golang: Add option to enable Spectre mitigations

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

lang/golang/golang-package.mk

@@ -155,6 +155,14 @@ ifdef CONFIG_PKG_ASLR_PIE_REGULAR
   endif
 endif
 
+ifdef CONFIG_GOLANG_SPECTRE
+  ifeq ($(GO_TARGET_SPECTRE_SUPPORTED),1)
+    GO_PKG_ENABLE_SPECTRE:=1
+  else
+    $(warning Spectre mitigations are not supported for $(GO_ARCH))
+  endif
+endif
+
 # sstrip causes corrupted section header size
 ifneq ($(CONFIG_USE_SSTRIP),)
   ifneq ($(CONFIG_DEBUG),)
@@ -211,6 +219,12 @@ GO_PKG_VARS= \
 	$(GO_PKG_TARGET_VARS) \
 	$(GO_PKG_BUILD_VARS)
 
+GO_PKG_DEFAULT_GCFLAGS= \
+	$(if $(GO_PKG_ENABLE_SPECTRE),-spectre all)
+
+GO_PKG_DEFAULT_ASMFLAGS= \
+	$(if $(GO_PKG_ENABLE_SPECTRE),-spectre all)
+
 GO_PKG_DEFAULT_LDFLAGS= \
 	-buildid '$(SOURCE_DATE_EPOCH)' \
 	-linkmode external \
@@ -224,11 +238,13 @@ GO_PKG_INSTALL_ARGS= \
 	-v \
 	-trimpath \
 	-ldflags "all=$(GO_PKG_DEFAULT_LDFLAGS)" \
+	$(if $(GO_PKG_DEFAULT_GCFLAGS),-gcflags "all=$(GO_PKG_DEFAULT_GCFLAGS)") \
+	$(if $(GO_PKG_DEFAULT_ASMFLAGS),-asmflags "all=$(GO_PKG_DEFAULT_ASMFLAGS)") \
 	$(if $(filter $(GO_PKG_ENABLE_PIE),1),-buildmode pie) \
 	$(if $(filter $(GO_ARCH),arm),-installsuffix "v$(GO_ARM)") \
 	$(if $(filter $(GO_ARCH),mips mipsle),-installsuffix "$(GO_MIPS)") \
 	$(if $(filter $(GO_ARCH),mips64 mips64le),-installsuffix "$(GO_MIPS64)") \
-	$(if $(GO_PKG_GCFLAGS),-gcflags "$(GO_PKG_GCFLAGS)") \
+	$(if $(GO_PKG_GCFLAGS),-gcflags "$(GO_PKG_GCFLAGS) $(GO_PKG_DEFAULT_GCFLAGS)") \
 	$(if $(GO_PKG_CUSTOM_LDFLAGS),-ldflags "$(GO_PKG_CUSTOM_LDFLAGS) $(GO_PKG_DEFAULT_LDFLAGS)") \
 	$(if $(GO_PKG_TAGS),-tags "$(GO_PKG_TAGS)")
 
@@ -271,6 +287,10 @@ endef
 
 
 ifneq ($(strip $(GO_PKG)),)
+  ifeq ($(GO_TARGET_SPECTRE_SUPPORTED),1)
+    PKG_CONFIG_DEPENDS+=CONFIG_GOLANG_SPECTRE
+  endif
+
   Build/Configure=$(call GoPackage/Build/Configure)
   Build/Compile=$(call GoPackage/Build/Compile)
   Hooks/Compile/Post+=Go/CacheCleanup

lang/golang/golang-values.mk

@@ -221,6 +221,19 @@ ifneq ($(filter $(GO_OS_ARCH),$(GO_PIE_SUPPORTED_OS_ARCH)),)
 endif
 
 
+# Spectre mitigations
+
+GO_SPECTRE_SUPPORTED_ARCH:=amd64
+
+ifneq ($(filter $(GO_HOST_ARCH),$(GO_SPECTRE_SUPPORTED_ARCH)),)
+  GO_HOST_SPECTRE_SUPPORTED:=1
+endif
+
+ifneq ($(filter $(GO_ARCH),$(GO_SPECTRE_SUPPORTED_ARCH)),)
+  GO_TARGET_SPECTRE_SUPPORTED:=1
+endif
+
+
 # General build info
 
 GO_BUILD_CACHE_DIR:=$(or $(call qstrip,$(CONFIG_GOLANG_BUILD_CACHE_DIR)),$(TOPDIR)/.go-build)

lang/golang/golang/Config.in

@@ -23,4 +23,11 @@ config GOLANG_MOD_CACHE_WORLD_READABLE
 	bool "Ensure Go module cache is world-readable"
 	default n
 
+config GOLANG_SPECTRE
+	bool "Enable Spectre mitigations"
+	default n
+	depends on x86_64
+	help
+	  Currently only available for x86-64 (amd64).
+
 endmenu

lang/golang/golang/Makefile

@@ -96,6 +96,10 @@ BOOTSTRAP_UNPACK:=$(HOST_TAR) -C "$(BOOTSTRAP_BUILD_DIR)" --strip-components=1 -
 RSTRIP:=:
 STRIP:=:
 
+ifeq ($(GO_TARGET_SPECTRE_SUPPORTED),1)
+  PKG_CONFIG_DEPENDS+=CONFIG_GOLANG_SPECTRE
+endif
+
 define Package/golang/Default
 $(call GoPackage/GoSubMenu)
   TITLE:=Go programming language
@@ -269,6 +273,12 @@ PKG_GO_VARS= \
 	PKG_CONFIG=pkg-config \
 	PATH="$(HOST_GO_ROOT)/openwrt:$$$$PATH"
 
+PKG_GO_GCFLAGS= \
+	$(if $(GO_PKG_ENABLE_SPECTRE),-spectre all)
+
+PKG_GO_ASMFLAGS= \
+	$(if $(GO_PKG_ENABLE_SPECTRE),-spectre all)
+
 PKG_GO_LDFLAGS= \
 	-buildid '$(SOURCE_DATE_EPOCH)' \
 	-linkmode external \
@@ -280,6 +290,8 @@ PKG_GO_LDFLAGS= \
 # static / not dependent on the build environment
 PKG_GO_INSTALL_ARGS= \
 	-ldflags "all=$(PKG_GO_LDFLAGS)" \
+	$(if $(PKG_GO_GCFLAGS),-gcflags "all=$(PKG_GO_GCFLAGS)") \
+	$(if $(PKG_GO_ASMFLAGS),-asmflags "all=$(PKG_GO_ASMFLAGS)") \
 	$(if $(filter $(GO_PKG_ENABLE_PIE),1),-buildmode pie)
 
 define Build/Compile