|
LLVM 20.0.0git
|
Provide a pass which mitigates speculative execution attacks which operate by speculating incorrectly past some predicate (a type check, bounds check, or other condition) to reach a load with invalid inputs and leak the data accessed by that load using a side channel out of the speculative domain. More...
#include "X86.h"#include "X86InstrInfo.h"#include "X86Subtarget.h"#include "llvm/ADT/ArrayRef.h"#include "llvm/ADT/DenseMap.h"#include "llvm/ADT/STLExtras.h"#include "llvm/ADT/SmallPtrSet.h"#include "llvm/ADT/SmallSet.h"#include "llvm/ADT/SmallVector.h"#include "llvm/ADT/SparseBitVector.h"#include "llvm/ADT/Statistic.h"#include "llvm/CodeGen/MachineBasicBlock.h"#include "llvm/CodeGen/MachineConstantPool.h"#include "llvm/CodeGen/MachineFunction.h"#include "llvm/CodeGen/MachineFunctionPass.h"#include "llvm/CodeGen/MachineInstr.h"#include "llvm/CodeGen/MachineInstrBuilder.h"#include "llvm/CodeGen/MachineModuleInfo.h"#include "llvm/CodeGen/MachineOperand.h"#include "llvm/CodeGen/MachineRegisterInfo.h"#include "llvm/CodeGen/MachineSSAUpdater.h"#include "llvm/CodeGen/TargetInstrInfo.h"#include "llvm/CodeGen/TargetRegisterInfo.h"#include "llvm/CodeGen/TargetSchedule.h"#include "llvm/CodeGen/TargetSubtargetInfo.h"#include "llvm/IR/DebugLoc.h"#include "llvm/MC/MCSchedule.h"#include "llvm/Pass.h"#include "llvm/Support/CommandLine.h"#include "llvm/Support/Debug.h"#include "llvm/Support/raw_ostream.h"#include "llvm/Target/TargetMachine.h"#include <cassert>#include <iterator>#include <optional>#include <utility>Go to the source code of this file.
Macros | |
| #define | PASS_KEY "x86-slh" |
| #define | DEBUG_TYPE PASS_KEY |
Functions | |
| STATISTIC (NumCondBranchesTraced, "Number of conditional branches traced") | |
| STATISTIC (NumBranchesUntraced, "Number of branches unable to trace") | |
| STATISTIC (NumAddrRegsHardened, "Number of address mode used registers hardaned") | |
| STATISTIC (NumPostLoadRegsHardened, "Number of post-load register values hardened") | |
| STATISTIC (NumCallsOrJumpsHardened, "Number of calls or jumps requiring extra hardening") | |
| STATISTIC (NumInstsInserted, "Number of instructions inserted") | |
| STATISTIC (NumLFENCEsInserted, "Number of lfence instructions inserted") | |
| static MachineBasicBlock & | splitEdge (MachineBasicBlock &MBB, MachineBasicBlock &Succ, int SuccCount, MachineInstr *Br, MachineInstr *&UncondBr, const X86InstrInfo &TII) |
| static void | canonicalizePHIOperands (MachineFunction &MF) |
| Removing duplicate PHI operands to leave the PHI in a canonical and predictable form. | |
| static bool | hasVulnerableLoad (MachineFunction &MF) |
| Helper to scan a function for loads vulnerable to misspeculation that we want to harden. | |
| static const TargetRegisterClass * | getRegClassForUnfoldedLoad (MachineFunction &MF, const X86InstrInfo &TII, unsigned Opcode) |
| Compute the register class for the unfolded load. | |
| static bool | isEFLAGSDefLive (const MachineInstr &MI) |
| static bool | isEFLAGSLive (MachineBasicBlock &MBB, MachineBasicBlock::iterator I, const TargetRegisterInfo &TRI) |
| INITIALIZE_PASS_BEGIN (X86SpeculativeLoadHardeningPass, PASS_KEY, "X86 speculative load hardener", false, false) INITIALIZE_PASS_END(X86SpeculativeLoadHardeningPass | |
Variables | |
| static cl::opt< bool > | EnableSpeculativeLoadHardening ("x86-speculative-load-hardening", cl::desc("Force enable speculative load hardening"), cl::init(false), cl::Hidden) |
| static cl::opt< bool > | HardenEdgesWithLFENCE (PASS_KEY "-lfence", cl::desc("Use LFENCE along each conditional edge to harden against speculative " "loads rather than conditional movs and poisoned pointers."), cl::init(false), cl::Hidden) |
| static cl::opt< bool > | EnablePostLoadHardening (PASS_KEY "-post-load", cl::desc("Harden the value loaded *after* it is loaded by " "flushing the loaded bits to 1. This is hard to do " "in general but can be done easily for GPRs."), cl::init(true), cl::Hidden) |
| static cl::opt< bool > | FenceCallAndRet (PASS_KEY "-fence-call-and-ret", cl::desc("Use a full speculation fence to harden both call and ret edges " "rather than a lighter weight mitigation."), cl::init(false), cl::Hidden) |
| static cl::opt< bool > | HardenInterprocedurally (PASS_KEY "-ip", cl::desc("Harden interprocedurally by passing our state in and out of " "functions in the high bits of the stack pointer."), cl::init(true), cl::Hidden) |
| static cl::opt< bool > | HardenLoads (PASS_KEY "-loads", cl::desc("Sanitize loads from memory. When disable, no " "significant security is provided."), cl::init(true), cl::Hidden) |
| static cl::opt< bool > | HardenIndirectCallsAndJumps (PASS_KEY "-indirect", cl::desc("Harden indirect calls and jumps against using speculatively " "stored attacker controlled addresses. This is designed to " "mitigate Spectre v1.2 style attacks."), cl::init(true), cl::Hidden) |
| PASS_KEY | |
| X86 speculative load | hardener |
| X86 speculative load | false |
Provide a pass which mitigates speculative execution attacks which operate by speculating incorrectly past some predicate (a type check, bounds check, or other condition) to reach a load with invalid inputs and leak the data accessed by that load using a side channel out of the speculative domain.
