Project Ortega BCM5719 LLVM https://git.raptorcs.com/git/bcm5719-llvm/atom?h=meklort-10.0.1 2020-07-07T16:21:37+00:00 2020-07-07T16:21:37+00:00 Hubert Tong hubert.reinterpretcast@gmail.com 2020-05-01T02:18:54+00:00 urn:sha1:ef32c611aa214dea855364efd7ba451ec5ec3f74 (cherry picked from commit 0e8608b3c38886c224d252c6b126c804645b7761) 2020-07-06T22:40:20+00:00 Hubert Tong hubert.reinterpretcast@gmail.com 2020-05-01T02:04:02+00:00 urn:sha1:70919a46facce7f232cf8bc1f2e4b6455abe01d5 (cherry picked from commit d73eed42d1dcba06a5b793346f6e3eed0c7f41ac) 2020-06-24T16:31:04+00:00 Scott Constable scott.d.constable@intel.com 2020-06-18T03:02:08+00:00 urn:sha1:d24d5c8e308e689dcd83cbafd2e8bd32aa845a15 2020-06-24T16:31:04+00:00 Scott Constable scott.d.constable@intel.com 2020-06-10T22:31:47+00:00 urn:sha1:72bff7855d8ce42b831922a51763f9a0732bd473 @nikic raised an issue on D75936 that the added complexity to the O0 pipeline was causing noticeable slowdowns for `-O0` builds. This patch addresses the issue by adding a pass with equal security properties, but without any optimizations (and more importantly, without the need for expensive analysis dependencies). Reviewers: nikic, craig.topper, mattdr Reviewed By: craig.topper, mattdr Differential Revision: https://reviews.llvm.org/D80964 2020-06-24T16:31:04+00:00 Scott Constable scott.d.constable@intel.com 2020-05-11T18:30:55+00:00 urn:sha1:8aa8abae349dc1607884c24ca3b685d4c7d597d1 After finding all such gadgets in a given function, the pass minimally inserts LFENCE instructions in such a manner that the following property is satisfied: for all SOURCE+SINK pairs, all paths in the CFG from SOURCE to SINK contain at least one LFENCE instruction. The algorithm that implements this minimal insertion is influenced by an academic paper that minimally inserts memory fences for high-performance concurrent programs: http://www.cs.ucr.edu/~lesani/companion/oopsla15/OOPSLA15.pdf The algorithm implemented in this pass is as follows: 1. Build a condensed CFG (i.e., a GadgetGraph) consisting only of the following components: -SOURCE instructions (also includes function arguments) -SINK instructions -Basic block entry points -Basic block terminators -LFENCE instructions 2. Analyze the GadgetGraph to determine which SOURCE+SINK pairs (i.e., gadgets) are already mitigated by existing LFENCEs. If all gadgets have been mitigated, go to step 6. 3. Use a heuristic or plugin to approximate minimal LFENCE insertion. 4. Insert one LFENCE along each CFG edge that was cut in step 3. 5. Go to step 2. 6. If any LFENCEs were inserted, return true from runOnFunction() to tell LLVM that the function was modified. By default, the heuristic used in Step 3 is a greedy heuristic that avoids inserting LFENCEs into loops unless absolutely necessary. There is also a CLI option to load a plugin that can provide even better optimization, inserting fewer fences, while still mitigating all of the LVI gadgets. The plugin can be found here: https://github.com/intel/lvi-llvm-optimization-plugin, and a description of the pass's behavior with the plugin can be found here: https://software.intel.com/security-software-guidance/insights/optimized-mitigation-approach-load-value-injection. Differential Revision: https://reviews.llvm.org/D75937 2020-06-24T16:31:04+00:00 Scott Constable scott.d.constable@intel.com 2020-05-11T17:25:35+00:00 urn:sha1:363720c2b0f60b512c5f5b8bfbf010f86d078152 Adds a new data structure, ImmutableGraph, and uses RDF to find LVI gadgets and add them to a MachineGadgetGraph. More specifically, a new X86 machine pass finds Load Value Injection (LVI) gadgets consisting of a load from memory (i.e., SOURCE), and any operation that may transmit the value loaded from memory over a covert channel, or use the value loaded from memory to determine a branch/call target (i.e., SINK). Also adds a new target feature to X86: +lvi-load-hardening The feature can be added via the clang CLI using -mlvi-hardening. Differential Revision: https://reviews.llvm.org/D75936 2020-06-24T16:31:04+00:00 Craig Topper craig.topper@intel.com 2020-04-03T23:54:38+00:00 urn:sha1:d758416a9152a9c7e41671493ae4f77a0dfc1993 This reverts commit c74dd640fd740c6928f66a39c7c15a014af3f66f. Reverting to address coding standard issues raised in post-commit review. 2020-06-24T16:31:04+00:00 Craig Topper craig.topper@intel.com 2020-04-03T23:54:04+00:00 urn:sha1:5bc4d476f344e39d80df1c6df01279523adb83ef This reverts commit 62c42e29ba43c9d79cd5bd2084b641fbff6a96d5 Reverting to address coding standard issues raised in post-commit review. 2020-06-24T16:31:04+00:00 Scott Constable scott.d.constable@intel.com 2020-04-03T20:41:34+00:00 urn:sha1:2530f4e0ce44b5641ad00019dc946dba59adcf77 After finding all such gadgets in a given function, the pass minimally inserts LFENCE instructions in such a manner that the following property is satisfied: for all SOURCE+SINK pairs, all paths in the CFG from SOURCE to SINK contain at least one LFENCE instruction. The algorithm that implements this minimal insertion is influenced by an academic paper that minimally inserts memory fences for high-performance concurrent programs: http://www.cs.ucr.edu/~lesani/companion/oopsla15/OOPSLA15.pdf The algorithm implemented in this pass is as follows: 1. Build a condensed CFG (i.e., a GadgetGraph) consisting only of the following components: -SOURCE instructions (also includes function arguments) -SINK instructions -Basic block entry points -Basic block terminators -LFENCE instructions 2. Analyze the GadgetGraph to determine which SOURCE+SINK pairs (i.e., gadgets) are already mitigated by existing LFENCEs. If all gadgets have been mitigated, go to step 6. 3. Use a heuristic or plugin to approximate minimal LFENCE insertion. 4. Insert one LFENCE along each CFG edge that was cut in step 3. 5. Go to step 2. 6. If any LFENCEs were inserted, return true from runOnFunction() to tell LLVM that the function was modified. By default, the heuristic used in Step 3 is a greedy heuristic that avoids inserting LFENCEs into loops unless absolutely necessary. There is also a CLI option to load a plugin that can provide even better optimization, inserting fewer fences, while still mitigating all of the LVI gadgets. The plugin can be found here: https://github.com/intel/lvi-llvm-optimization-plugin, and a description of the pass's behavior with the plugin can be found here: https://software.intel.com/security-software-guidance/insights/optimized-mitigation-approach-load-value-injection. Differential Revision: https://reviews.llvm.org/D75937 2020-06-24T16:31:04+00:00 Scott Constable scott.d.constable@intel.com 2020-04-03T19:12:51+00:00 urn:sha1:e3ba468fc3c123880cfd03dfbc9d1ed61d5904c6 Adds a new data structure, ImmutableGraph, and uses RDF to find LVI gadgets and add them to a MachineGadgetGraph. More specifically, a new X86 machine pass finds Load Value Injection (LVI) gadgets consisting of a load from memory (i.e., SOURCE), and any operation that may transmit the value loaded from memory over a covert channel, or use the value loaded from memory to determine a branch/call target (i.e., SINK). Also adds a new target feature to X86: +lvi-load-hardening The feature can be added via the clang CLI using -mlvi-hardening. Differential Revision: https://reviews.llvm.org/D75936