Arm CPUs Hit By Straight Line Speculation Vulnerability, LLVM Adds Initial Mitigation
While Intel's CrossTalk/SRBDS vulnerability dominated the conversation on Tuesday, Arm quietly revealed a new speculative execution vulnerability of its own called Straight Line Speculation.
Google's SafeSide project discovered the possibility of ARMv8 CPUs speculatively executing instructions following a change in control flow such as through exception generating instructions exception returns, unconditional direct branches, unconditional indirect branches, or function returns. This Straight-Line Speculation vulnerability following an unconditional change in control flow is also known as CVE-2020-13844.
Arm is recommending the use of speculation barrier sequences following vulnerable instructions. For Arm CPUs supporting the SB (Speculation Barrier) instruction it can be used otherwise a DSB+ISB sequence as the barrier.
Arm announced Straight Line Speculation while compiler/toolchain developers are still in the "early stages of architecting, planning, and development" of said mitigation. Due to performance costs involved, Arm hasn't yet endorsed enabling such compiler mitigations by default and encourages compiler developers to look at the possibility of per-function overrides and similar options.
See this Arm whitepaper on Straight-Line Speculation.
LLVM today merged an AArch64 SLS hardening pass. This pass will add the speculation barrier instructions following RET/BR instructions. For now at least the mitigation is disabled by default but requires the harden-sls-retbr flag for enabling. No performance measurements were shared for the performance hit but I will be working on some benchmarks... Stay tuned for looking at the performance hit of Arm Straight-Line Speculation.
Google's SafeSide project discovered the possibility of ARMv8 CPUs speculatively executing instructions following a change in control flow such as through exception generating instructions exception returns, unconditional direct branches, unconditional indirect branches, or function returns. This Straight-Line Speculation vulnerability following an unconditional change in control flow is also known as CVE-2020-13844.
Arm is recommending the use of speculation barrier sequences following vulnerable instructions. For Arm CPUs supporting the SB (Speculation Barrier) instruction it can be used otherwise a DSB+ISB sequence as the barrier.
Arm announced Straight Line Speculation while compiler/toolchain developers are still in the "early stages of architecting, planning, and development" of said mitigation. Due to performance costs involved, Arm hasn't yet endorsed enabling such compiler mitigations by default and encourages compiler developers to look at the possibility of per-function overrides and similar options.
See this Arm whitepaper on Straight-Line Speculation.
LLVM today merged an AArch64 SLS hardening pass. This pass will add the speculation barrier instructions following RET/BR instructions. For now at least the mitigation is disabled by default but requires the harden-sls-retbr flag for enabling. No performance measurements were shared for the performance hit but I will be working on some benchmarks... Stay tuned for looking at the performance hit of Arm Straight-Line Speculation.
5 Comments