Developer Guide and Reference

Contents

mconditional-branch, Qconditional-branch

Lets you identify and fix code that may be vulnerable to speculative execution side-channel attacks, which can leak your secure data as a result of bad speculation of a conditional branch direction.

Syntax

Linux:
-mconditional-branch
=
keyword
macOS:
-mconditional-branch
=
keyword
Windows:
/Qconditional-branch
:
keyword
Arguments
keyword
Indicates to the compiler what action to take. Possible values are:
keep
Tells the compiler to not attempt any vulnerable code detection or fixing. This is equivalent to not specifying the
-mconditional-branch
option.
pattern-report
Tells the compiler to perform a search of vulnerable code patterns in the compilation and report all occurrences to stderr.
pattern-fix
Tells the compiler to perform a search of vulnerable code patterns in the compilation and generate code to ensure that the identified data accesses are not executed speculatively. It will also report any fixed patterns to stderr.
This setting does not guarantee total mitigation, it only fixes cases where all components of the vulnerability can be seen or determined by the compiler. The pattern detection will be more complete if advanced optimization options are specified or are in effect, such as option
O3
and option
-ipo
(or
/Qipo
).
all-fix
Tells the compiler to fix all of the vulnerable code so that it is either not executed speculatively, or there is no observable side-channel created from their speculative execution. Since it is a complete mitigation against Spectre variant 1 attacks, this setting will have the most run-time performance cost.
In contrast to the
pattern-fix
setting, the compiler will not attempt to identify the exact conditional branches that may have led to the mis-speculated execution.
all-fix-lfence
This is the same as specifying setting
all-fix
.
all-fix-cmov
Tells the compiler to treat any path where speculative execution of a memory load creates vulnerability (if mispredicted). The compiler automatically adds mitigation code along any vulnerable paths found, but it uses a different method then the one used for
all-fix
(or
all-fix-lfence
).
This method uses CMOVcc instruction execution, which constrains speculative execution. Thus, it is used for keeping track of the predicate value, which is updated on each conditional branch.
To prevent Spectre v.1 attack, each memory load that is potentially vulnerable is bitwise ORed with the predicate to mask out the loaded value if the code is on a mispredicted path.
This is analogous to the Clang compiler's option to do Speculative Load Hardening.
This setting is only supported on Intel® 64 architecture-based systems.
Default
-mconditional-branch=keep
and
/Qconditional-branch:keep
The compiler does not attempt any vulnerable code detection or fixing.
Description
This option lets you identify code that may be vulnerable to speculative execution side-channel attacks, which can leak your secure data as a result of bad speculation of a conditional branch direction. Depending on the setting you choose, vulnerabilities may be detected and code may be generated to attempt to mitigate the security risk.
Alternate Options
None

Product and Performance Information

1

Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.

Notice revision #20110804