Page MenuHomePhabricator

[mips] Spectre variant two mitigation for MIPSR2
ClosedPublic

Authored by sdardis on Feb 19 2018, 2:52 PM.

Details

Summary

This patch provides mitigation for CVE-2017-5715, Spectre variant two,
which affects the P5600 and P6600. It implements the LLVM part of
-mindirect-jump=hazard. It is _not_ enabled by default for the P5600.

The migitation strategy suggested by MIPS for these processors is to use
hazard barrier instructions. 'jalr.hb' and 'jr.hb' are hazard
barrier variants of the 'jalr' and 'jr' instructions respectively.

These instructions impede the execution of instruction stream until
architecturally defined hazards (changes to the instruction stream,
privileged registers which may affect execution) are cleared. These
instructions in MIPS' designs are not speculated past.

These instructions are used with the attribute +use-indirect-jump-hazard
when branching indirectly and for indirect function calls.

These instructions are defined by the MIPS32R2 ISA, so this mitigation
method is not compatible with processors which implement an earlier
revision of the MIPS ISA.

Performance benchmarking of this option with -fpic and lld using
-z hazardplt shows a difference of overall 10%~ time increase
for the LLVM testsuite. Certain benchmarks such as methcall show a
substantially larger increase in time due to their nature.

Diff Detail

Repository
rL LLVM

Event Timeline

sdardis created this revision.Feb 19 2018, 2:52 PM
sdardis edited the summary of this revision. (Show Details)Feb 19 2018, 2:56 PM
atanasyan added inline comments.Feb 20 2018, 5:19 AM
lib/Target/Mips/MipsLongBranch.cpp
389 ↗(On Diff #134973)

Just to check that I understand the code above properly - in case of targeting mips32r6 and using the +use-indirect-jump-hazard feature we will emit the jr.hb instruction and fill up the dealt slot. Right?

sdardis added inline comments.Feb 20 2018, 5:34 AM
lib/Target/Mips/MipsLongBranch.cpp
389 ↗(On Diff #134973)

Yes. For mips32r6 and +use-indirect-jump-hazard we don't use a compact branch, we use a jr.hb and fill the delay slot.

Also, that JR_HB needs another check for mips32r6 to use the correct encoding.

This revision is now accepted and ready to land.Feb 20 2018, 6:11 AM
sdardis updated this revision to Diff 135046.Feb 20 2018, 6:48 AM

Fixed jump encodings used in the long branch pass.
Added -verify-machineinstrs to the relevant ll tests.

sdardis edited the summary of this revision. (Show Details)Feb 20 2018, 4:02 PM
This revision was automatically updated to reflect the committed changes.

Thanks for the review.