diff options
| author | Chandler Carruth <chandlerc@gmail.com> | 2018-09-04 12:38:00 +0000 |
|---|---|---|
| committer | Chandler Carruth <chandlerc@gmail.com> | 2018-09-04 12:38:00 +0000 |
| commit | 664aa868f57119e06dd56ad90625219ad1bb973a (patch) | |
| tree | 5205c5040e30542ca94c1c344cd8911b29d25d33 /llvm/docs/LangRef.rst | |
| parent | 9875ae48e4d32cdabfbc5d004b82cf854c53eddb (diff) | |
| download | bcm5719-llvm-664aa868f57119e06dd56ad90625219ad1bb973a.tar.gz bcm5719-llvm-664aa868f57119e06dd56ad90625219ad1bb973a.zip | |
[x86/SLH] Add a real Clang flag and LLVM IR attribute for Speculative
Load Hardening.
Wires up the existing pass to work with a proper IR attribute rather
than just a hidden/internal flag. The internal flag continues to work
for now, but I'll likely remove it soon.
Most of the churn here is adding the IR attribute. I talked about this
Kristof Beyls and he seemed at least initially OK with this direction.
The idea of using a full attribute here is that we *do* expect at least
some forms of this for other architectures. There isn't anything
*inherently* x86-specific about this technique, just that we only have
an implementation for x86 at the moment.
While we could potentially expose this as a Clang-level attribute as
well, that seems like a good question to defer for the moment as it
isn't 100% clear whether that or some other programmer interface (or
both?) would be best. We'll defer the programmer interface side of this
for now, but at least get to the point where the feature can be enabled
without relying on implementation details.
This also allows us to do something that was really hard before: we can
enable *just* the indirect call retpolines when using SLH. For x86, we
don't have any other way to mitigate indirect calls. Other architectures
may take a different approach of course, and none of this is surfaced to
user-level flags.
Differential Revision: https://reviews.llvm.org/D51157
llvm-svn: 341363
Diffstat (limited to 'llvm/docs/LangRef.rst')
| -rw-r--r-- | llvm/docs/LangRef.rst | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/llvm/docs/LangRef.rst b/llvm/docs/LangRef.rst index 167a33e7c3d..2aba2077653 100644 --- a/llvm/docs/LangRef.rst +++ b/llvm/docs/LangRef.rst @@ -1636,6 +1636,28 @@ example: This attribute indicates that HWAddressSanitizer checks (dynamic address safety analysis based on tagged pointers) are enabled for this function. +``speculative_load_hardening`` + This attribute indicates that + `Speculative Load Hardening <https://llvm.org/docs/SpeculativeLoadHardening.html>`_ + should be enabled for the function body. This is a best-effort attempt to + mitigate all known speculative execution information leak vulnerabilities + that are based on the fundamental principles of modern processors' + speculative execution. These vulnerabilities are classified as "Spectre + variant #1" vulnerabilities typically. Notably, this does not attempt to + mitigate any vulnerabilities where the speculative execution and/or + prediction devices of specific processors can be *completely* undermined + (such as "Branch Target Injection", a.k.a, "Spectre variant #2"). Instead, + this is a target-independent request to harden against the completely + generic risk posed by speculative execution to incorrectly load secret data, + making it available to some micro-architectural side-channel for information + leak. For a processor without any speculative execution or predictors, this + is expected to be a no-op. + + When inlining, the attribute is sticky. Inlining a function that carries + this attribute will cause the caller to gain the attribute. This is intended + to provide a maximally conservative model where the code in a function + annotated with this attribute will always (even after inlining) end up + hardened. ``speculatable`` This function attribute indicates that the function does not have any effects besides calculating its result and does not have undefined behavior. |
