| blob | ce5a1bce5b107fbd5cbba7c87e137b2ea95fe0be |
1 //====- X86SpeculativeLoadHardening.cpp - A Spectre v1 mitigation ---------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 /// \file
9 ///
10 /// Provide a pass which mitigates speculative execution attacks which operate
11 /// by speculating incorrectly past some predicate (a type check, bounds check,
12 /// or other condition) to reach a load with invalid inputs and leak the data
13 /// accessed by that load using a side channel out of the speculative domain.
14 ///
15 /// For details on the attacks, see the first variant in both the Project Zero
16 /// writeup and the Spectre paper:
17 /// https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
18 /// https://spectreattack.com/spectre.pdf
19 ///
20 //===----------------------------------------------------------------------===//
54 #include <cassert>
55 #include <iterator>
56 #include <optional>
57 #include <utility>
62 #define DEBUG_TYPE PASS_KEY
83 "Use LFENCE along each conditional edge to harden against speculative "
90 "flushing the loaded bits to 1. This is hard to do "
115 "stored attacker controlled addresses. This is designed to "
127 }
131 /// Pass identification, replacement for typeid.
135 /// The information about a block's conditional terminators needed to trace
136 /// our predicate state through the exiting edges.
140 // We mostly have one conditional branch, and in extremely rare cases have
141 // two. Three and more are so rare as to be unimportant for compile time.
145 };
147 /// Manages the predicate state traced through the program.
153 MachineSSAUpdater SSA;
157 };
185 Register Reg);
194 void
198 MachineInstr *
211 };
220 }
232 // We have to insert the new block immediately after the current one as we
233 // don't know what layout-successor relationships the successor has and we
234 // may not be able to (and generally don't want to) try to fix those up.
237 // Update the branch instruction if necessary.
243 // If this successor was reached through a branch rather than fallthrough,
244 // we might have *broken* fallthrough and so need to inject a new
245 // unconditional branch.
250 "Without an unconditional branch, the old layout successor should "
254 // Update the unconditional branch now that we've added one.
256 }
258 // Insert unconditional "jump Succ" instruction in the new block if
259 // necessary.
263 }
268 "A non-branch successor must have been a layout successor before "
270 }
272 // If this is the only edge to the successor, we can just replace it in the
273 // CFG. Otherwise we need to add a new entry in the CFG for the new
274 // successor.
279 }
281 // Hook up the edge from the new basic block to the old successor in the CFG.
284 // Fix PHI nodes in Succ so they refer to NewMBB instead of MBB.
296 // If this is the last edge to the succesor, just replace MBB in the PHI
300 }
302 // Otherwise, append a new pair of operands for the new incoming edge.
306 }
307 }
309 // Inherit live-ins from the successor
316 }
318 /// Removing duplicate PHI operands to leave the PHI in a canonical and
319 /// predictable form.
320 ///
321 /// FIXME: It's really frustrating that we have to do this, but SSA-form in MIR
322 /// isn't what you might expect. We may have multiple entries in PHI nodes for
323 /// a single predecessor. This makes CFG-updating extremely complex, so here we
324 /// simplify all PHI nodes to a model even simpler than the IR's model: exactly
325 /// one entry per predecessor, regardless of how many edges there are.
334 // First we scan the operands of the PHI looking for duplicate entries
335 // a particular predecessor. We retain the operand index of each duplicate
336 // entry found.
342 // Now walk the duplicate indices, removing both the block and value. Note
343 // that these are stored as a vector making this element-wise removal
344 // :w
345 // potentially quadratic.
346 //
347 // FIXME: It is really frustrating that we have to use a quadratic
348 // removal algorithm here. There should be a better way, but the use-def
349 // updates required make that impossible using the public API.
350 //
351 // Note that we have to process these backwards so that we don't
352 // invalidate other indices with each removal.
355 // Remove both the block and value operand, again in reverse order to
356 // preserve indices.
359 }
362 }
363 }
365 /// Helper to scan a function for loads vulnerable to misspeculation that we
366 /// want to harden.
367 ///
368 /// We use this to avoid making changes to functions where there is nothing we
369 /// need to do to harden against misspeculation.
373 // Loads within this basic block after an LFENCE are not at risk of
374 // speculatively executing with invalid predicates from prior control
375 // flow. So break out of this block but continue scanning the function.
379 // Looking for loads only.
383 // An MFENCE is modeled as a load but isn't vulnerable to misspeculation.
387 // We found a load.
389 }
390 }
392 // No loads found.
394 }
401 // Only run if this pass is forced enabled or we detect the relevant function
402 // attribute requesting SLH.
412 // FIXME: Support for 32-bit.
416 // Nothing to do for a degenerate empty function...
419 // We support an alternative hardening technique based on a debug flag.
423 }
425 // Create a dummy debug loc to use for all the generated code here.
426 DebugLoc Loc;
431 // Do a quick scan to see if we have any checkable loads.
