Clang Picks Up Support For Per-Function Speculative Load Hardening (Spectre V1)

For several months now the mainline LLVM Clang compiler code has offered Speculative Load Hardening (SLH) for the compiler-based approach for Spectre Variant One protection for critical software that might not be mitigated by hand against Spectre V1 vulnerabilities that can be picked up by Smatch and other utilities. The Clang compiler now has support for SLH on a function-by-function basis.

Enabling Speculative Load Hardening can be done with LLVM/Clang 7.0+ via the "-mspeculative-load-hardening" flag, which enables SLH for all functions being compiled. But with this latest addition to Clang as of this week, an SLH attribute is now available for C/C++ functions and Objective-C methods for enabling the behavior on a function-by-function manner.

The speculative_load_hardening attribute now allows for developers to selectively opt into this Spectre Variant One protection on a per-function basis where protecting against data leaks would be of vital importance rather than introducing the overhead to all functions.

More details on this change for Clang 8.0 can be found via this commit. More details on the LLVM Speculative Load Hardening via the compiler documentation.