-defined

Support initializing stack variables on function entry

There are two options:
- WITH_INIT_ALL_ZERO: Zero all variables on the stack.
- WITH_INIT_ALL_PATTERN: Initialize variables with well-defined patterns.

The exact pattern are a compiler implementation detail and vary by type.
They are somewhat documented in the LLVM commit message:
https://reviews.llvm.org/rL349442
I've used WITH_INIT_ALL_* to match Microsoft's InitAll feature rather
than naming them after the LLVM specific compiler flags.

In a range of consumer products, options like these are used in
both debug and production builds with debugs builds using patterns
(intended to provoke crashes on use of uninitialized values) and
production using zeros (deemed more likely to lead to harmless
misbehavior or NULL-pointer dereferences).

Reviewed by: emaste
Obtained from: CheriBSD
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D27131

show more ...

Remove the SYMVER build option.

This option was added as a transition aide when symbol versioning was
first added. It was enabled by default in 2007 and is supported even
by the old GPLv2 binutils.

Remove the SYMVER build option.

This option was added as a transition aide when symbol versioning was
first added. It was enabled by default in 2007 and is supported even
by the old GPLv2 binutils. Trying to disable it currently fails to
build in libc and at this point it isn't worth fixing the build.

Reported by: Michael Dexter
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D24637

show more ...