434 // See if we have any conditional branching blocks that we will need to trace
435 // predicate state through.
438 // If we have no interesting conditions or loads, nothing to do here.
442 // The poison value is required to be an all-ones value for many aspects of
443 // this mitigation.
450 // If we have loads being hardened and we've asked for call and ret edges to
451 // get a full fence-based mitigation, inject that fence.
453 // We need to insert an LFENCE at the start of the function to suspend any
454 // incoming misspeculation from the caller. This helps two-fold: the caller
455 // may not have been protected as this code has been, and this code gets to
456 // not take any specific action to protect across calls.
457 // FIXME: We could skip this for functions which unconditionally return
458 // a constant.
462 }
464 // If we guarded the entry with an LFENCE and have no conditionals to protect
465 // in blocks, then we're done.
467 // We may have changed the function's code at this point to insert fences.
470 // For every basic block in the function which can b
472 // Set up the predicate state by extracting it from the incoming stack
473 // pointer so we pick up any misspeculation in our caller.
476 // Otherwise, just build the predicate state itself by zeroing a register
477 // as we don't need any initial state.
481 PredStateSubReg);
493 }
495 // We're going to need to trace predicate state throughout the function's
496 // CFG. Prepare for this by setting up our initial state of PHIs with unique
497 // predecessor entries and all the initial predicate state.
500 // Track the updated values in an SSA updater to rewrite into SSA form at the
501 // end.
505 // Trace through the CFG.
508 // We may also enter basic blocks in this function via exception handling
509 // control flow. Here, if we are hardening interprocedurally, we need to
510 // re-capture the predicate state from the throwing code. In the Itanium ABI,
511 // the throw will always look like a call to __cxa_throw and will have the
512 // predicate state in the stack pointer, so extract fresh predicate state from
513 // the stack pointer and make it available in SSA.
514 // FIXME: Handle non-itanium ABI EH models.
525 }
526 }
529 // If we are going to harden calls and jumps we need to unfold their memory
530 // operands.
533 // Then we trace predicate state through the indirect branches.
536 }
538 // Now that we have the predicate state available at the start of each block
539 // in the CFG, trace it through each block, hardening vulnerable instructions
540 // as we go.
543 // Now rewrite all the uses of the pred state using the SSA updater to insert
544 // PHIs connecting the state between blocks along the CFG edges.
551 }
556 }
558 /// Implements the naive hardening approach of putting an LFENCE after every
559 /// potentially mis-predicted control flow construct.
560 ///
561 /// We include this as an alternative mostly for the purpose of comparison. The
562 /// performance impact of this is expected to be extremely severe and not
563 /// practical for any real-world users.
566 // First, we scan the function looking for blocks that are reached along edges
567 // that we might want to harden.
570 // If there are no or only one successor, nothing to do here.
574 // Skip blocks unless their terminators start with a branch. Other
575 // terminators don't seem interesting for guarding against misspeculation.
580 // Add all the non-EH-pad succossors to the blocks we want to harden. We
581 // skip EH pads because there isn't really a condition of interest on
582 // entering.
586 }
593 }
594 }
600 // Walk the function and build up a summary for each block's conditions that
601 // we need to trace through.
603 // If there are no or only one successor, nothing to do here.
607 // We want to reliably handle any conditional branch terminators in the
608 // MBB, so we manually analyze the branch. We can handle all of the
609 // permutations here, including ones that analyze branch cannot.
610 //
611 // The approach is to walk backwards across the terminators, resetting at
612 // any unconditional non-indirect branch, and track all conditional edges
613 // to basic blocks as well as the fallthrough or unconditional successor
614 // edge. For each conditional edge, we track the target and the opposite
615 // condition code in order to inject a "no-op" cmov into that successor
616 // that will harden the predicate. For the fallthrough/unconditional
617 // edge, we inject a separate cmov for each conditional branch with
618 // matching condition codes. This effectively implements an "and" of the
619 // condition flags, even if there isn't a single condition flag that would
620 // directly implement that. We don't bother trying to optimize either of
621 // these cases because if such an optimization is possible, LLVM should
622 // have optimized the conditional *branches* in that way already to reduce
623 // instruction count. This late, we simply assume the minimal number of
624 // branch instructions is being emitted and use that to guide our cmov
625 // insertion.
629 // Now walk backwards through the terminators and build up successors they
630 // reach and the conditions.
632 // Once we've handled all the terminators, we're done.
636 // If we see a non-branch terminator, we can't handle anything so bail.
640 }
642 // If we see an unconditional branch, reset our state, clear any
643 // fallthrough, and set this is the "else" successor.
648 }
650 // If we get an invalid condition, we have an indirect branch or some
651 // other unanalyzable "fallthrough" case. We model this as a nullptr for
652 // the destination so we can still guard any conditional successors.
