LLVM 20.0.0git
Macros | Functions | Variables
X86SpeculativeLoadHardening.cpp File Reference

Provide a pass which mitigates speculative execution attacks which operate by speculating incorrectly past some predicate (a type check, bounds check, or other condition) to reach a load with invalid inputs and leak the data accessed by that load using a side channel out of the speculative domain. More...

#include "X86.h"
#include "X86InstrInfo.h"
#include "X86Subtarget.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/SparseBitVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/CodeGen/MachineBasicBlock.h"
#include "llvm/CodeGen/MachineConstantPool.h"
#include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/MachineInstr.h"
#include "llvm/CodeGen/MachineInstrBuilder.h"
#include "llvm/CodeGen/MachineModuleInfo.h"
#include "llvm/CodeGen/MachineOperand.h"
#include "llvm/CodeGen/MachineRegisterInfo.h"
#include "llvm/CodeGen/MachineSSAUpdater.h"
#include "llvm/CodeGen/TargetInstrInfo.h"
#include "llvm/CodeGen/TargetRegisterInfo.h"
#include "llvm/CodeGen/TargetSchedule.h"
#include "llvm/CodeGen/TargetSubtargetInfo.h"
#include "llvm/IR/DebugLoc.h"
#include "llvm/MC/MCSchedule.h"
#include "llvm/Pass.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Target/TargetMachine.h"
#include <cassert>
#include <iterator>
#include <optional>
#include <utility>

Go to the source code of this file.

Macros

#define PASS_KEY   "x86-slh"
 
#define DEBUG_TYPE   PASS_KEY
 

Functions

 STATISTIC (NumCondBranchesTraced, "Number of conditional branches traced")
 
 STATISTIC (NumBranchesUntraced, "Number of branches unable to trace")
 
 STATISTIC (NumAddrRegsHardened, "Number of address mode used registers hardaned")
 
 STATISTIC (NumPostLoadRegsHardened, "Number of post-load register values hardened")
 
 STATISTIC (NumCallsOrJumpsHardened, "Number of calls or jumps requiring extra hardening")
 
 STATISTIC (NumInstsInserted, "Number of instructions inserted")
 
 STATISTIC (NumLFENCEsInserted, "Number of lfence instructions inserted")
 
static MachineBasicBlocksplitEdge (MachineBasicBlock &MBB, MachineBasicBlock &Succ, int SuccCount, MachineInstr *Br, MachineInstr *&UncondBr, const X86InstrInfo &TII)
 
static void canonicalizePHIOperands (MachineFunction &MF)
 Removing duplicate PHI operands to leave the PHI in a canonical and predictable form.
 
static bool hasVulnerableLoad (MachineFunction &MF)
 Helper to scan a function for loads vulnerable to misspeculation that we want to harden.
 
static const TargetRegisterClassgetRegClassForUnfoldedLoad (MachineFunction &MF, const X86InstrInfo &TII, unsigned Opcode)
 Compute the register class for the unfolded load.
 
static bool isEFLAGSDefLive (const MachineInstr &MI)
 
static bool isEFLAGSLive (MachineBasicBlock &MBB, MachineBasicBlock::iterator I, const TargetRegisterInfo &TRI)
 
 INITIALIZE_PASS_BEGIN (X86SpeculativeLoadHardeningPass, PASS_KEY, "X86 speculative load hardener", false, false) INITIALIZE_PASS_END(X86SpeculativeLoadHardeningPass
 

Variables

static cl::opt< boolEnableSpeculativeLoadHardening ("x86-speculative-load-hardening", cl::desc("Force enable speculative load hardening"), cl::init(false), cl::Hidden)
 
static cl::opt< boolHardenEdgesWithLFENCE (PASS_KEY "-lfence", cl::desc("Use LFENCE along each conditional edge to harden against speculative " "loads rather than conditional movs and poisoned pointers."), cl::init(false), cl::Hidden)
 
static cl::opt< boolEnablePostLoadHardening (PASS_KEY "-post-load", cl::desc("Harden the value loaded *after* it is loaded by " "flushing the loaded bits to 1. This is hard to do " "in general but can be done easily for GPRs."), cl::init(true), cl::Hidden)
 
static cl::opt< boolFenceCallAndRet (PASS_KEY "-fence-call-and-ret", cl::desc("Use a full speculation fence to harden both call and ret edges " "rather than a lighter weight mitigation."), cl::init(false), cl::Hidden)
 
static cl::opt< boolHardenInterprocedurally (PASS_KEY "-ip", cl::desc("Harden interprocedurally by passing our state in and out of " "functions in the high bits of the stack pointer."), cl::init(true), cl::Hidden)
 
static cl::opt< boolHardenLoads (PASS_KEY "-loads", cl::desc("Sanitize loads from memory. When disable, no " "significant security is provided."), cl::init(true), cl::Hidden)
 
static cl::opt< boolHardenIndirectCallsAndJumps (PASS_KEY "-indirect", cl::desc("Harden indirect calls and jumps against using speculatively " "stored attacker controlled addresses. This is designed to " "mitigate Spectre v1.2 style attacks."), cl::init(true), cl::Hidden)
 
