Intel's Load Hardening Mitigation Merged Into LLVM 11 For LVI Protection
Intel's Load Value Injection mitigation has finally been merged into mainline LLVM.
LLVM was disclosed back in March and while the GNU Assembler mitigation was quickly merged, on the LLVM compiler toolchain side it took until yesterday for the patch to be squared away in full.
This Intel-developed mitigation is of similar nature to the GAS patch. When enabled, a load fence (LFENCE) is added after each instruction that may be vulnerable to LVI as well as warning over code that cannot be automatically mitigated.
Mitigating the LVI attack with this option will come with performance costs and on top of earlier LVI work for LLVM. There are our GNU Assembler mitigation benchmarks for LVI as additional reference. I'll have some new LLVM benchmarks soon.
With this commit adding the inline assembly load hardening mitigation for LVI, it's only enabled via the -x86-experimental-lvi-inline-asm-hardening flag. Code comments in that patch provide additional context on this mitigation approach.
This patch was merged on Monday shortly after SESES was merged as an even more performance-hitting mitigation the same day too for LVI and speculative execution side channel vulnerabilities at large.
LLVM 11 with these additional mitigation options and much more should debut around September as stable.
Those wanting a refresher on the LVI attack disclosed in March can visit LVIattack.eu for all the details.
LLVM was disclosed back in March and while the GNU Assembler mitigation was quickly merged, on the LLVM compiler toolchain side it took until yesterday for the patch to be squared away in full.
This Intel-developed mitigation is of similar nature to the GAS patch. When enabled, a load fence (LFENCE) is added after each instruction that may be vulnerable to LVI as well as warning over code that cannot be automatically mitigated.
Mitigating the LVI attack with this option will come with performance costs and on top of earlier LVI work for LLVM. There are our GNU Assembler mitigation benchmarks for LVI as additional reference. I'll have some new LLVM benchmarks soon.
With this commit adding the inline assembly load hardening mitigation for LVI, it's only enabled via the -x86-experimental-lvi-inline-asm-hardening flag. Code comments in that patch provide additional context on this mitigation approach.
This patch was merged on Monday shortly after SESES was merged as an even more performance-hitting mitigation the same day too for LVI and speculative execution side channel vulnerabilities at large.
LLVM 11 with these additional mitigation options and much more should debut around September as stable.
Those wanting a refresher on the LVI attack disclosed in March can visit LVIattack.eu for all the details.
6 Comments