> On Sep 4, 2020, at 10:43 AM, Segher Boessenkool <seg...@kernel.crashing.org>
> wrote:
>
> On Thu, Sep 03, 2020 at 10:13:35AM -0700, Kees Cook wrote:
>> On Thu, Sep 03, 2020 at 09:29:54AM -0500, Qing Zhao wrote:
>>> On average, all the options starting with “used_…” (i.e., only the
>>> registers that are used in the routine will be zeroed) have very low
>>> runtime overheads, at most 1.72% for integer benchmarks, and 1.17% for FP
>>> benchmarks.
>>> If all the registers will be zeroed, the runtime overhead is bigger,
>>> all_arg is 5.7%, all_gpr is 3.5%, and all is 17.56% for integer benchmarks
>>> on average.
>>> Looks like the overhead of zeroing vector registers is much bigger.
>>>
>>> For ROP mitigation, -fzero-call-used-regs=used-gpr-arg should be enough,
>>> the runtime overhead with this is very small.
>>
>> That looks great; thanks for doing those tests!
>>
>> (And it seems like these benchmarks are kind of a "worst case" scenario
>> with regard to performance, yes? As in it's mostly tight call loops?)
>
> I call this very expensive, already,
Yes, I think that 17.56% on average is quite expensive. That’s the data for
-fzero-call-used-regs=all, the worst case, i.e., clearing all the call-used
registers at return.
However, if we only clear USED registers, the worst case is 1.72% on average.
This overhead is very reasonable.
Furthermore, if we only clear used_gpr_arg, i.e., used general-purpose registers
that pass parameters, which should be enough for ROP mitigation, the
overhead is even smaller: 0.84% on average.
> and it is benchmarked on a target
> where this should be very cheap (it has few registers) :-/
It’s a tradeoff: improving software security at the cost of some runtime overhead.
For the compiler, we should provide such an option to users to satisfy their
security needs despite the runtime overhead. Of course, during the compiler
implementation, we will do our best to minimize the runtime overhead.
Qing
>
>
> Segher