 PASS_KEY
 
X86 speculative load hardener
 
X86 speculative load false
 

Detailed Description

Provide a pass which mitigates speculative execution attacks which operate by speculating incorrectly past some predicate (a type check, bounds check, or other condition) to reach a load with invalid inputs and leak the data accessed by that load using a side channel out of the speculative domain.

For details on the attacks, see the first variant in both the Project Zero writeup and the Spectre paper: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html https://spectreattack.com/spectre.pdf

Definition in file X86SpeculativeLoadHardening.cpp.

Macro Definition Documentation

◆ DEBUG_TYPE

#define DEBUG_TYPE   PASS_KEY

Definition at line 62 of file X86SpeculativeLoadHardening.cpp.

◆ PASS_KEY

#define PASS_KEY   "x86-slh"

Definition at line 61 of file X86SpeculativeLoadHardening.cpp.

Function Documentation

◆ canonicalizePHIOperands()

static void canonicalizePHIOperands ( MachineFunction MF)
static

Removing duplicate PHI operands to leave the PHI in a canonical and predictable form.

FIXME: It's really frustrating that we have to do this, but SSA-form in MIR isn't what you might expect. We may have multiple entries in PHI nodes for a single predecessor. This makes CFG-updating extremely complex, so here we simplify all PHI nodes to a model even simpler than the IR's model: exactly one entry per predecessor, regardless of how many edges there are.

Definition at line 326 of file X86SpeculativeLoadHardening.cpp.

References llvm::SmallPtrSetImplBase::clear(), llvm::SmallVectorBase< Size_T >::empty(), llvm::SmallPtrSetImpl< PtrType >::insert(), MBB, MI, llvm::SmallVectorImpl< T >::pop_back_val(), and llvm::SmallVectorTemplateBase< T, bool >::push_back().

◆ getRegClassForUnfoldedLoad()

static const TargetRegisterClass * getRegClassForUnfoldedLoad ( MachineFunction MF,
const X86InstrInfo TII,
unsigned  Opcode 
)
static

Compute the register class for the unfolded load.

FIXME: This should probably live in X86InstrInfo, potentially by adding a way to unfold into a newly created vreg rather than requiring a register input.

Definition at line 839 of file X86SpeculativeLoadHardening.cpp.

References TII.

◆ hasVulnerableLoad()

static bool hasVulnerableLoad ( MachineFunction MF)
static

Helper to scan a function for loads vulnerable to misspeculation that we want to harden.

We use this to avoid making changes to functions where there is nothing we need to do to harden against misspeculation.

Definition at line 370 of file X86SpeculativeLoadHardening.cpp.

References MBB, and MI.

◆ INITIALIZE_PASS_BEGIN()

INITIALIZE_PASS_BEGIN ( X86SpeculativeLoadHardeningPass  ,
PASS_KEY  ,
"X86 speculative load hardener"  ,
false  ,
false   
)

◆ isEFLAGSDefLive()

static bool isEFLAGSDefLive ( const MachineInstr MI)
static

Definition at line 1203 of file X86SpeculativeLoadHardening.cpp.

References MI.

◆ isEFLAGSLive()

static bool isEFLAGSLive ( MachineBasicBlock MBB,
MachineBasicBlock::iterator  I,
const TargetRegisterInfo TRI 
)
static

◆ splitEdge()

static MachineBasicBlock & splitEdge ( MachineBasicBlock MBB,
MachineBasicBlock Succ,
int  SuccCount,
MachineInstr Br,
MachineInstr *&  UncondBr,
const X86InstrInfo TII 
)
static

◆ STATISTIC() [1/7]

STATISTIC ( NumAddrRegsHardened  ,
"Number of address mode used registers hardaned"   
)

◆ STATISTIC() [2/7]

STATISTIC ( NumBranchesUntraced  ,
"Number of branches unable to trace"   
)

◆ STATISTIC() [3/7]