653 // Consider code sequences like:
654 // ```
655 // jCC L1
656 // jmpq *%rax
657 // ```
658 // We still want to harden the edge to `L1`.
663 }
665 // We have a vanilla conditional branch, add it to our list.
667 }
673 }
676 }
679 }
681 /// Trace the predicate state through the CFG, instrumenting each conditional
682 /// branch such that misspeculation through an edge will poison the predicate
683 /// state.
684 ///
685 /// Returns the list of inserted CMov instructions so that they can have their
686 /// uses of the predicate state rewritten into proper SSA form once it is
687 /// complete.
691 // Collect the inserted cmov instructions so we can rewrite their uses of the
692 // predicate state into SSA form.
695 // Now walk all of the basic blocks looking for ones that end in conditional
696 // jumps where we need to update this register along each edge.
706 // Compute the non-conditional successor as either the target of any
707 // unconditional branch or the layout successor.
714 // Count how many edges there are to any given successor.
721 // A lambda to insert cmov instructions into a block checking all of the
722 // condition codes in a sequence.
727 // First, we split the edge to insert the checking block into a safe
728 // location.
731 ? Succ
738 // Now insert the cmovs to implement the checks.
741 "Should never have a PHI in the initial checking block as it "
744 // We will wire each cmov to each other, but need to start with the
745 // incoming pred state.
753 // Note that we intentionally use an empty debug location so that
754 // this picks up the preceding location.
760 // If this is the last cmov and the EFLAGS weren't originally
761 // live-in, mark them as killed.
770 // The first one of the cmovs will be using the top level
771 // `PredStateReg` and need to get rewritten into SSA form.
775 // The next cmov should start from this one's def.
777 }
779 // And put the last one into the available values for SSA form of our
780 // predicate state.
782 };
796 // Decrement the successor count now that we've split one of the edges.
797 // We need to keep the count of edges to the successor accurate in order
798 // to know above when to *replace* the successor in the CFG vs. just
799 // adding the new successor.
801 }
803 // Since we may have split edges and changed the number of successors,
804 // normalize the probabilities. This avoids doing it each time we split an
805 // edge.
808 // Finally, we need to insert cmovs into the "fallthrough" edge. Here, we
809 // need to intersect the other condition codes. We can do this by just
810 // doing a cmov for each one.
812 // If we have no fallthrough to protect (perhaps it is an indirect jump?)
813 // just skip this and continue.
817 "We should never have more than one edge to the unconditional "
818 "successor at this point because every other edge must have been "
821 // Sort and unique the codes to minimize them.
825 // Build a checking version of the successor.
828 }
831 }
833 /// Compute the register class for the unfolded load.
834 ///
835 /// FIXME: This should probably live in X86InstrInfo, potentially by adding
836 /// a way to unfold into a newly created vreg rather than requiring a register
837 /// input.
846 }
851 // We use make_early_inc_range here so we can remove instructions if needed
852 // without disturbing the iteration.
854 // Must either be a call or a branch.
857 // We only care about loading variants of these instructions.
868 }
876 // We cannot mitigate far jumps or calls, but we also don't expect them
877 // to be vulnerable to Spectre v1.2 style attacks.
897 // Use the generic unfold logic now that we know we're dealing with
898 // expected instructions.
899 // FIXME: We don't have test coverage for all of these!
906 }
909 // If we were able to compute an unfolded reg class, any failure here
910 // is just a programming error so just assert.
917 // Now stitch the new instructions into place and erase the old one.
921 // Update the call site info.
931 }
932 });
934 }
935 }
937 }
938 }
940 /// Trace the predicate state through indirect branches, instrumenting them to
941 /// poison the state if a target is reached that does not match the expected
942 /// target.
943 ///
944 /// This is designed to mitigate Spectre variant 1 attacks where an indirect
945 /// branch is trained to predict a particular target and then mispredicts that
946 /// target in a way that can leak data. Despite using an indirect branch, this
947 /// is really a variant 1 style attack: it does not steer execution to an
948 /// arbitrary or attacker controlled address, and it does not require any
949 /// special code executing next to the victim. This attack can also be mitigated
950 /// through retpolines, but those require either replacing indirect branches
951 /// with conditional direct branches or lowering them through a device that
952 /// blocks speculation. This mitigation can replace these retpoline-style
953 /// mitigations for jump tables and other indirect branches within a function
954 /// when variant 2 isn't a risk while allowing limited speculation. Indirect
955 /// calls, however, cannot be mitigated through this technique without changing
956 /// the ABI in a fundamental way.
960 // We use the SSAUpdater to insert PHI nodes for the target addresses of
961 // indirect branches. We don't actually need the full power of the SSA updater
962 // in this particular case as we always have immediately available values, but
963 // this avoids us having to re-implement the PHI construction logic.
967 // Track which blocks were terminated with an indirect branch.
970 // We need to know what blocks end up reached via indirect branches. We
971 // expect this to be a subset of those whose address is taken and so track it
972 // directly via the CFG.