For details on the attacks, see the first variant in both the Project Zero writeup and the Spectre paper: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html https://spectreattack.com/spectre.pdf
Definition in file X86SpeculativeLoadHardening.cpp.
| #define DEBUG_TYPE PASS_KEY |
Definition at line 62 of file X86SpeculativeLoadHardening.cpp.
| #define PASS_KEY "x86-slh" |
Definition at line 61 of file X86SpeculativeLoadHardening.cpp.
|
static |
Removing duplicate PHI operands to leave the PHI in a canonical and predictable form.
FIXME: It's really frustrating that we have to do this, but SSA-form in MIR isn't what you might expect. We may have multiple entries in PHI nodes for a single predecessor. This makes CFG-updating extremely complex, so here we simplify all PHI nodes to a model even simpler than the IR's model: exactly one entry per predecessor, regardless of how many edges there are.
Definition at line 326 of file X86SpeculativeLoadHardening.cpp.
References llvm::SmallPtrSetImplBase::clear(), llvm::SmallVectorBase< Size_T >::empty(), llvm::SmallPtrSetImpl< PtrType >::insert(), MBB, MI, llvm::SmallVectorImpl< T >::pop_back_val(), and llvm::SmallVectorTemplateBase< T, bool >::push_back().
|
static |
Compute the register class for the unfolded load.
FIXME: This should probably live in X86InstrInfo, potentially by adding a way to unfold into a newly created vreg rather than requiring a register input.
Definition at line 839 of file X86SpeculativeLoadHardening.cpp.
References TII.
|
static |
Helper to scan a function for loads vulnerable to misspeculation that we want to harden.
We use this to avoid making changes to functions where there is nothing we need to do to harden against misspeculation.
Definition at line 370 of file X86SpeculativeLoadHardening.cpp.
| INITIALIZE_PASS_BEGIN | ( | X86SpeculativeLoadHardeningPass | , |
| PASS_KEY | , | ||
| "X86 speculative load hardener" | , | ||
| false | , | ||
| false | |||
| ) |
|
static |
Definition at line 1203 of file X86SpeculativeLoadHardening.cpp.
References MI.
|
static |
Definition at line 1211 of file X86SpeculativeLoadHardening.cpp.
References llvm::MachineBasicBlock::begin(), I, llvm::MachineBasicBlock::isLiveIn(), llvm::make_range(), MBB, MI, llvm::reverse(), and TRI.
|
static |
Definition at line 222 of file X86SpeculativeLoadHardening.cpp.
References llvm::MachineBasicBlock::addLiveIn(), llvm::MachineInstrBuilder::addMBB(), llvm::MachineBasicBlock::addSuccessor(), assert(), llvm::BuildMI(), Cond, llvm::MachineFunction::CreateMachineBasicBlock(), llvm::MachineOperand::CreateMBB(), llvm::dbgs(), llvm::MachineInstr::getDebugLoc(), llvm::MachineOperand::getMBB(), llvm::MachineBasicBlock::getName(), llvm::MachineInstr::getOperand(), llvm::MachineBasicBlock::getParent(), llvm::MachineFunction::insert(), llvm::HexagonInstrInfo::insertBranch(), llvm::MachineBasicBlock::isEHPad(), llvm::MachineBasicBlock::isLayoutSuccessor(), llvm::MachineOperand::isMBB(), llvm::MachineBasicBlock::isSuccessor(), llvm::MachineBasicBlock::liveins(), LLVM_DEBUG, MBB, MI, llvm::MachineBasicBlock::replaceSuccessor(), llvm::MachineOperand::setMBB(), llvm::MachineBasicBlock::splitSuccessor(), and TII.
| STATISTIC | ( | NumAddrRegsHardened | , |
| "Number of address mode used registers hardaned" | |||
| ) |
| STATISTIC | ( | NumBranchesUntraced | , |
| "Number of branches unable to trace" | |||
| ) |
| STATISTIC | ( | NumCallsOrJumpsHardened | , |
| "Number of calls or jumps requiring extra hardening" | |||
| ) |
| STATISTIC | ( | NumCondBranchesTraced | , |
| "Number of conditional branches traced" | |||
| ) |
| STATISTIC | ( | NumInstsInserted | , |
| "Number of instructions inserted" | |||
| ) |
| STATISTIC | ( | NumLFENCEsInserted | , |
| "Number of lfence instructions inserted" | |||
| ) |
|
static |
|
static |
| X86 speculative load false |
Definition at line 2265 of file X86SpeculativeLoadHardening.cpp.
|
static |
|
static |
| X86 speculative load hardener |
Definition at line 2265 of file X86SpeculativeLoadHardening.cpp.
|
static |
|
static |
|
static |
| PASS_KEY |
Definition at line 2264 of file X86SpeculativeLoadHardening.cpp.
1.9.6