STATISTIC ( NumCallsOrJumpsHardened  ,
"Number of calls or jumps requiring extra hardening"   
)

◆ STATISTIC() [4/7]

STATISTIC ( NumCondBranchesTraced  ,
"Number of conditional branches traced"   
)

◆ STATISTIC() [5/7]

STATISTIC ( NumInstsInserted  ,
"Number of instructions inserted"   
)

◆ STATISTIC() [6/7]

STATISTIC ( NumLFENCEsInserted  ,
"Number of lfence instructions inserted"   
)

◆ STATISTIC() [7/7]

STATISTIC ( NumPostLoadRegsHardened  ,
"Number of post-load register values hardened"   
)

Variable Documentation

◆ EnablePostLoadHardening

cl::opt< bool > EnablePostLoadHardening(PASS_KEY "-post-load", cl::desc("Harden the value loaded *after* it is loaded by " "flushing the loaded bits to 1. This is hard to do " "in general but can be done easily for GPRs."), cl::init(true), cl::Hidden) ( PASS_KEY "-post-load"  ,
cl::desc("Harden the value loaded *after* it is loaded by " "flushing the loaded bits to 1. This is hard to do " "in general but can be done easily for GPRs.")  ,
cl::init(true ,
cl::Hidden   
)
static

◆ EnableSpeculativeLoadHardening

cl::opt< bool > EnableSpeculativeLoadHardening("x86-speculative-load-hardening", cl::desc("Force enable speculative load hardening"), cl::init(false), cl::Hidden) ( "x86-speculative-load-hardening"  ,
cl::desc("Force enable speculative load hardening")  ,
cl::init(false)  ,
cl::Hidden   
)
static

◆ false

X86 speculative load false

Definition at line 2265 of file X86SpeculativeLoadHardening.cpp.

◆ FenceCallAndRet

cl::opt< bool > FenceCallAndRet(PASS_KEY "-fence-call-and-ret", cl::desc("Use a full speculation fence to harden both call and ret edges " "rather than a lighter weight mitigation."), cl::init(false), cl::Hidden) ( PASS_KEY "-fence-call-and-ret"  ,
cl::desc("Use a full speculation fence to harden both call and ret edges " "rather than a lighter weight mitigation.")  ,
cl::init(false)  ,
cl::Hidden   
)
static

◆ HardenEdgesWithLFENCE

cl::opt< bool > HardenEdgesWithLFENCE(PASS_KEY "-lfence", cl::desc( "Use LFENCE along each conditional edge to harden against speculative " "loads rather than conditional movs and poisoned pointers."), cl::init(false), cl::Hidden) ( PASS_KEY "-lfence"  ,
cl::desc( "Use LFENCE along each conditional edge to harden against speculative " "loads rather than conditional movs and poisoned pointers.")  ,
cl::init(false)  ,
cl::Hidden   
)
static

◆ hardener

X86 speculative load hardener

Definition at line 2265 of file X86SpeculativeLoadHardening.cpp.

◆ HardenIndirectCallsAndJumps

cl::opt< bool > HardenIndirectCallsAndJumps(PASS_KEY "-indirect", cl::desc("Harden indirect calls and jumps against using speculatively " "stored attacker controlled addresses. This is designed to " "mitigate Spectre v1.2 style attacks."), cl::init(true), cl::Hidden) ( PASS_KEY "-indirect"  ,
cl::desc("Harden indirect calls and jumps against using speculatively " "stored attacker controlled addresses. This is designed to " "mitigate Spectre v1.2 style attacks.")  ,
cl::init(true ,
cl::Hidden   
)
static

◆ HardenInterprocedurally

cl::opt< bool > HardenInterprocedurally(PASS_KEY "-ip", cl::desc("Harden interprocedurally by passing our state in and out of " "functions in the high bits of the stack pointer."), cl::init(true), cl::Hidden) ( PASS_KEY "-ip"  ,
cl::desc("Harden interprocedurally by passing our state in and out of " "functions in the high bits of the stack pointer.")  ,
cl::init(true ,
cl::Hidden   
)
static

◆ HardenLoads

cl::opt< bool > HardenLoads(PASS_KEY "-loads", cl::desc("Sanitize loads from memory. When disable, no " "significant security is provided."), cl::init(true), cl::Hidden) ( PASS_KEY "-loads"  ,
cl::desc("Sanitize loads from memory. When disable, no " "significant security is provided.")  ,
cl::init(true ,
cl::Hidden   
)
static

◆ PASS_KEY

PASS_KEY

Definition at line 2264 of file X86SpeculativeLoadHardening.cpp.