975 // Walk all the blocks which end in an indirect branch and make the
976 // target address available.
978 // Find the last terminator.
986 // No terminator or non-branch terminator.
993 // Direct branch or conditional branch (leading to fallthrough).
999 // We cannot mitigate far jumps or calls, but we also don't expect them
1000 // to be vulnerable to Spectre v1.2 or v2 (self trained) style attacks.
1009 // Mostly as documentation.
1021 }
1023 // We have definitely found an indirect branch. Verify that there are no
1024 // preceding conditional branches as we don't yet support that.
1027 })) {
1034 }
1035 });
1037 }
1039 // Make the target register an available value for this block.
1043 // Add all the successors to our target candidates.
1046 }
1048 // Keep track of the cmov instructions we insert so we can return them.
1051 // If we didn't find any indirect branches with targets, nothing to do here.
1055 // We found indirect branches and targets that need to be instrumented to
1056 // harden loads within them. Walk the blocks of the function (to get a stable
1057 // ordering) and instrument each target of an indirect branch.
1059 // Skip the blocks that aren't candidate targets.
1063 // We don't expect EH pads to ever be reached via an indirect branch. If
1064 // this is desired for some reason, we could simply skip them here rather
1065 // than asserting.
1069 // We should never end up threading EFLAGS into a block to harden
1070 // conditional jumps as there would be an additional successor via the
1071 // indirect branch. As a consequence, all such edges would be split before
1072 // reaching here, and the inserted block will handle the EFLAGS-based
1073 // hardening.
1077 // We can't handle having non-indirect edges into this block unless this is
1078 // the only successor and we can synthesize the necessary target address.
1080 // If we've already handled this by extracting the target directly,
1081 // nothing to do.
1085 // Otherwise, we have to be the only successor. We generally expect this
1086 // to be true as conditional branches should have had a critical edge
1087 // split already. We don't however need to worry about EH pad successors
1088 // as they'll happily ignore the target and their hardening strategy is
1089 // resilient to all ways in which they could be reached speculatively.
1092 })) {
1098 });
1101 }
1103 // Now we need to compute the address of this block and install it as a
1104 // synthetic target in the predecessor. We do this at the bottom of the
1105 // predecessor.
1110 // Directly materialize it into an immediate.
1120 TargetReg)
1130 }
1131 // And make this available.
1133 }
1135 // Materialize the needed SSA value of the target. Note that we need the
1136 // middle of the block as this block might at the bottom have an indirect
1137 // branch back to itself. We can do this here because at this point, every
1138 // predecessor of this block has an available value. This is basically just
1139 // automating the construction of a PHI node for this target.
1142 // Insert a comparison of the incoming target register with this block's
1143 // address. This also requires us to mark the block as having its address
1144 // taken explicitly.
1149 // Check directly against a relocated immediate when we can.
1157 // Otherwise compute the address into a register first.
1175 }
1177 // Now cmov over the predicate if the comparison wasn't equal.
1192 // And put the new value into the available values for SSA form of our
1193 // predicate state.
1195 }
1197 // Return all the newly inserted cmov instructions of the predicate state.
1199 }
1201 // Returns true if the MI has EFLAGS as a register def operand and it's live,
1202 // otherwise it returns false
1207 }
1209 }
1213 // Check if EFLAGS are alive by seeing if there is a def of them or they
1214 // live-in, and then seeing if that def is in turn used.
1218 // If the def is dead, then EFLAGS is not live.
1222 // Otherwise we've def'ed it, and it is live.
1224 }
1225 // While at this instruction, also check if we use and kill EFLAGS
1226 // which means it isn't live.
1229 }
1231 // If we didn't find anything conclusive (neither definitely alive or
1232 // definitely dead) return whether it lives into the block.
1234 }
1236 /// Trace the predicate state through each of the blocks in the function,
1237 /// hardening everything necessary along the way.
1238 ///
1239 /// We call this routine once the initial predicate state has been established
1240 /// for each basic block in the function in the SSA updater. This routine traces
1241 /// it through the instructions within each basic block, and for non-returning
1242 /// blocks informs the SSA updater about the final state that lives out of the
1243 /// block. Along the way, it hardens any vulnerable instruction using the
1244 /// currently valid predicate state. We have to do these two things together
1245 /// because the SSA updater only works across blocks. Within a block, we track
1246 /// the current predicate state directly and update it as it changes.
1247 ///
1248 /// This operates in two passes over each block. First, we analyze the loads in
1249 /// the block to determine which strategy will be used to harden them: hardening
1250 /// the address or hardening the loaded value when loaded into a register
1251 /// amenable to hardening. We have to process these first because the two
1252 /// strategies may interact -- later hardening may change what strategy we wish
1253 /// to use. We also will analyze data dependencies between loads and avoid
1254 /// hardening those loads that are data dependent on a load with a hardened
1255 /// address. We also skip hardening loads already behind an LFENCE as that is
1256 /// sufficient to harden them against misspeculation.
