From: "H.J. Lu" <hjl.tools@xxxxxxxxx> When Indirect Branch Tracking (IBT) is enabled, vDSO entry points need ENDBR32/ENDBR64 as first instructions. Kconfig X86_IBT verifies compiler's -fcf-protection support. Update vDso Makefile to enable it. Signed-off-by: H.J. Lu <hjl.tools@xxxxxxxxx> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Andy Lutomirski <luto@xxxxxxxxxx> --- arch/x86/entry/vdso/Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile index 05c4abc2fdfd..a773a5f03b63 100644 --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile @@ -93,6 +93,10 @@ endif $(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) +ifdef CONFIG_X86_IBT +$(vobjs) $(vobjs32): KBUILD_CFLAGS += -fcf-protection=branch +endif + # # vDSO code runs in userspace and -pg doesn't help with profiling anyway. # -- 2.21.0
