
Add Indirect Thunk Support to X86 to mitigate Load Value Injection (LVI) [by modifying X86RetpolineThunks.cpp]

Authored by sconstab on Mar 19 2020, 3:03 PM.



This patch is an alternate implementation of D75934 that mitigates LVI indirect calls/jumps by making changes to the existing X86RetpolineThunks pass, instead of introducing a new pass.


Event Timeline

sconstab created this revision. Mar 19 2020, 3:03 PM
zbrid added a comment. Edited Mar 19 2020, 3:23 PM

I commented on the other patch about this before I saw this patch. Thanks for putting this up!

I think it looks pretty good, but could you do a more full refactor of the RetpolineThunks pass in an NFC patch? Then have the LVI functionality added on top of that refactored patch?


Probably can be changed to checking whether we are using indirect branch thunking, etc. I think there were a few other conditionals relating to retpolines that may also need to be changed. The renaming you did in the first indirect branch pass for some functions (e.g. EmitLoweredRetpoline -> EmitLoweredThunk) should perhaps also be preserved in whatever update you do.

zbrid added inline comments. Mar 19 2020, 4:25 PM

Also to follow up on the discussion earlier about SESES using the lvi-cfi subtarget feature for mitigating other issues as well.

Would it be possible to rename the subtarget specific to be more generic? I came up with a couple options: spex-cfi? speculative execution-cfi? se-cfi? side-channel-cfi? I don't know if that's too broad or not precise enough. The lvi-cfi flag should remain in Clang for sure, but I'd want to enable the subtarget feature for SESES which may not be used only for LVI.

sconstab abandoned this revision. Apr 23 2020, 2:57 PM

Superseded by D76810, D76811, and D76812.