1257 ///
1258 /// Second, we actively trace the predicate state through the block, applying
1259 /// the hardening steps we determined necessary in the first pass as we go.
1260 ///
1261 /// These two passes are applied to each basic block. We operate one block at a
1262 /// time to simplify reasoning about reachability and sequencing.
1272 // Track the set of load-dependent registers through the basic block. Because
1273 // the values of these registers have an existing data dependency on a loaded
1274 // value which we would have checked, we can omit any checks on them.
1278 // The first pass over the block: collect all the loads which can have their
1279 // loaded value hardened and all the loads that instead need their address
1280 // hardened. During this walk we propagate load dependence for address
1281 // hardened loads and also look for LFENCE to stop hardening wherever
1282 // possible. When deciding whether or not to harden the loaded value or not,
1283 // we check to see if any registers used in the address will have been
1284 // hardened at this point and if so, harden any remaining address registers
1285 // as that often successfully re-uses hardened addresses and minimizes
1286 // instructions.
1287 //
1288 // FIXME: We should consider an aggressive mode where we continue to keep as
1289 // many loads value hardened even when some address register hardening would
1290 // be free (due to reuse).
1291 //
1292 // Note that we only need this pass if we are actually hardening loads.
1295 // We naively assume that all def'ed registers of an instruction have
1296 // a data dependency on all of their operands.
1297 // FIXME: Do a more careful analysis of x86 to build a conservative
1298 // model here.
1301 }))
1306 // Both Intel and AMD are guiding that they will change the semantics of
1307 // LFENCE to be a speculation barrier, so if we see an LFENCE, there is
1308 // no more need to guard things in this block.
1312 // If this instruction cannot load, nothing to do.
1316 // Some instructions which "load" are trivially safe or unimportant.
1320 // Extract the memory operand information about this instruction.
1327 }
1334 // If we have at least one (non-frame-index, non-RIP) register operand,
1335 // and neither operand is load-dependent, we need to check the load.
1344 // No register operands!
1347 // If any register operand is dependent, this load is dependent and we
1348 // needn't check it.
1349 // FIXME: Is this true in the case where we are hardening loads after
1350 // they complete? Unclear, need to investigate.
1355 // If post-load hardening is enabled, this load is compatible with
1356 // post-load hardening, and we aren't already going to harden one of the
1357 // address registers, queue it up to be hardened post-load. Notably,
1358 // even once hardened this won't introduce a useful dependency that
1359 // could prune out subsequent loads.
1369 }
1371 // Record this instruction for address hardening and record its register
1372 // operands as being address-hardened.
1382 }
1384 // Now re-walk the instructions in the basic block, and apply whichever
1385 // hardening strategy we have elected. Note that we do this in a second
1386 // pass specifically so that we have the complete set of instructions for
1387 // which we will do post-load hardening and can defer it in certain
1388 // circumstances.
1391 // We cannot both require hardening the def of a load and its address.
1395 // Check if this is a load whose address needs to be hardened.
1406 }
1408 // Test if this instruction is one of our post load instructions (and
1409 // remove it from the set if so).
1413 // If this is a data-invariant load and there is no EFLAGS
1414 // interference, we want to try and sink any hardening as far as
1415 // possible.
1417 // Sink the instruction we'll need to harden as far as we can down
1418 // the graph.
1421 // If we managed to sink this instruction, update everything so we
1422 // harden that instruction when we reach it in the instruction
1423 // sequence.
1425 // If in sinking there was no instruction needing to be hardened,
1426 // we're done.
1430 // Otherwise, add this to the set of defs we harden.
1433 }
1434 }
1438 // Mark the resulting hardened register as such so we don't re-harden.
1442 }
1444 // Check for an indirect call or branch that may need its input hardened
1445 // even if we couldn't find the specific load used, or were able to
1446 // avoid hardening it for some reason. Note that here we cannot break
1447 // out afterward as we may still need to handle any call aspect of this
1448 // instruction.
1451 }
1453 // After we finish hardening loads we handle interprocedural hardening if
1454 // enabled and relevant for this instruction.
1460 // If this is a direct return (IE, not a tail call) just directly harden
1461 // it.
1465 }
1467 // Otherwise we have a call. We need to handle transferring the predicate
1468 // state into a call and recovering it after the call returns (unless this
1469 // is a tail call).
1472 }
1479 // Currently, we only track data-dependent loads within a basic block.
1480 // FIXME: We should see if this is necessary or if we could be more
1481 // aggressive here without opening up attack avenues.
1483 }
1484 }
1486 /// Save EFLAGS into the returned GPR. This can in turn be restored with
1487 /// `restoreEFLAGS`.
1488 ///
1489 /// Note that LLVM can only lower very simple patterns of saved and restored
1490 /// EFLAGS registers. The restore should always be within the same basic block
1491 /// as the save so that no PHI nodes are inserted.
