mconditional-branch, Qconditional-branch
Lets you identify and fix code that may
be vulnerable to speculative execution side-channel attacks, which can leak
your secure data as a result of bad speculation of a conditional branch
direction.
This content is specific to C++; it does not apply to
DPC++
.Syntax
Linux:
-mconditional-branch
=
keyword
Windows:
/Qconditional-branch
:
keyword
Arguments
- keyword
- Tells the compiler the action to take. Possible values are:
- keep
- Tells the compiler to not attempt any vulnerable code detection or fixing. This is equivalent to not specifying the-mconditional-branchoption.
- pattern-report
- Tells the compiler to perform a search of vulnerable code patterns in the compilation and report all occurrences to stderr.
- pattern-fix
- Tells the compiler to perform a search of vulnerable code patterns in the compilation and generate code to ensure that the identified data accesses are not executed speculatively. It will also report any fixed patterns to stderr.This setting does not guarantee total mitigation, it only fixes cases where all components of the vulnerability can be seen or determined by the compiler. The pattern detection will be more complete if advanced optimization options are specified or are in effect, such as optionO3and option-ipo(or/Qipo).
- all-fix
- Tells the compiler to fix all of the vulnerable code so that it is either not executed speculatively, or there is no observable side-channel created from their speculative execution. Since it is a complete mitigation against Spectre variant 1 attacks, this setting will have the most run-time performance cost.In contrast to thepattern-fixsetting, the compiler will not attempt to identify the exact conditional branches that may have led to the mis-speculated execution.
- all-fix-lfence
- This is the same as specifying settingall-fix.
- all-fix-cmov
- Tells the compiler to treat any path where speculative execution of a memory load creates vulnerability (if mispredicted). The compiler automatically adds mitigation code along any vulnerable paths found, but it uses a different method then the one used forall-fix(orall-fix-lfence).This method uses CMOVcc instruction execution, which constrains speculative execution. Thus, it is used for keeping track of the predicate value, which is updated on each conditional branch.To prevent Spectre v.1 attack, each memory load that is potentially vulnerable is bitwise ORed with the predicate to mask out the loaded value if the code is on a mispredicted path.This is analogous to the Clang compiler's option to do Speculative Load Hardening.This setting is only supported on Intel® 64 architecture-based systems.
Default
- -mconditional-branch=keepand/Qconditional-branch:keep
- The compiler does not attempt any vulnerable code detection or fixing.
Description
This option lets you identify code that may be vulnerable
to speculative execution side-channel attacks, which can leak your secure data
as a result of bad speculation of a conditional branch direction. Depending on
the setting you choose, vulnerabilities may be detected and code may be
generated to attempt to mitigate the security risk.
IDE Equivalent
Visual Studio:
Code Generation [Intel C++]
> Spectre Variant 1 Mitigation
Eclipse:
None
Alternate Options
None