From patchwork Fri Jul 27 09:37:44 2018
From: Richard Earnshaw
To: gcc-patches@gcc.gnu.org
Cc: Richard Earnshaw, andrew@codesourcery.com, andrew@sifive.com, aoliva@redhat.com, augustine.sterling@gmail.com, bernds_cb1@t-online.de, chertykov@gmail.com, cltang@codesourcery.com, dave.anglin@bell.net, davem@redhat.com, dje.gcc@gmail.com, eager@eagercon.com, ebotcazou@libertysurf.fr, gnu@amylaar.uk, green@moxielogic.com, hepenner@us.ibm.com, hp@axis.com, hp@bitrange.com, hubicka@ucw.cz, james.bowman@ftdichip.com, jasonwucj@gmail.com, jimw@sifive.com, jzhang918@gmail.com, kito.cheng@gmail.com, krebbel@linux.ibm.com, law@redhat.com, matt@3am-software.com, mfortune@gmail.com, ni1d@arrl.net, nickc@redhat.com, olegendo@gcc.gnu.org, palmer@sifive.com, rth@twiddle.net, sandra@codesourcery.com, schwab@linux-m68k.org, sebastien@milkymist.org, segher@kernel.crashing.org, shiva0217@gmail.com, tdevries@suse.de, trevor_smigiel@playstation.sony.com, ubizjak@gmail.com, uweigand@de.ibm.com, walt@tilera.com, wilson@tuliptree.org
Subject: [PATCH 00/11] (v2) Mitigation against unsafe data speculation (CVE-2017-5753)
Date: Fri, 27 Jul 2018 10:37:44 +0100
Message-Id: <1532684275-13041-1-git-send-email-Richard.Earnshaw@arm.com>
In-Reply-To: <1531154299-28349-1-git-send-email-Richard.Earnshaw@arm.com>
References: <1531154299-28349-1-git-send-email-Richard.Earnshaw@arm.com>

Port Maintainers: You need to decide what action is required for your port to handle speculative execution, even if that action is to use the trivial no-speculation on this architecture. You must also consider whether or not a future implementation of your architecture might need to deal with this in making that decision.

The patches I posted earlier this year for mitigating against CVE-2017-5753 (Spectre variant 1) attracted some useful feedback, from which it became obvious that a rethink was needed. This mail, and the following patches, attempt to address that feedback and present a new approach to mitigating against this form of attack surface.

There were two major issues with the original approach:

- The speculation bounds were too tightly constrained - essentially they had to represent an upper and lower bound on a pointer, or a pointer offset.

- The speculation constraints could only cover the immediately preceding branch, which often did not fit well with the structure of the existing code.

An additional criticism was that the shape of the intrinsic did not fit particularly well with systems that used a single speculation barrier that essentially had to wait until all preceding speculation had been resolved.

To address all of the above, these patches adopt a new approach, based in part on a posting by Chandler Carruth to the LLVM developers list (https://lists.llvm.org/pipermail/llvm-dev/2018-March/122085.html), but which we have extended to deal with inter-function speculation. The patches divide the problem into two halves.
The first half is some target-specific code to track the speculation condition through the generated code to provide an internal variable which can tell us whether or not the CPU's control flow speculation matches the data flow calculations. The idea is that the internal variable starts with the value TRUE and if the CPU's control flow speculation ever causes a jump to the wrong block of code the variable becomes false until such time as the incorrect control flow speculation gets unwound.

The second half is that a new intrinsic function is introduced that is much simpler than we had before. The basic version of the intrinsic is now simply:

  T var = __builtin_speculation_safe_value (T unsafe_var);

Full details of the syntax can be found in the documentation patch, in patch 1. In summary, when not speculating the intrinsic returns unsafe_var; when speculating then if it can be shown that the speculative flow has diverged from the intended control flow then zero is returned. An optional second argument can be used to return an alternative value to zero. The builtin may cause execution to pause until the speculation state is resolved.

There are eleven patches in this set, as follows.

 1) Introduces the new intrinsic __builtin_speculation_safe_value.
 2) Adds a basic hard barrier implementation for AArch32 (arm) state.
 3) Adds a basic hard barrier implementation for AArch64 state.
 4) Adds a new command-line option -mtrack-speculation (currently a no-op).
 5) Disables CB[N]Z and TB[N]Z when -mtrack-speculation.
 6) Adds the new speculation tracking pass for AArch64.
 7) Uses the new speculation tracking pass to generate CSDB-based barrier sequences.
 8) Provides an alternative hook implementation for use on targets that never speculatively execute.
 9) Provides a trivial example of using that hook in the pdp11 backend.
10) Provides a possible implementation of the hard barrier for x86.
11) Updates the PowerPC backend which already had a suitable barrier under a different name.
I haven't added a speculation-tracking pass for AArch32 at this time. It is possible to do this, but would require quite a lot of rework for the arm backend due to the limited number of registers that are available.

Although patch 6 is AArch64 specific, I'd appreciate a review from someone more familiar with the branch edge code than myself. There appear to be a number of tricky issues with more complex edges so I'd like a second opinion on that code in case I've missed an important case.

R.

Richard Earnshaw (11):
  Add __builtin_speculation_safe_value
  Arm - add speculation_barrier pattern
  AArch64 - add speculation barrier
  AArch64 - Add new option -mtrack-speculation
  AArch64 - disable CB[N]Z TB[N]Z when tracking speculation
  AArch64 - new pass to add conditional-branch speculation tracking
  AArch64 - use CSDB based sequences if speculation tracking is enabled
  targhooks - provide an alternative hook for targets that never execute speculatively
  pdp11 - example of a port not needing a speculation barrier
  x86 - add speculation_barrier pattern
  rs6000 - add speculation_barrier pattern

 gcc/builtin-attrs.def                       |   2 +
 gcc/builtin-types.def                       |   6 +
 gcc/builtins.c                              |  60 ++++
 gcc/builtins.def                            |  22 ++
 gcc/c-family/c-common.c                     | 164 +++++++++
 gcc/c-family/c-cppbuiltin.c                 |   7 +-
 gcc/config.gcc                              |   2 +-
 gcc/config/aarch64/aarch64-passes.def       |   1 +
 gcc/config/aarch64/aarch64-protos.h         |   3 +-
 gcc/config/aarch64/aarch64-speculation.cc   | 494 ++++++++++++++++++++++++++++
 gcc/config/aarch64/aarch64.c                |  94 +++++-
 gcc/config/aarch64/aarch64.md               | 141 +++++++-
 gcc/config/aarch64/aarch64.opt              |   4 +
 gcc/config/aarch64/iterators.md             |   3 +
 gcc/config/aarch64/t-aarch64                |  10 +
 gcc/config/arm/arm.md                       |  21 ++
 gcc/config/arm/unspecs.md                   |   1 +
 gcc/config/i386/i386.md                     |  10 +
 gcc/config/pdp11/pdp11.c                    |   3 +
 gcc/config/rs6000/rs6000.c                  |   2 +-
 gcc/config/rs6000/rs6000.md                 |   2 +-
 gcc/doc/cpp.texi                            |   4 +
 gcc/doc/extend.texi                         |  91 +++++
 gcc/doc/invoke.texi                         |  10 +-
 gcc/doc/md.texi                             |  15 +
 gcc/doc/tm.texi                             |  36 ++
 gcc/doc/tm.texi.in                          |   4 +
 gcc/target.def                              |  40 +++
 gcc/targhooks.c                             |  39 +++
 gcc/targhooks.h                             |   4 +
 gcc/testsuite/c-c++-common/spec-barrier-1.c |  38 +++
 gcc/testsuite/c-c++-common/spec-barrier-2.c |  17 +
 gcc/testsuite/gcc.dg/spec-barrier-3.c       |  13 +
 33 files changed, 1350 insertions(+), 13 deletions(-)
 create mode 100644 gcc/config/aarch64/aarch64-speculation.cc
 create mode 100644 gcc/testsuite/c-c++-common/spec-barrier-1.c
 create mode 100644 gcc/testsuite/c-c++-common/spec-barrier-2.c
 create mode 100644 gcc/testsuite/gcc.dg/spec-barrier-3.c

-- 
2.7.4
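Editor's added example (not part of Richard Earnshaw's series or of GCC's own test cases): the classic Spectre variant 1 bounds-check gadget the cover letter is mitigating, shown first as it is usually written and then hardened with the one- and two-argument forms of __builtin_speculation_safe_value described above. GCC 9 and later ship the intrinsic and define __HAVE_SPECULATION_SAFE_VALUE when it is available; the fallback branch for other compilers is an assumption made only so the file builds everywhere, and it provides no mitigation. The 64-byte cache line, the table contents and the probe buffer are constructed sample data.

```c
/* Added example, not from the patch series: the Spectre v1 gadget and its
   __builtin_speculation_safe_value-hardened form.  Build with GCC 9+ to
   get the real intrinsic (on AArch64 with -mtrack-speculation you get the
   CSDB-based sequence, elsewhere the target's hard barrier).  */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 64-byte cache line, so each possible secret byte value maps
   to its own line in PROBE (the side channel a Spectre v1 attacker measures).  */
#define STRIDE     64
#define TABLE_LEN  16

/* Constructed sample data.  In a real victim the bytes that follow TABLE in
   memory would be the secret that an out-of-bounds read exposes.  */
static const uint8_t table[TABLE_LEN] = {
  0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
  0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
};
static uint8_t probe[256 * STRIDE];

/* GCC 9+ defines __HAVE_SPECULATION_SAFE_VALUE when the intrinsic exists.
   Assumption, for portability of this example only: other compilers fall
   back to the plain value so the file still builds.  That fallback is NOT
   a mitigation; it only keeps the example compilable.  */
#ifdef __HAVE_SPECULATION_SAFE_VALUE
#  define SPEC_SAFE(v)        __builtin_speculation_safe_value (v)
#  define SPEC_SAFE_OR(v, f)  __builtin_speculation_safe_value ((v), (f))
#else
#  define SPEC_SAFE(v)        (v)
#  define SPEC_SAFE_OR(v, f)  ((void) (f), (v))
#endif

/* Fill PROBE so that probe[b * STRIDE] == b; returns the number of lines set.  */
int init_probe (void)
{
  for (unsigned b = 0; b < 256; b++)
    probe[b * STRIDE] = (uint8_t) b;
  return 256;
}

/* Vulnerable shape.  The bounds check is architecturally correct, but a CPU
   that mispredicts it runs the body with an attacker-chosen out-of-range
   index; table[idx] then reads past the array and the dependent load from
   probe[] leaves a cache footprint that reveals the byte.  */
int gadget_unprotected (size_t untrusted_index)
{
  if (untrusted_index < TABLE_LEN)
    return probe[table[untrusted_index] * STRIDE];
  return -1;
}

/* Hardened with the one-argument form.  On the non-speculative path the
   intrinsic returns the index unchanged; if the CPU reached this block by
   mispredicting the branch above, the index becomes 0 (or the core pauses
   until the branch resolves), so the out-of-range load never happens.  */
int gadget_protected (size_t untrusted_index)
{
  if (untrusted_index < TABLE_LEN)
    {
      size_t idx = SPEC_SAFE (untrusted_index);
      return probe[table[idx] * STRIDE];
    }
  return -1;
}

/* Two-argument form: choose the value substituted on divergence.  Here the
   index collapses to FALLBACK_INDEX, a known in-bounds slot, instead of 0.  */
int gadget_protected_failval (size_t untrusted_index, size_t fallback_index)
{
  if (untrusted_index < TABLE_LEN)
    {
      size_t idx = SPEC_SAFE_OR (untrusted_index, fallback_index);
      return probe[table[idx] * STRIDE];
    }
  return -1;
}

int main (void)
{
  init_probe ();
  /* Architecturally all three agree: the intrinsic is the identity on the
     non-speculative path, so hardening does not change the results.  */
  printf ("unprotected(3) = 0x%02x\n", gadget_unprotected (3));
  printf ("protected(3)   = 0x%02x\n", gadget_protected (3));
  printf ("failval(3, 0)  = 0x%02x\n", gadget_protected_failval (3, 0));
  printf ("protected(100) = %d\n", gadget_protected (100));
  return 0;
}
```

The point of the functional check in main is the property the cover letter states: when not speculating, the intrinsic returns unsafe_var, so correct programs keep their results and only the mis-speculated path changes. The intrinsic must be applied to the value that feeds the first out-of-bounds access (the index), not to the already-loaded byte; sanitising after the load would still let the speculative read happen. Whether the hardened function actually stalls or substitutes depends on the target's barrier, which is exactly what patches 2, 3, 7, 10 and 11 provide per port.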