1495 // FIXME: Hard coding this to a 32-bit register class seems weird, but matches
1496 // what instruction selection does.
1498 // We directly copy the FLAGS register and rely on later lowering to clean
1499 // this up into the appropriate setCC instructions.
1503 }
1505 /// Restore EFLAGS from the provided GPR. This should be produced by
1506 /// `saveEFLAGS`.
1507 ///
1508 /// This must be done within the same basic block as the save in order to
1509 /// reliably lower.
1515 }
1517 /// Takes the current predicate state (in a register) and merges it into the
1518 /// stack pointer. The state is essentially a single bit, but we merge this in
1519 /// a way that won't form non-canonical pointers and also will be preserved
1520 /// across normal stack adjustments.
1525 // FIXME: This hard codes a shift distance based on the number of bits needed
1526 // to stay canonical on 64-bit. We should compute this somehow and support
1527 // 32-bit as part of that.
1538 }
1540 /// Extracts the predicate state stored in the high bits of the stack pointer.
1547 // We know that the stack pointer will have any preserved predicate state in
1548 // its high bit. We just want to smear this across the other bits. Turns out,
1549 // this is exactly what an arithmetic right shift does.
1560 }
1568 // Check if EFLAGS are alive by seeing if there is a def of them or they
1569 // live-in, and then seeing if that def is in turn used.
1575 // A frame index is never a dynamically controllable load, so only
1576 // harden it if we're covering fixed address loads as well.
1581 // Some idempotent atomic operations are lowered directly to a locked
1582 // OR with 0 to the top of stack(or slightly offset from top) which uses an
1583 // explicit RSP register as the base.
1590 // For both RIP-relative addressed loads or absolute loads, we cannot
1591 // meaningfully harden them because the address being loaded has no
1592 // dynamic component.
1593 //
1594 // FIXME: When using a segment base (like TLS does) we end up with the
1595 // dynamic address being the base plus -1 because we can't mutate the
1596 // segment register here. This allows the signed 32-bit offset to point at
1597 // valid segment-relative addresses and load them successfully.
1606 }
1619 // Remove any registers that have alreaded been checked.
1621 // See if this operand's register has already been checked.
1624 // Not checked, so retain this one.
1627 // Otherwise, we can directly update this operand and remove it.
1630 });
1631 // If there are none left, we're done.
1635 // Compute the current predicate state.
1640 // If EFLAGS are live and we don't have access to instructions that avoid
1641 // clobbering EFLAGS we need to save and restore them. This in turn makes
1642 // the EFLAGS no longer live.
1647 }
1654 // If this is a vector register, we'll need somewhat custom logic to handle
1655 // hardening it.
1661 // Move our state into a vector register.
1662 // FIXME: We could skip this at the cost of longer encodings with AVX-512
1663 // but that doesn't seem likely worth it.
1672 // Broadcast it across the vector register.
1677 VBStateReg)
1684 // Merge our potential poison state into the value with a vector or.
1702 // Broadcast our state into a vector register.
1715 // Merge our potential poison state into the value with a vector or.
1725 // FIXME: Need to support GR32 here for 32-bit code.
1730 // Merge our potential poison state into the value with an or.
1738 // We need to avoid touching EFLAGS so shift out all but the least
1739 // significant bit using the instruction that doesn't update flags.
1748 }
1749 }
1751 // Record this register as checked and update the operand.
1757 }
1759 // And restore the flags if needed.
1762 }
1769 "Cannot get here with a data invariant load "
1772 // See if we can sink hardening the loaded value.
1777 // We need to find a single use which we can sink the check. We can
1778 // primarily do this because many uses may already end up checked on their
1779 // own.
1782 // If we're already going to harden this use, it is data invariant, it
1783 // does not interfere with EFLAGS, and within our block.
1786 // If we've already decided to harden a non-load, we must have sunk
1787 // some other post-load hardened instruction to it and it must itself
1788 // be data-invariant.
1792 }
1794 // Otherwise, this is a load and the load component can't be data
1795 // invariant so check how this register is being used.
1806 // The load uses the register as part of its address making it not
1807 // invariant.
1811 }
1814 // We already have a single use, this would make two. Bail.
1817 // If this single use isn't data invariant, isn't in this block, or has
1818 // interfering EFLAGS, we can't sink the hardening to it.
1823 // If this instruction defines multiple registers bail as we won't harden
1824 // all of them.
1828 // If this register isn't a virtual register we can't walk uses of sanely,
1829 // just bail. Also check that its register class is one of the ones we
1830 // can harden.
1836 }
1838 // If SingleUseMI is still null, there is no use that needs its own
1839 // checking. Otherwise, it is the single use that needs checking.
1841 };
1845 // Update which MI we're checking now.
1849 }
1852 }
1855 // We only support hardening virtual registers.
