This is an archive of the discontinued LLVM Phabricator instance.

Differential D75944

[x86][seses] Don't LFENCE data invariant insts
Needs ReviewPublic

Authored by zbrid on Mar 10 2020, 10:13 AM.

Details

Reviewers
craig.topper
jyknight
george.burgess.iv
Summary

Add a flag to the x86 Speculative Execution Side Effect Suppression Pass
that allows users to turn off LFENCEing data invariant instructions.

Note that the list currently used by this flag does not include
information about vector instructions. That information can be added in
the future with no issues. The fact those instructions have not been
added to this list mean that it's also likely that the improvements
shown in the following performance data is understated.

This is a part of a set of flags that can be used to experiment with
optimizing this mitigation for Load Value Injection.

One pager on Load Value Injection:
https://software.intel.com/security-software-guidance/software-guidance/load-value-injection

Deep dive on Load Value Injection:
https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection

Performance Testing Results

I ran the BoringSSL benchmarks which run many cryptographic operations
and reports the number of operations per second completed in a given
time.

Modified Mitigation vs Baseline
Geometric mean
0.129 (This can be read as the geomean ops/s of the mitigated program
was 12.9% of the ops/s of the unmitigated program. Similar below.)
Minimum
0.058
Quartile 1
0.104
Median
0.112
Quartile 3
0.139
Maximum
0.459

Fully Mitigated vs Baseline
Geometric mean
0.071
Minimum
0.041
Quartile 1
0.060
Median
0.063
Quartile 3
0.077
Maximum
0.230

Diff Detail

Event Timeline

zbrid created this revision.Mar 10 2020, 10:13 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 10 2020, 10:13 AM
Herald added subscribers: llvm-commits, jfb, hiraditya. · View Herald Transcript
zbrid added a comment.Mar 10 2020, 10:15 AM

I'll note that this patch doesn't have a test because I couldn't figure out how to write some LLVM IR that lowered to MIR that included a function in the list of data invariant functions in X86InstrInfo. Any tips there would be appreciated!

zbrid added a reviewer: craig.topper.Mar 10 2020, 10:15 AM
zbrid added reviewers: jyknight, george.burgess.iv.Mar 10 2020, 10:24 AM
Harbormaster completed remote builds in B48715: Diff 249438.Mar 10 2020, 10:53 AM
craig.topper added inline comments.Mar 11 2020, 3:34 PM
llvm/lib/Target/X86/X86SpeculativeExecutionSideEffectSuppression.cpp
129

Don't the instructions that match isDataInvariantLoad still pull things into the cache?

sconstab mentioned this in D75939: [x86][seses] Introduce SESES pass for LVI.Mar 12 2020, 8:32 AM
zbrid added a parent revision: D75942: [x86][seses] No lfences in bb w/ 1 load and 0 stores.Mar 12 2020, 2:51 PM
zbrid marked an inline comment as done.Mar 16 2020, 11:15 AM
zbrid added inline comments.
llvm/lib/Target/X86/X86SpeculativeExecutionSideEffectSuppression.cpp
129

This may be true. I don't know. Data invariant instructions were supposed to be a stand in for a more specific "instructions that don't release info to side channels" and perhaps that's a very different thing. I think someone with better expertise than I have would need to evaluate whether this is a secure flag to set.

craig.topper added inline comments.Mar 16 2020, 1:02 PM
llvm/lib/Target/X86/X86SpeculativeExecutionSideEffectSuppression.cpp
129

I think this was only meant to capture instructions whose execution latency doesn't vary based on the data value. For example divide by a power of 2 takes a different number of cycles than division by other values.

