Re: [PATCH] S/390: Disable prediction of indirect branches
On Thu, Feb 8, 2018 at 11:57 AM, H.J. Lu wrote:
> On Thu, Feb 8, 2018 at 4:17 AM, Andreas Krebbel wrote:
>> On 02/08/2018 12:33 PM, Richard Biener wrote:
>>> On Wed, Feb 7, 2018 at 1:01 PM, Andreas Krebbel wrote:
>>>> This patch implements GCC support for mitigating vulnerability
>>>> CVE-2017-5715 known as Spectre #2 on IBM Z.
>>>>
>>>> In order to disable prediction of indirect branches the implementation
>>>> makes use of an IBM Z specific feature - the execute instruction.
>>>> Performing an indirect branch via execute prevents the branch from
>>>> being subject to dynamic branch prediction.
>>>>
>>>> The implementation tries to stay close to the x86 solution regarding
>>>> user interface.
>>>>
>>>> x86 style options supported (without thunk-inline):
>>>>
>>>> -mindirect-branch=(keep|thunk|thunk-extern)
>>>> -mfunction-return=(keep|thunk|thunk-extern)
>>>>
>>>> IBM Z specific options:
>>>>
>>>> -mindirect-branch-jump=(keep|thunk|thunk-extern|thunk-inline)
>>>> -mindirect-branch-call=(keep|thunk|thunk-extern)
>>>> -mfunction-return-reg=(keep|thunk|thunk-extern)
>>>> -mfunction-return-mem=(keep|thunk|thunk-extern)
>>>>
>>>> These options allow us to enable/disable the branch conversion at a
>>>> finer granularity.
>>>>
>>>> -mindirect-branch sets the value of -mindirect-branch-jump and
>>>> -mindirect-branch-call.
>>>>
>>>> -mfunction-return sets the value of -mfunction-return-reg and
>>>> -mfunction-return-mem.
>>>>
>>>> All these options are supported on GCC command line as well as
>>>> function attributes.
>>>>
>>>> 'thunk' triggers the generation of out of line thunks (expolines) and
>>>> replaces the formerly indirect branch with a direct branch to the
>>>> thunk. Depending on the -march= setting two different types of thunks
>>>> are generated. With -march=z10 or higher exrl (execute relative long)
>>>> is being used while targeting older machines makes use of larl/ex
>>>> instead. From a security perspective the exrl variant is preferable.
>>>>
>>>> 'thunk-extern' does the branch replacement like 'thunk' but does not
>>>> emit the thunks.
>>>>
>>>> 'thunk-inline' is only available for indirect jumps. It should be used
>>>> in environments where correct CFI is important - known as user space.
>>>>
>>>> Additionally the patch introduces the -mindirect-branch-table option
>>>> which generates tables pointing to the locations which have been
>>>> modified. This is supposed to allow reverting the changes without
>>>> re-compilation in situations where it isn't required. The sections are
>>>> split up into one section per option.
>>>>
>>>> I plan to commit the patch tomorrow.
>>>
>>> Do you also plan to backport this to the GCC 7 branch?
>>
>> Yes, I'm working on it.
>>
>
> This breaks glibc build:
>
> /export/gnu/import/git/toolchain/build/compilers/s390x-linux-gnu/glibc/s390x-linux-gnu/libc_pic.os:
> In function `__cmsg_nxthdr':
> /export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc-src/s390x-linux-gnu/socket/../sysdeps/unix/sysv/linux/cmsg_nxthdr.c:39:
> undefined reference to `__s390_indirect_jump_r1use_r14'
> /export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc-src/s390x-linux-gnu/socket/../sysdeps/unix/sysv/linux/cmsg_nxthdr.c:39:
> undefined reference to `__s390_indirect_jump_r1use_r14'
> collect2: error: ld returned 1 exit status
> make[4]: *** [../Makerules:765:
> /export/gnu/import/git/toolchain/build/compilers/s390x-linux-gnu/glibc/s390x-linux-gnu/libc.so]
> Error 1
> make[4]: Leaving directory
> '/export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc-src/s390x-linux-gnu/elf'
> make[3]: *** [Makefile:215: elf/subdir_lib] Error 2
> make[3]: Leaving directory
> '/export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc-src/s390x-linux-gnu'
> make[2]: *** [Makefile:9: all] Error 2
> make[2]: Leaving directory
> '/export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc/s390x-linux-gnu'

I opened:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84295

--
H.J.
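A way to check, on the defender's side, that the branch conversion described in the quoted patch actually took effect in a built object: the script below is an added example written for this thread, not code from the GCC patch, from glibc or from any of the posters. It scans `objdump -d` style disassembly of an s390x object, reports every register-indirect branch (`br`, `bcr`, `basr`) that is not inside an expoline thunk, and records whether each thunk is the exrl variant or the larl/ex variant the patch description calls less preferable. The disassembly strings are constructed by hand and are not real compiler output; the only names taken from the thread are the `__s390_indirect_jump_r<N>use_r<M>` symbol seen in the link error, and the `__s390_indirect_jump_r<N>` form for the exrl thunks is an assumption about the naming scheme, as is the tab-separated objdump layout the parser relies on.

```python
"""Audit s390x disassembly for indirect branches left outside expoline thunks.

Added example for the gcc-patches thread above; not part of the patch or of
glibc. Input is `objdump -d` style text. Assumptions: objdump separates
address, opcode bytes, mnemonic and operands with tab characters, and
expoline thunks are symbols named __s390_indirect_jump_r<N> (exrl variant,
assumed naming) or __s390_indirect_jump_r<N>use_r<M> (larl/ex variant, the
name seen in the link error quoted in the thread).
"""
import re

SYMBOL_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
THUNK_PREFIX = "__s390_indirect_jump_r"
# Register-indirect branches on z/Architecture: br is bcr 15,Rx and basr is
# the indirect call form. The last operand names the register holding the target.
INDIRECT_MNEMONICS = {"br", "bcr", "basr"}


def parse(disasm):
    """Yield (enclosing symbol, mnemonic, operands) for each instruction line."""
    symbol = None
    for line in disasm.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            symbol = m.group(1)
            continue
        # Assumed objdump layout: "  addr:", "bytes", "mnemonic", "operands"
        fields = line.split("\t")
        if len(fields) < 3 or symbol is None:
            continue
        mnemonic = fields[2].strip()
        operands = fields[3].strip() if len(fields) > 3 else ""
        if mnemonic:
            yield symbol, mnemonic, operands


def is_indirect_branch(mnemonic, operands):
    """True for a branch whose target comes from a register; r0 never branches."""
    if mnemonic not in INDIRECT_MNEMONICS:
        return False
    return operands.split(",")[-1].strip() != "%r0"


def audit(disasm):
    """Return (leaks, thunks): indirect branches outside any thunk, and the
    variant ('exrl', 'ex' or 'unknown') of every thunk symbol encountered."""
    leaks, thunks = [], {}
    for symbol, mnemonic, operands in parse(disasm):
        if symbol.startswith(THUNK_PREFIX):
            if mnemonic == "exrl":
                thunks[symbol] = "exrl"      # execute relative long: no scratch register
            elif mnemonic == "ex":
                thunks[symbol] = "ex"        # larl/ex fallback for pre-z10 targets
            else:
                thunks.setdefault(symbol, "unknown")
        elif is_indirect_branch(mnemonic, operands):
            leaks.append((symbol, mnemonic, operands))
    return leaks, thunks


# Constructed sample: a function calling through a function pointer and
# returning, before any branch conversion.
UNMITIGATED = """\
0000000000000000 <dispatch>:
   0:\te3 10 20 00 00 04\tlg\t%r1,0(%r2)
   6:\t0d e1\tbasr\t%r14,%r1
   8:\t07 fe\tbr\t%r14
"""

# Constructed sample: the same function after -mindirect-branch=thunk
# -mfunction-return=thunk, with two exrl-style thunks and one larl/ex-style
# thunk of the kind emitted for older -march= levels.
MITIGATED = """\
0000000000000000 <dispatch>:
   0:\te3 10 20 00 00 04\tlg\t%r1,0(%r2)
   6:\tc0 e5 00 00 00 05\tbrasl\t%r14,10 <__s390_indirect_jump_r1>
   c:\tc0 f4 00 00 00 08\tjg\t1c <__s390_indirect_jump_r14>

0000000000000010 <__s390_indirect_jump_r1>:
  10:\tc6 00 00 00 00 05\texrl\t%r0,1a <__s390_indirect_jump_r1+0xa>
  16:\ta7 f4 00 00\tj\t16 <__s390_indirect_jump_r1+0x6>
  1a:\t07 f1\tbr\t%r1

000000000000001c <__s390_indirect_jump_r14>:
  1c:\tc6 00 00 00 00 05\texrl\t%r0,26 <__s390_indirect_jump_r14+0xa>
  22:\ta7 f4 00 00\tj\t22 <__s390_indirect_jump_r14+0x6>
  26:\t07 fe\tbr\t%r14

0000000000000028 <__s390_indirect_jump_r1use_r14>:
  28:\tc0 10 00 00 00 07\tlarl\t%r1,36 <__s390_indirect_jump_r1use_r14+0xe>
  2e:\t44 00 10 00\tex\t%r0,0(%r1)
  32:\ta7 f4 00 00\tj\t32 <__s390_indirect_jump_r1use_r14+0xa>
  36:\t07 fe\tbr\t%r14
"""

if __name__ == "__main__":
    for name, text in (("unmitigated", UNMITIGATED), ("mitigated", MITIGATED)):
        leaks, thunks = audit(text)
        print(f"{name}: {len(leaks)} indirect branch(es) outside thunks")
        for symbol, mnemonic, operands in leaks:
            print(f"  {symbol}: {mnemonic} {operands}")
        for symbol, variant in sorted(thunks.items()):
            print(f"  thunk {symbol}: {variant}")
```

Run against real output (`objdump -d libc_pic.os | python3 audit.py`-style piping is left to the reader), a non-empty leak list means some indirect branch was not converted, and a thunk reported as `ex` on a z10-or-later build is worth a second look at the `-march=` setting; an undefined thunk symbol such as the `__s390_indirect_jump_r1use_r14` in the link error above would show up as a call site with no matching thunk symbol in the listing.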
Re: [PATCH] S/390: Disable prediction of indirect branches
On Thu, Feb 8, 2018 at 4:17 AM, Andreas Krebbel wrote:
> On 02/08/2018 12:33 PM, Richard Biener wrote:
>> On Wed, Feb 7, 2018 at 1:01 PM, Andreas Krebbel wrote:
>>> This patch implements GCC support for mitigating vulnerability
>>> CVE-2017-5715 known as Spectre #2 on IBM Z.
>>>
>>> In order to disable prediction of indirect branches the implementation
>>> makes use of an IBM Z specific feature - the execute instruction.
>>> Performing an indirect branch via execute prevents the branch from
>>> being subject to dynamic branch prediction.
>>>
>>> The implementation tries to stay close to the x86 solution regarding
>>> user interface.
>>>
>>> x86 style options supported (without thunk-inline):
>>>
>>> -mindirect-branch=(keep|thunk|thunk-extern)
>>> -mfunction-return=(keep|thunk|thunk-extern)
>>>
>>> IBM Z specific options:
>>>
>>> -mindirect-branch-jump=(keep|thunk|thunk-extern|thunk-inline)
>>> -mindirect-branch-call=(keep|thunk|thunk-extern)
>>> -mfunction-return-reg=(keep|thunk|thunk-extern)
>>> -mfunction-return-mem=(keep|thunk|thunk-extern)
>>>
>>> These options allow us to enable/disable the branch conversion at a
>>> finer granularity.
>>>
>>> -mindirect-branch sets the value of -mindirect-branch-jump and
>>> -mindirect-branch-call.
>>>
>>> -mfunction-return sets the value of -mfunction-return-reg and
>>> -mfunction-return-mem.
>>>
>>> All these options are supported on GCC command line as well as
>>> function attributes.
>>>
>>> 'thunk' triggers the generation of out of line thunks (expolines) and
>>> replaces the formerly indirect branch with a direct branch to the
>>> thunk. Depending on the -march= setting two different types of thunks
>>> are generated. With -march=z10 or higher exrl (execute relative long)
>>> is being used while targeting older machines makes use of larl/ex
>>> instead. From a security perspective the exrl variant is preferable.
>>>
>>> 'thunk-extern' does the branch replacement like 'thunk' but does not
>>> emit the thunks.
>>>
>>> 'thunk-inline' is only available for indirect jumps. It should be used
>>> in environments where correct CFI is important - known as user space.
>>>
>>> Additionally the patch introduces the -mindirect-branch-table option
>>> which generates tables pointing to the locations which have been
>>> modified. This is supposed to allow reverting the changes without
>>> re-compilation in situations where it isn't required. The sections are
>>> split up into one section per option.
>>>
>>> I plan to commit the patch tomorrow.
>>
>> Do you also plan to backport this to the GCC 7 branch?
>
> Yes, I'm working on it.
>

This breaks glibc build:

/export/gnu/import/git/toolchain/build/compilers/s390x-linux-gnu/glibc/s390x-linux-gnu/libc_pic.os:
In function `__cmsg_nxthdr':
/export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc-src/s390x-linux-gnu/socket/../sysdeps/unix/sysv/linux/cmsg_nxthdr.c:39:
undefined reference to `__s390_indirect_jump_r1use_r14'
/export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc-src/s390x-linux-gnu/socket/../sysdeps/unix/sysv/linux/cmsg_nxthdr.c:39:
undefined reference to `__s390_indirect_jump_r1use_r14'
collect2: error: ld returned 1 exit status
make[4]: *** [../Makerules:765:
/export/gnu/import/git/toolchain/build/compilers/s390x-linux-gnu/glibc/s390x-linux-gnu/libc.so]
Error 1
make[4]: Leaving directory
'/export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc-src/s390x-linux-gnu/elf'
make[3]: *** [Makefile:215: elf/subdir_lib] Error 2
make[3]: Leaving directory
'/export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc-src/s390x-linux-gnu'
make[2]: *** [Makefile:9: all] Error 2
make[2]: Leaving directory
'/export/ssd/git/toolchain/build/compilers/s390x-linux-gnu/glibc/s390x-linux-gnu'

--
H.J.
Re: [PATCH] S/390: Disable prediction of indirect branches
On 02/08/2018 12:33 PM, Richard Biener wrote:
> On Wed, Feb 7, 2018 at 1:01 PM, Andreas Krebbel wrote:
>> This patch implements GCC support for mitigating vulnerability
>> CVE-2017-5715 known as Spectre #2 on IBM Z.
>>
>> In order to disable prediction of indirect branches the implementation
>> makes use of an IBM Z specific feature - the execute instruction.
>> Performing an indirect branch via execute prevents the branch from
>> being subject to dynamic branch prediction.
>>
>> The implementation tries to stay close to the x86 solution regarding
>> user interface.
>>
>> x86 style options supported (without thunk-inline):
>>
>> -mindirect-branch=(keep|thunk|thunk-extern)
>> -mfunction-return=(keep|thunk|thunk-extern)
>>
>> IBM Z specific options:
>>
>> -mindirect-branch-jump=(keep|thunk|thunk-extern|thunk-inline)
>> -mindirect-branch-call=(keep|thunk|thunk-extern)
>> -mfunction-return-reg=(keep|thunk|thunk-extern)
>> -mfunction-return-mem=(keep|thunk|thunk-extern)
>>
>> These options allow us to enable/disable the branch conversion at a
>> finer granularity.
>>
>> -mindirect-branch sets the value of -mindirect-branch-jump and
>> -mindirect-branch-call.
>>
>> -mfunction-return sets the value of -mfunction-return-reg and
>> -mfunction-return-mem.
>>
>> All these options are supported on GCC command line as well as
>> function attributes.
>>
>> 'thunk' triggers the generation of out of line thunks (expolines) and
>> replaces the formerly indirect branch with a direct branch to the
>> thunk. Depending on the -march= setting two different types of thunks
>> are generated. With -march=z10 or higher exrl (execute relative long)
>> is being used while targeting older machines makes use of larl/ex
>> instead. From a security perspective the exrl variant is preferable.
>>
>> 'thunk-extern' does the branch replacement like 'thunk' but does not
>> emit the thunks.
>>
>> 'thunk-inline' is only available for indirect jumps. It should be used
>> in environments where correct CFI is important - known as user space.
>>
>> Additionally the patch introduces the -mindirect-branch-table option
>> which generates tables pointing to the locations which have been
>> modified. This is supposed to allow reverting the changes without
>> re-compilation in situations where it isn't required. The sections are
>> split up into one section per option.
>>
>> I plan to commit the patch tomorrow.
>
> Do you also plan to backport this to the GCC 7 branch?

Yes, I'm working on it.

-Andreas-
Re: [PATCH] S/390: Disable prediction of indirect branches
On Wed, Feb 7, 2018 at 1:01 PM, Andreas Krebbel wrote:
> This patch implements GCC support for mitigating vulnerability
> CVE-2017-5715 known as Spectre #2 on IBM Z.
>
> In order to disable prediction of indirect branches the implementation
> makes use of an IBM Z specific feature - the execute instruction.
> Performing an indirect branch via execute prevents the branch from
> being subject to dynamic branch prediction.
>
> The implementation tries to stay close to the x86 solution regarding
> user interface.
>
> x86 style options supported (without thunk-inline):
>
> -mindirect-branch=(keep|thunk|thunk-extern)
> -mfunction-return=(keep|thunk|thunk-extern)
>
> IBM Z specific options:
>
> -mindirect-branch-jump=(keep|thunk|thunk-extern|thunk-inline)
> -mindirect-branch-call=(keep|thunk|thunk-extern)
> -mfunction-return-reg=(keep|thunk|thunk-extern)
> -mfunction-return-mem=(keep|thunk|thunk-extern)
>
> These options allow us to enable/disable the branch conversion at a
> finer granularity.
>
> -mindirect-branch sets the value of -mindirect-branch-jump and
> -mindirect-branch-call.
>
> -mfunction-return sets the value of -mfunction-return-reg and
> -mfunction-return-mem.
>
> All these options are supported on GCC command line as well as
> function attributes.
>
> 'thunk' triggers the generation of out of line thunks (expolines) and
> replaces the formerly indirect branch with a direct branch to the
> thunk. Depending on the -march= setting two different types of thunks
> are generated. With -march=z10 or higher exrl (execute relative long)
> is being used while targeting older machines makes use of larl/ex
> instead. From a security perspective the exrl variant is preferable.
>
> 'thunk-extern' does the branch replacement like 'thunk' but does not
> emit the thunks.
>
> 'thunk-inline' is only available for indirect jumps. It should be used
> in environments where correct CFI is important - known as user space.
>
> Additionally the patch introduces the -mindirect-branch-table option
> which generates tables pointing to the locations which have been
> modified. This is supposed to allow reverting the changes without
> re-compilation in situations where it isn't required. The sections are
> split up into one section per option.
>
> I plan to commit the patch tomorrow.

Do you also plan to backport this to the GCC 7 branch?

> gcc/ChangeLog:
>
> 2018-02-07  Andreas Krebbel
>
>         * config/s390/s390-opts.h (enum indirect_branch): Define.
>         * config/s390/s390-protos.h (s390_return_addr_from_memory)
>         (s390_indirect_branch_via_thunk)
>         (s390_indirect_branch_via_inline_thunk): Add function prototypes.
>         (enum s390_indirect_branch_type): Define.
>         * config/s390/s390.c (struct s390_frame_layout, struct
>         machine_function): Remove.
>         (indirect_branch_prez10thunk_mask, indirect_branch_z10thunk_mask)
>         (indirect_branch_table_label_no, indirect_branch_table_name):
>         Define variables.
>         (INDIRECT_BRANCH_NUM_OPTIONS): Define macro.
>         (enum s390_indirect_branch_option): Define.
>         (s390_return_addr_from_memory): New function.
>         (s390_handle_string_attribute): New function.
>         (s390_attribute_table): Add new attribute handler.
>         (s390_execute_label): Handle UNSPEC_EXECUTE_JUMP patterns.
>         (s390_indirect_branch_via_thunk): New function.
>         (s390_indirect_branch_via_inline_thunk): New function.
>         (s390_function_ok_for_sibcall): When jumping via thunk disallow
>         sibling call optimization for non z10 compiles.
>         (s390_emit_call): Force indirect branch target to be a single
>         register. Add r1 clobber for non-z10 compiles.
>         (s390_emit_epilogue): Emit return jump via return_use expander.
>         (s390_reorg): Handle JUMP_INSNs as execute targets.
>         (s390_option_override_internal): Perform validity checks for the
>         new command line options.
>         (s390_indirect_branch_attrvalue): New function.
>         (s390_indirect_branch_settings): New function.
>         (s390_set_current_function): Invoke s390_indirect_branch_settings.
>         (s390_output_indirect_thunk_function): New function.
>         (s390_code_end): Implement target hook.
>         (s390_case_values_threshold): Implement target hook.
>         (TARGET_ASM_CODE_END, TARGET_CASE_VALUES_THRESHOLD): Define target
>         macros.
>         * config/s390/s390.h (struct s390_frame_layout)
>         (struct machine_function): Move here from s390.c.
>         (TARGET_INDIRECT_BRANCH_NOBP_RET)
>         (TARGET_INDIRECT_BRANCH_NOBP_JUMP)
>         (TARGET_INDIRECT_BRANCH_NOBP_JUMP_THUNK)
>         (TARGET_INDIRECT_BRANCH_NOBP_JUMP_INLINE_THUNK)
>         (TARGET_INDIRECT_BRANCH_NOBP_CALL)
>         (TARGET_DEFAULT_INDIRECT_BRANCH_TABLE)
>         (TARGET_INDIRECT_BRANCH_THUNK_NAME_EXRL)
>         (TARGET_INDIRECT_BRANCH_THUNK_NAME_EX)
>         (TARGET_INDIRECT_BRANCH_T