1862 // We don't support post-load hardening of vectors.
1868 // If this register class is explicitly constrained to a class that doesn't
1869 // require REX prefix, we may not be able to satisfy that constraint when
1870 // emitting the hardening instructions, so bail out here.
1871 // FIXME: This seems like a pretty lame hack. The way this comes up is when we
1872 // end up both with a NOREX and REX-only register as operands to the hardening
1873 // instructions. It would be better to fix that code to handle this situation
1874 // rather than hack around it in this way.
1885 }
1887 /// Harden a value in a register.
1888 ///
1889 /// This is the low-level logic to fully harden a value sitting in a register
1890 /// against leaking during speculative execution.
1891 ///
1892 /// Unlike hardening an address that is used by a load, this routine is required
1893 /// to hide *all* incoming bits in the register.
1894 ///
1895 /// `Reg` must be a virtual register. Currently, it is required to be a GPR no
1896 /// larger than the predicate state register. FIXME: We should support vector
1897 /// registers here by broadcasting the predicate state.
1898 ///
1899 /// The new, hardened virtual register is returned. It will have the same
1900 /// register class as `Reg`.
1912 // FIXME: Need to teach this about 32-bit mode.
1920 }
1940 }
1942 /// Harden a load by hardening the loaded value in the defined register.
1943 ///
1944 /// We can harden a non-leaking load into a register without touching the
1945 /// address by just hiding all of the loaded bits during misspeculation. We use
1946 /// an `or` instruction to do this because we set up our poison value as all
1947 /// ones. And the goal is just for the loaded bits to not be exposed to
1948 /// execution and coercing them to one is sufficient.
1949 ///
1950 /// Returns the newly hardened register.
1959 // Because we want to completely replace the uses of this def'ed value with
1960 // the hardened value, create a dedicated new register that will only be used
1961 // to communicate the unhardened value to the hardening.
1965 // Now harden this register's value, getting a hardened reg that is safe to
1966 // use. Note that we insert the instructions to compute this *after* the
1967 // defining instruction, not before it.
1971 // Finally, replace the old register (which now only has the uses of the
1972 // original def) with the hardened register.
1977 }
1979 /// Harden a return instruction.
1980 ///
1981 /// Returns implicitly perform a load which we need to harden. Without hardening
1982 /// this load, an attacker my speculatively write over the return address to
1983 /// steer speculation of the return to an attacker controlled address. This is
1984 /// called Spectre v1.1 or Bounds Check Bypass Store (BCBS) and is described in
1985 /// this paper:
1986 /// https://people.csail.mit.edu/vlk/spectre11.pdf
1987 ///
1988 /// We can harden this by introducing an LFENCE that will delay any load of the
1989 /// return address until prior instructions have retired (and thus are not being
1990 /// speculated), or we can harden the address used by the implicit load: the
1991 /// stack pointer.
1992 ///
1993 /// If we are not using an LFENCE, hardening the stack pointer has an additional
1994 /// benefit: it allows us to pass the predicate state accumulated in this
1995 /// function back to the caller. In the absence of a BCBS attack on the return,
1996 /// the caller will typically be resumed and speculatively executed due to the
1997 /// Return Stack Buffer (RSB) prediction which is very accurate and has a high
1998 /// priority. It is possible that some code from the caller will be executed
1999 /// speculatively even during a BCBS-attacked return until the steering takes
2000 /// effect. Whenever this happens, the caller can recover the (poisoned)
2001 /// predicate state from the stack pointer and continue to harden loads.
2008 // No need to fence here as we'll fence at the return site itself. That
2009 // handles more cases than we can handle here.
2012 // Take our predicate state, shift it to the high 17 bits (so that we keep
2013 // pointers canonical) and merge it into RSP. This will allow the caller to
2014 // extract it when we return (speculatively).
2016 }
2018 /// Trace the predicate state through a call.
2019 ///
2020 /// There are several layers of this needed to handle the full complexity of
2021 /// calls.
2022 ///
2023 /// First, we need to send the predicate state into the called function. We do
2024 /// this by merging it into the high bits of the stack pointer.
2025 ///
2026 /// For tail calls, this is all we need to do.
2027 ///
2028 /// For calls where we might return and resume the control flow, we need to
2029 /// extract the predicate state from the high bits of the stack pointer after
2030 /// control returns from the called function.
2031 ///
2032 /// We also need to verify that we intended to return to this location in the
2033 /// code. An attacker might arrange for the processor to mispredict the return
2034 /// to this valid but incorrect return address in the program rather than the
2035 /// correct one. See the paper on this attack, called "ret2spec" by the
2036 /// researchers, here:
2037 /// https://christian-rossow.de/publications/ret2spec-ccs2018.pdf
2038 ///
2039 /// The way we verify that we returned to the correct location is by preserving
2040 /// the expected return address across the call. One technique involves taking
2041 /// advantage of the red-zone to load the return address from `8(%rsp)` where it
2042 /// was left by the RET instruction when it popped `%rsp`. Alternatively, we can
2043 /// directly save the address into a register that will be preserved across the
2044 /// call. We compare this intended return address against the address
2045 /// immediately following the call (the observed return address). If these
2046 /// mismatch, we have detected misspeculation and can poison our predicate
2047 /// state.
