LLVM Lands Performance-Hitting Mitigation For Intel LVI Vulnerability
Made public in March was the Load Value Injection (LVI) attack affecting Intel CPUs with SGX capabilities. LVI combines Spectre-style code gadgets with Meltdown-type illegal data flows to bypass existing defenses and allow injecting data into a victim's transient execution. While mitigations on the GNU side quickly landed, the LLVM compiler mitigations were just merged today.
Intel quickly provided LVI mitigations for the GNU Assembler as new opt-in flags. These assembler mitigations end up introducing many more load fences (LFENCE) to mitigate and cause quite some performance hits but is not enabled by default.
Intel and other developers in the LLVM community have been working on their respective mitigations for LVI. In fact, a Google engineer proposed a new "SESES" technique for helping address LVI and speculative execution in general. But with Google's own benchmark that only left 7% the original performance (as in down 93%) for the company's BoringSSL workload as their internal fork of OpenSSL.
Merged today to LLVM was not the SESES technique but another mitigation approach worked on by Intel and the other upstream LLVM developers. This mitigation is adding indirect thunk support that replaces each indirect call/jump with a direct call to a thunk that has a load fence (LFENCE) and then JMPQ. This LLVM approach is less invasive than the GNU Assembler options that can allow for adding an LFENCE after all loads, before indirect branches, and before return (RET) instructions, but as these benchmarks are about to show the LLVM mitigation can still take a measurable penalty.
This LLVM mitigation for LVI, similar to on the GNU side, is not enabled by default. Those wanting to mitigate their software for LVI while compiling can use the new Clang compiler flag of "-mlvi-cfi". This new option is short for control-flow mitigation (Control Flow Integrity) for the Load Value Injection vulnerability.
With today's LLVM 11 Git state after this was merged I ran some benchmarks of that compiler out-of-the-box and then another run through the benchmarks after re-building the software under test with "-mlvi-cfi" added. This round of benchmarks was done with an Intel Core i9 9900K as one of the affected Intel processors that span from Broadwell through Cascade Lake Server, Ice Lake, and even future Tremont-based Atom CPUs. Additional LLVM LVI benchmarks on other CPUs may be coming in the days ahead if there is sufficient reader interest.
Between the two runs for this Core i9 9900K testing on Ubuntu Linux, the only change was the presence of "-mlvi-cfi" within the CFLAGS/CXXFLAGS. Via the Phoronix Test Suite a variety of different C/C++ open-source benchmarks were tested.