//===-- X86SpeculativeExecutionSideEffectSuppression.cpp ------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
/// \file
///
/// This file contains the X86 implementation of the speculative execution side
/// effect suppression mitigation.
///
/// This must be used with the -mlvi-cfi flag in order to mitigate indirect
/// branches and returns.
//===----------------------------------------------------------------------===//
#include "X86.h"
#include "X86InstrInfo.h"
#include "X86Subtarget.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/MachineInstrBuilder.h"
#include "llvm/Pass.h"
#include "llvm/Target/TargetMachine.h"
using namespace llvm;
// Debug category for this file; it is the same string that INITIALIZE_PASS at
// the bottom of the file uses as the pass's command-line name.
#define DEBUG_TYPE "x86-seses"

// Incremented once for every LFENCE this pass inserts. LFENCEs that were
// already present in the function are not counted.
STATISTIC(NumLFENCEsInserted, "Number of lfence instructions inserted");
// Hidden switch that forces the pass to run even when neither the LVI fallback
// condition nor the SESES subtarget feature selects it. As the description
// says, this alone does not cover indirect branches and returns; -mlvi-cfi is
// still required for those.
static cl::opt<bool> EnableSpeculativeExecutionSideEffectSuppression(
    "x86-seses-enable-without-lvi-cfi", cl::Hidden, cl::init(false),
    cl::desc("Force enable speculative execution side effect suppression. "
             "(Note: User must pass -mlvi-cfi in order to mitigate indirect "
             "branches and returns.)"));

// The three hidden switches below all default to off, and each one makes the
// pass emit fewer LFENCEs than the default behavior. Turning any of them on
// therefore narrows what the mitigation covers and should be a deliberate
// choice.

// Stop fencing a basic block after its first non-terminator load/store has
// been handled.
static cl::opt<bool> OneLFENCEPerBasicBlock(
    "x86-seses-one-lfence-per-bb", cl::Hidden, cl::init(false),
    cl::desc(
        "Omit all lfences other than the first to be placed in a basic block."));

// Skip the terminator-group fence for branches whose register inputs are all
// %rip (see hasConstantAddressingMode).
static cl::opt<bool> OnlyLFENCENonConst(
    "x86-seses-only-lfence-non-const", cl::Hidden, cl::init(false),
    cl::desc("Only lfence before groups of terminators where at least one "
             "branch instruction has an input to the addressing mode that is a "
             "register other than %rip."));

// Never place a fence in front of branch instructions.
static cl::opt<bool>
    OmitBranchLFENCEs("x86-seses-omit-branch-lfences", cl::Hidden,
                      cl::init(false),
                      cl::desc("Omit all lfences before branch instructions."));
namespace {

/// Machine function pass implementing speculative execution side effect
/// suppression (SESES) for X86. The work is done in runOnMachineFunction,
/// which inserts LFENCE instructions into the function.
class X86SpeculativeExecutionSideEffectSuppression
    : public MachineFunctionPass {
public:
  /// Pass identifier; the constructor hands it to MachineFunctionPass.
  static char ID;

  X86SpeculativeExecutionSideEffectSuppression() : MachineFunctionPass(ID) {}

  /// Runs the mitigation on \p MF; defined out of line further down.
  bool runOnMachineFunction(MachineFunction &MF) override;

  /// Name shown for this pass, also used in its debug banner.
  StringRef getPassName() const override {
    return "X86 Speculative Execution Side Effect Suppression";
  }
};

} // end anonymous namespace

// Out-of-line definition of the static pass identifier declared in the class.
char X86SpeculativeExecutionSideEffectSuppression::ID = 0;
/// Reports whether \p MI uses a memory addressing mode that is constant.
///
/// Every use operand of the instruction is inspected, not only its memory
/// operands: a single register use other than %rip makes the result false.
/// Because EFLAGS counts as such a register, JCC instructions always yield
/// false, since one of their operands is always EFLAGS. The check is thus
/// conservative: it can report "non-constant" for an instruction whose address
/// is in fact constant, which only results in an extra LFENCE.
///
/// \returns true when no use operand is a register other than %rip.
static bool hasConstantAddressingMode(const MachineInstr &MI) {
  for (const MachineOperand &Use : MI.uses()) {
    // Non-register operands do not affect the answer.
    if (!Use.isReg())
      continue;
    if (X86::RIP != Use.getReg())
      return false;
  }
  return true;
}
/// Inserts LFENCE instructions into \p MF to suppress speculative execution
/// side effects.
///
/// By default an LFENCE is placed before every non-terminator instruction that
/// may load or store, and before the first terminator of any basic block whose
/// terminator group contains a branch. The hidden x86-seses-* options reduce
/// that set.
///
/// \returns true if at least one LFENCE was inserted, false if the pass was
/// not enabled for this function or found nothing to fence.
bool X86SpeculativeExecutionSideEffectSuppression::runOnMachineFunction(
    MachineFunction &MF) {

  const auto &OptLevel = MF.getTarget().getOptLevel();
  const X86Subtarget &Subtarget = MF.getSubtarget<X86Subtarget>();