2057 // Tail call, we don't return to this function.
2058 // FIXME: We should also handle noreturn calls.
2061 // We don't need to fence before the call because the function should fence
2062 // in its entry. However, we do need to fence after the call returns.
2063 // Fencing before the return doesn't correctly handle cases where the return
2064 // itself is mispredicted.
2069 }
2071 // First, we transfer the predicate state into the called function by merging
2072 // it into the stack pointer. This will kill the current def of the state.
2076 // If this call is also a return, it is a tail call and we don't need anything
2077 // else to handle it so just return. Also, if there are no further
2078 // instructions and no successors, this call does not return so we can also
2079 // bail.
2083 // Create a symbol to track the return address and attach it to the call
2084 // machine instruction. We will lower extra symbols attached to call
2085 // instructions as label immediately following the call.
2094 // If we have no red zones or if the function returns twice (possibly without
2095 // using the `ret` instruction) like setjmp, we need to save the expected
2096 // return address prior to the call.
2099 // If we don't have red zones, we need to compute the expected return
2100 // address prior to the call and store it in a register that lives across
2101 // the call.
2102 //
2103 // In some ways, this is doubly satisfying as a mitigation because it will
2104 // also successfully detect stack smashing bugs in some cases (typically,
2105 // when a callee-saved register is used and the callee doesn't push it onto
2106 // the stack). But that isn't our primary goal, so we only use it as
2107 // a fallback.
2108 //
2109 // FIXME: It isn't clear that this is reliable in the face of
2110 // rematerialization in the register allocator. We somehow need to force
2111 // that to not occur for this particular instruction, and instead to spill
2112 // or otherwise preserve the value computed *prior* to the call.
2113 //
2114 // FIXME: It is even less clear why MachineCSE can't just fold this when we
2115 // end up having to use identical instructions both before and after the
2116 // call to feed the comparison.
2129 }
2130 }
2132 // Step past the call to handle when it returns.
2135 // If we didn't pre-compute the expected return address into a register, then
2136 // red zones are enabled and the return address is still available on the
2137 // stack immediately after the call. As the very first instruction, we load it
2138 // into a register.
2146 // the return address is 8-bytes past it.
2148 }
2150 // Now we extract the callee's predicate state from the stack pointer.
2153 // Test the expected return address against our actual address. If we can
2154 // form this basic block's address as an immediate, this is easy. Otherwise
2155 // we compute it.
2158 // FIXME: Could we fold this with the load? It would require careful EFLAGS
2159 // management.
2174 }
2176 // Now conditionally update the predicate state we just extracted if we ended
2177 // up at a different return address than expected.
2191 }
2193 /// An attacker may speculatively store over a value that is then speculatively
2194 /// loaded and used as the target of an indirect call or jump instruction. This
2195 /// is called Spectre v1.2 or Bounds Check Bypass Store (BCBS) and is described
2196 /// in this paper:
2197 /// https://people.csail.mit.edu/vlk/spectre11.pdf
2198 ///
2199 /// When this happens, the speculative execution of the call or jump will end up
2200 /// being steered to this attacker controlled address. While most such loads
2201 /// will be adequately hardened already, we want to ensure that they are
2202 /// definitively treated as needing post-load hardening. While address hardening
2203 /// is sufficient to prevent secret data from leaking to the attacker, it may
2204 /// not be sufficient to prevent an attacker from steering speculative
2205 /// execution. We forcibly unfolded all relevant loads above and so will always
2206 /// have an opportunity to post-load harden here, we just need to scan for cases
2207 /// not already flagged and add them.
2218 // We don't need to harden either far calls or far jumps as they are
2219 // safe from Spectre.
2224 }
2226 // We should never see a loading instruction at this point, as those should
2227 // have been unfolded.
2230 // If the first operand isn't a register, this is a branch or call
2231 // instruction with an immediate operand which doesn't need to be hardened.
2235 // For all of these, the target register is the first operand of the
2236 // instruction.
2240 // Try to lookup a hardened version of this register. We retain a reference
2241 // here as we want to update the map to track any newly computed hardened
2242 // register.
2245 // If we don't have a hardened register yet, compute one. Otherwise, just use
2246 // the already hardened register.
2247 //
2248 // FIXME: It is a little suspect that we use partially hardened registers that
2249 // only feed addresses. The complexity of partial hardening with SHRX
2250 // continues to pile up. Should definitively measure its value and consider
2251 // eliminating it.
2256 // Set the target operand to the hardened register.
2260 }
2269 }