diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5
--- a/share/man/man5/src.conf.5
+++ b/share/man/man5/src.conf.5
@@ -1,5 +1,5 @@
 .\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman.
-.Dd November 22, 2024
+.Dd January 8, 2025
 .Dt SRC.CONF 5
 .Os
 .Sh NAME
@@ -1862,6 +1862,11 @@
 without support for the IEEE 802.1X protocol and without support for
 EAP-PEAP, EAP-TLS, EAP-LEAP, and EAP-TTLS protocols (usable only via
 802.1X).
+.It Va WITH_ZEROREGS
+Build the basesystem with code to zero caller-used register contents
+on function return.
+This prevents leaking temporary values for side channel attacks.
+Additionally this reduces the number of usable ROP gadgets for attackers.
 .It Va WITHOUT_ZFS
 Do not build the ZFS file system kernel module, libraries such as
 .Xr libbe 3 ,
diff --git a/share/mk/bsd.compiler.mk b/share/mk/bsd.compiler.mk
--- a/share/mk/bsd.compiler.mk
+++ b/share/mk/bsd.compiler.mk
@@ -24,6 +24,7 @@
 # - retpoline: supports the retpoline speculative execution vulnerability
 # mitigation.
 # - init-all: supports stack variable initialization.
+# - zeroregs: supports zeroing used registers on return
 # - aarch64-sha512: supports the AArch64 sha512 intrinsic functions.
 #
 # When bootstrapping on macOS, 'apple-clang' will be set in COMPILER_FEATURES
@@ -263,6 +264,11 @@
 ${X_}COMPILER_FEATURES+= fileprefixmap
 .endif
 
+.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \
+ (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000)
+${X_}COMPILER_FEATURES+= zeroregs
+.endif
+
 .if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 130000) || \
 (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 90000)
 # AArch64 sha512 intrinsics are supported (and have been tested) in
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
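Review bot: The zeroregs feature in the second bsd.compiler.mk hunk is derived from compiler version alone (clang >= 15, gcc >= 11), but `-fzero-call-used-regs` is implemented per backend, so a compiler that passes this check may still reject the flag on an architecture its backend does not cover, and that failure would surface later, where bsd.lib.mk and bsd.prog.mk append the flag, rather than here. If not every architecture the tree builds for is covered by both compilers at those versions, gating the feature on the target architecture as well (`${MACHINE_CPUARCH}`, if it is in scope here) or probing the flag once would keep WITH_ZEROREGS from breaking those builds. A short comment above the new `.if` recording where the thresholds come from would also help the next reader, e.g. `# -fzero-call-used-regs: clang 15+, gcc 11+; backend support varies per target`.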
@@ -118,6 +118,15 @@
 .endif
 .endif
 
+# Zero used registers on return (mitigate some ROP)
+.if ${MK_ZEROREGS} != "no"
+.if ${COMPILER_FEATURES:Mzeroregs}
+ZEROREG_TYPE?= used
+CFLAGS+= -fzero-call-used-regs=${ZEROREG_TYPE}
+CXXFLAGS+= -fzero-call-used-regs=${ZEROREG_TYPE}
+.endif
+.endif
+
 # bsd.sanitizer.mk is not installed, so don't require it (e.g. for ports).
 .sinclude "bsd.sanitizer.mk"
 
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -81,7 +81,8 @@
 RETPOLINE \
 STALE_STAGED \
 UBSAN \
-UNDEFINED_VERSION
+UNDEFINED_VERSION \
+ZEROREGS
 
 __DEFAULT_DEPENDENT_OPTIONS = \
 MAKE_CHECK_USE_SANDBOX/TESTS \
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -90,6 +90,15 @@
 .endif
 .endif
 
+# Zero used registers on return (mitigate some ROP)
+.if ${MK_ZEROREGS} != "no"
+.if ${COMPILER_FEATURES:Mzeroregs}
+ZEROREG_TYPE?= used
+CFLAGS+= -fzero-call-used-regs=${ZEROREG_TYPE}
+CXXFLAGS+= -fzero-call-used-regs=${ZEROREG_TYPE}
+.endif
+.endif
+
 # bsd.sanitizer.mk is not installed, so don't require it (e.g. for ports).
 .sinclude "bsd.sanitizer.mk"
 
diff --git a/stand/defs.mk b/stand/defs.mk
--- a/stand/defs.mk
+++ b/stand/defs.mk
@@ -11,6 +11,7 @@
 MK_CTF= no
 MK_SSP= no
 MK_PIE= no
+MK_ZEROREGS= no
 MAN=
 .if !defined(PIC)
 NO_PIC=
diff --git a/tools/build/options/WITHOUT_ZEROREGS b/tools/build/options/WITHOUT_ZEROREGS
new file mode 100644
--- /dev/null
+++ b/tools/build/options/WITHOUT_ZEROREGS
@@ -0,0 +1,2 @@
+Do not build build the basesystem with code to zero caller-used register
+contents on function return.
diff --git a/tools/build/options/WITH_ZEROREGS b/tools/build/options/WITH_ZEROREGS
new file mode 100644
--- /dev/null
+++ b/tools/build/options/WITH_ZEROREGS
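Review bot: The block added in this bsd.lib.mk hunk is repeated verbatim in the bsd.prog.mk hunk below; keeping a single copy in a file both already include would stop the two from drifting, for instance if the `ZEROREG_TYPE` default or the feature name changes. When `MK_ZEROREGS` is enabled but `COMPILER_FEATURES` lacks `zeroregs`, the inner `.if` silently drops the flag, so a WITH_ZEROREGS build can complete without the mitigation and nothing reports it; an `.else` branch with `.warning ZEROREGS requested but the compiler does not support -fzero-call-used-regs` would make that visible. The `?=` on `ZEROREG_TYPE` accepts any value unchecked, so a misspelling only fails deep inside the first compile; a comment next to the default naming the accepted values (`used`, `used-gpr`, `all-gpr`, `all`, among others) would help users who override it. The two leading `.endif` context lines close conditionals that begin above this hunk.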
@@ -0,0 +1,4 @@
+Build the basesystem with code to zero caller-used register contents
+on function return.
+This prevents leaking temporary values for side channel attacks.
+Additionally this reduces the number of usable ROP gadgets for attackers.