Revision Contents

PathSize
llvm/
lib/
Target/
X86/
12 lines

Diff 249438

llvm/lib/Target/X86/X86SpeculativeExecutionSideEffectSuppression.cpp

Show First 20 LinesShow All 54 Lines▼ Show 20 Lines OmitLFENCEInBasicBlocksWithoutLoads("x86-seses-omit-lfence-in-bb-without-loads",
cl::desc("Omit LFENCE in basic blocks without any loads even if there are stores."), cl::desc("Omit LFENCE in basic blocks without any loads even if there are stores."),
cl::init(false), cl::Hidden); cl::init(false), cl::Hidden);
static cl::opt<bool> static cl::opt<bool>
OmitLFENCEInBasicBlocksWithOneLoadAndNoStores("x86-seses-omit-lfence-in-bb-with-one-load-no-stores", OmitLFENCEInBasicBlocksWithOneLoadAndNoStores("x86-seses-omit-lfence-in-bb-with-one-load-no-stores",
cl::desc("Don't LFENCE in basic blocks with one load and no stores."), cl::desc("Don't LFENCE in basic blocks with one load and no stores."),
cl::init(false), cl::Hidden); cl::init(false), cl::Hidden);
static cl::opt<bool> LFENCEDataInvariantInstructions(
"x86-seses-lfence-data-invariant-inst",
cl::desc("LFENCE before instructions that are data invariant."),
cl::init(true), cl::Hidden);
static bool hasConstantAddressingMode(const MachineInstr &MI); static bool hasConstantAddressingMode(const MachineInstr &MI);
namespace { namespace {
class X86SpeculativeExecutionSideEffectSuppressionPass class X86SpeculativeExecutionSideEffectSuppressionPass
: public MachineFunctionPass { : public MachineFunctionPass {
public: public:
X86SpeculativeExecutionSideEffectSuppressionPass() : MachineFunctionPass(ID) {} X86SpeculativeExecutionSideEffectSuppressionPass() : MachineFunctionPass(ID) {}
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines if (OmitLFENCEInBasicBlocksWithoutLoads || OmitLFENCEInBasicBlocksWithOneLoadAndNoStores) {
if (OmitLFENCEInBasicBlocksWithOneLoadAndNoStores && StoreCount == 0 && LoadCount <= 1) { if (OmitLFENCEInBasicBlocksWithOneLoadAndNoStores && StoreCount == 0 && LoadCount <= 1) {
continue; continue;
} }
} }
MachineInstr *FirstTerminator = nullptr; MachineInstr *FirstTerminator = nullptr;
for (auto &MI : MBB) { for (auto &MI : MBB) {
// If the current instruction is data invariant and we are not LFENCEing
// data invariant instructions, then continue to the next instruction.
if (!LFENCEDataInvariantInstructions &&
craig.topperUnsubmitted
Not Done
ReplyInline Actions

Don't the instructions that match isDataInvariantLoad still pull things into the cache?

craig.topper: Don't the instructions that match isDataInvariantLoad still pull things into the cache?
zbridAuthorUnsubmitted
Done
ReplyInline Actions

This may be true. I don't know. Data invariant instructions were supposed to be a stand in for a more specific "instructions that don't release info to side channels" and perhaps that's a very different thing. I think someone with better expertise than I have would need to evaluate whether this is a secure flag to set.

zbrid: This may be true. I don't know. Data invariant instructions were supposed to be a stand in for…
craig.topperUnsubmitted
Not Done
ReplyInline Actions

I think this was only meant to capture instructions whose execution latency doesn't vary based on the data value. For example divide by a power of 2 takes a different number of cycles than division by other values.

craig.topper: I think this was only meant to capture instructions whose execution latency doesn't vary based…
(TII->isDataInvariant(MI) || TII->isDataInvariantLoad(MI))) {
continue;
}
// We want to put an LFENCE before any instruction that // We want to put an LFENCE before any instruction that
// may load or store. This LFENCE is intended to avoid leaking any secret // may load or store. This LFENCE is intended to avoid leaking any secret
// data due to a given load or store. This results in closing the cache // data due to a given load or store. This results in closing the cache
// and memory timing side channels. We will treat terminators that load // and memory timing side channels. We will treat terminators that load
// or store separately. // or store separately.
if (MI.mayLoadOrStore() && !MI.isTerminator()) { if (MI.mayLoadOrStore() && !MI.isTerminator()) {
BuildMI(MBB, MI, DebugLoc(), TII->get(X86::LFENCE)); BuildMI(MBB, MI, DebugLoc(), TII->get(X86::LFENCE));
NumLFENCEsInserted++; NumLFENCEsInserted++;
▲ Show 20 LinesShow All 67 LinesShow Last 20 Lines