Commit Graph

2 Commits

Author SHA1 Message Date
Chandler Carruth 219888d1b2 [x86/SLH] Teach SLH to harden against the "ret2spec" attack by
implementing the proposed mitigation technique described in the original
design document.

The idea is to check after calls that the return address used to arrive
at that location is in fact the correct address. In the event of
a mis-predicted return which reaches a *valid* return but not the
*correct* return, this will detect the mismatch much like it would
a mispredicted conditional branch.

This is the last published attack vector that I am aware of in the
Spectre v1 space which is not mitigated by SLH+retpolines. However,
don't read *too* much into that: this is an area of ongoing research
where we expect more issues to be discovered in the future, and it also
makes no attempt to mitigate Spectre v4. Still, this is an important
completeness bar for SLH.

The change here is of course delightfully simple. It was predicated on
cutting support for post-instruction symbols into LLVM which was not at
all simple. Many thanks to Hal Finkel, Reid Kleckner, and Justin Bogner
who helped me figure out how to do a bunch of the complex changes
involved there.

Differential Revision: https://reviews.llvm.org/D50837

llvm-svn: 341358
2018-09-04 10:59:10 +00:00
Chandler Carruth f244fada16 [x86/SLH] Add the design document for Speculative Load Hardening,
a Spectre v1 mitigation.

This was initially posted w/ the patch implementing this, got some basic
review there. Also, it is generated from a the Google doc that I shared
as part of the Speculative Load Hardening RFC and which has seen pretty
widespread review at this point.

However, as the patches are landing in LLVM, I wanted to land the docs
as well. But it seemed like a bad idea to have them in the same commit
in case of reverts or other things. So the docs are split out here.

Thanks for all the review so far, and further review and improvements to
the documentation here welcome. Please feel free to keep hammering on
the code review or Google document.

Note that this is a markdown document which Sphinx doesn't yet process.
But we can add support for that after and this should get picked up
(and I'm preparing patches for that). Also, this gets the document
itself into a nice shared place where we can iterate on it.

Differential Revision: https://reviews.llvm.org/D49433

llvm-svn: 337391
2018-07-18 14:05:14 +00:00