  // Check whether SESES needs to run as the fallback for LVI at O0, whether the
  // user explicitly passed an SESES flag, or whether the SESES target feature
  // was set. If none of the three holds the function is left untouched.
  if (!EnableSpeculativeExecutionSideEffectSuppression &&
      !(Subtarget.useLVILoadHardening() && OptLevel == CodeGenOpt::None) &&
      !Subtarget.useSpeculativeExecutionSideEffectSuppression())
    return false;

  LLVM_DEBUG(dbgs() << "********** " << getPassName() << " : " << MF.getName()
                    << " **********\n");
  bool Modified = false;
  const X86InstrInfo *TII = Subtarget.getInstrInfo();
  for (MachineBasicBlock &MBB : MF) {
    MachineInstr *FirstTerminator = nullptr;
    // Keep track of whether the previous instruction was an LFENCE to avoid
    // adding redundant LFENCEs.
    bool PrevInstIsLFENCE = false;
    for (auto &MI : MBB) {

      // An LFENCE that is already present is remembered and skipped, so the
      // instruction that follows it does not get a second one.
      if (MI.getOpcode() == X86::LFENCE) {
        PrevInstIsLFENCE = true;
        continue;
      }
      // We want to put an LFENCE before any instruction that
      // may load or store. This LFENCE is intended to avoid leaking any secret
      // data due to a given load or store. This results in closing the cache
      // and memory timing side channels. We will treat terminators that load
      // or store separately.
      if (MI.mayLoadOrStore() && !MI.isTerminator()) {
        if (!PrevInstIsLFENCE) {
          // The new LFENCE goes immediately before MI and carries an empty
          // debug location.
          BuildMI(MBB, MI, DebugLoc(), TII->get(X86::LFENCE));
          NumLFENCEsInserted++;
          Modified = true;
        }
        // With x86-seses-one-lfence-per-bb this break leaves the instruction
        // loop at the first non-terminator load/store, whether or not a fence
        // was inserted for it. Nothing after that instruction is examined, so
        // later loads/stores and this block's branches receive no LFENCE from
        // this pass.
        if (OneLFENCEPerBasicBlock)
          break;
      }
      // The following section will be LFENCEing before groups of terminators
      // that include branches. This will close the branch prediction side
      // channels since we will prevent code executing after misspeculation as
      // a result of the LFENCEs placed with this logic.

      // Keep track of the first terminator in a basic block since if we need
      // to LFENCE the terminators in this basic block we must add the
      // instruction before the first terminator in the basic block (as
      // opposed to before the terminator that indicates an LFENCE is
      // required). An example of why this is necessary is that the
      // X86InstrInfo::analyzeBranch method assumes all terminators are grouped
      // together and terminates its analysis once the first non-terminator
      // instruction is found.
      if (MI.isTerminator() && FirstTerminator == nullptr)
        FirstTerminator = &MI;

      // Look for branch instructions that will require an LFENCE to be put
      // before this basic block's terminators.
      if (!MI.isBranch() || OmitBranchLFENCEs) {
        // This isn't a branch or we're not putting LFENCEs before branches.
        // Either way MI is not an LFENCE, so the flag is cleared for the next
        // instruction.
        PrevInstIsLFENCE = false;
        continue;
      }

      if (OnlyLFENCENonConst && hasConstantAddressingMode(MI)) {
        // This is a branch, but it only has constant addressing mode and we're
        // not adding LFENCEs before such branches.
        PrevInstIsLFENCE = false;
        continue;
      }

      // This branch requires adding an LFENCE.
      if (!PrevInstIsLFENCE) {
        // NOTE(review): this assert is the only guard on FirstTerminator; it
        // relies on every branch also being a terminator, and builds without
        // assertions would pass a null pointer to BuildMI if that ever failed
        // to hold. Confirm the invariant.
        assert(FirstTerminator && "Unknown terminator instruction");
        BuildMI(MBB, FirstTerminator, DebugLoc(), TII->get(X86::LFENCE));
        NumLFENCEsInserted++;
        Modified = true;
      }
      // The first branch that requires a fence ends the scan of this block;
      // any instructions after it are not examined.
      break;
    }
  }

  return Modified;
}
/// Factory for the SESES pass: allocates a new pass object with `new` and
/// returns it as a FunctionPass pointer.
/// NOTE(review): ownership presumably transfers to whoever adds the pass to a
/// pass manager; nothing in this file frees it. Confirm against the caller.
FunctionPass *llvm::createX86SpeculativeExecutionSideEffectSuppression() {
  auto *SESESPass = new X86SpeculativeExecutionSideEffectSuppression();
  return SESESPass;
}
// Registers the pass under the command-line name "x86-seses" with the same
// description string that getPassName() returns. The two trailing `false`
// arguments are the macro's CFG-only and is-analysis flags.
INITIALIZE_PASS(X86SpeculativeExecutionSideEffectSuppression, "x86-seses",
                "X86 Speculative Execution Side Effect Suppression", false,
                false)