Mitigate MMIO stale data vulnerability #98126
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
rustbot
added
the
T-libs
|
(rust-highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
This comment has been minimized.
This comment has been minimized.
raoulstrackx
force-pushed
the
raoul/mitigate_stale_data_vulnerability
branch
from
0ce2a06
to
776766f
Compare
This comment has been minimized.
This comment has been minimized.
raoulstrackx
force-pushed
the
raoul/mitigate_stale_data_vulnerability
branch
from
776766f
to
a27aace
Compare
cuviper
reviewed
Jun 21, 2022
| /// Copies `len` bytes of data from enclave pointer `src` to userspace `dst` | ||
| /// | ||
| /// This function mitigates stale data vulnerabilities | ||
| /// https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html |
There was a problem hiding this comment.
I think we need at least a summary of how the mitigation works. I don't have domain knowledge about SGX, but I see the bytewise function is using segments and fences while the quadword just copies, which seems very mysterious. I also wonder why the alignment matters for dst, while src alignment is not checked at all.
The link does not make any of this this clear either, though maybe it would if I dug deeper... but even still it would be good to have some local explanation.
There was a problem hiding this comment.
This link makes it a little clearer that the vulnerability is specifically about partial writes ("Any write that is smaller than 8 bytes or is not 8-byte aligned."), which explains why we're only looking at dst alignment, and why the aligned chunks remain so simple. Could we let the aligned part go back to a normal ptr::copy?
There was a problem hiding this comment.
Could we let the aligned part go back to a normal ptr::copy?
Actually, I guess that's a bad idea because we need to guarantee that all of those writes are full 8-bytes at a time.
There was a problem hiding this comment.
Agreed! I've extended the documentation and added the reference
| let seg_sel: u16 = 0; | ||
| for off in 0..len { | ||
| asm!(" | ||
| mov %ds, ({seg_sel}) |
There was a problem hiding this comment.
This is writing to *&seg_sel, no? Seems like that parameter should be &mut seg_sel, or perhaps out(reg) seg_sel to let the compiler give you a scratch register instead.
There was a problem hiding this comment.
Good catch! I've updated the reference to be mut.
There was a problem hiding this comment.
In general I'd agree that moving to a scratch register would be cleaner. Here I'm more hesitant as so much happens at a micro architectural level that I'm feeling much more at ease by following the Intel example code. Performance overhead is negligent anyway.
There was a problem hiding this comment.
According to Intel, you have to use the memory-operand version of verw.
the memory-operand variant of VERW (for example, VERW m16) has been extended to also overwrite buffers affected by MMIO Stale Data vulnerabilities
raoulstrackx
force-pushed
the
raoul/mitigate_stale_data_vulnerability
branch
from
5871d56
to
6a6910e
Compare
|
LGTM, although I'm not an expert here, so I'm trusting you two (@raoulstrackx and @jethrogb) as informal target owners for tier-2 SGX. It would be great if one or both of you signed up to be formal maintainers per the target tier policy! @bors r+ |
|
📌 Commit 6a6910e has been approved by |
|
🌲 The tree is currently closed for pull requests below priority 1000. This pull request will be tested once the tree is reopened. |
bors
added
S-waiting-on-bors
|
The policy doesn't really specify how maintainers are recorded and I'm also not aware of such a mechanism being in place. But I'm happy to be enlightened in this respect. |
|
@jethrogb note this part:
That template includes a section to list target maintainers. Many targets lack this documentation, including SGX, as they were grandfathered in from before the policy was in place. |
Dylan-DPC
added a commit
to Dylan-DPC/rust
that referenced
this pull request
Jun 24, 2022
…vulnerability, r=cuviper Mitigate MMIO stale data vulnerability Intel publicly disclosed the MMIO stale data vulnerability on June 14. To mitigate this vulnerability, compiler changes are required for the `x86_64-fortanix-unknown-sgx` target. cc: `@jethrogb`
compiler-errors
added a commit
to compiler-errors/rust
that referenced
this pull request
Jun 25, 2022
…vulnerability, r=cuviper Mitigate MMIO stale data vulnerability Intel publicly disclosed the MMIO stale data vulnerability on June 14. To mitigate this vulnerability, compiler changes are required for the `x86_64-fortanix-unknown-sgx` target. cc: ``@jethrogb``
JohnTitor
added a commit
to JohnTitor/rust
that referenced
this pull request
Jun 25, 2022
…vulnerability, r=cuviper Mitigate MMIO stale data vulnerability Intel publicly disclosed the MMIO stale data vulnerability on June 14. To mitigate this vulnerability, compiler changes are required for the `x86_64-fortanix-unknown-sgx` target. cc: ```@jethrogb```
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Jun 25, 2022
…askrgr Rollup of 9 pull requests Successful merges: - rust-lang#96412 (Windows: Iterative `remove_dir_all`) - rust-lang#98126 (Mitigate MMIO stale data vulnerability) - rust-lang#98149 (Set relocation_model to Pic on emscripten target) - rust-lang#98194 (Leak pthread_{mutex,rwlock}_t if it's dropped while locked.) - rust-lang#98298 (Point to type parameter definition when not finding variant, method and associated item) - rust-lang#98311 (Reverse folder hierarchy) - rust-lang#98401 (Add tracking issues to `--extern` option docs.) - rust-lang#98429 (Use correct substs in enum discriminant cast) - rust-lang#98431 (Suggest defining variable as mutable on `&mut _` type mismatch in pats) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
|
@rustbot labels +beta-nominated +stable-nomitated |
Mark-Simulacrum
added
beta-nominated
m-ou-se
added
beta-accepted
ehuss
removed
the
beta-nominated
ehuss
pushed a commit
to ehuss/rust
that referenced
this pull request
Jul 5, 2022
…vulnerability, r=cuviper Mitigate MMIO stale data vulnerability Intel publicly disclosed the MMIO stale data vulnerability on June 14. To mitigate this vulnerability, compiler changes are required for the `x86_64-fortanix-unknown-sgx` target. cc: ````@jethrogb````
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Jul 6, 2022
[beta] Beta 1.63 backports * fix data race in thread::scope rust-lang#98503 * Mitigate MMIO stale data vulnerability rust-lang#98126 * Cargo: * [BETA-1.63] Fix zsh completions for add and locate-project (rust-lang/cargo#10811) * [BETA-1.63] Bump cargo-util version. (rust-lang/cargo#10805)
Mark-Simulacrum
removed
the
stable-nominated
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Jul 16, 2022
…imulacrum [stable] 1.62.1 release This bundles: * Windows: Fallback for overlapped I/O rust-lang#98950 * don't succeed evaluate_obligation query if new opaque types were registered rust-lang#98614 * Mitigate MMIO stale data vulnerability rust-lang#98126 * Return a FxIndexSet in is_late_bound query. rust-lang#99219 Also bumps the version number to 1.62.1 and includes a short release notes section for the release. r? `@Mark-Simulacrum`
wip-sync
pushed a commit
to NetBSD/pkgsrc-wip
that referenced
this pull request
Jul 20, 2022
Pkgsrc changes: * none. Upstream changes: Version 1.62.1 (2022-07-19) ========================== Rust 1.62.1 addresses a few recent regressions in the compiler and standard library, and also mitigates a CPU vulnerability on Intel SGX. * [The compiler fixed unsound function coercions involving `impl Trait` return types.][98608] * [The compiler fixed an incremental compilation bug with `async fn` lifetimes.][98890] * [Windows added a fallback for overlapped I/O in synchronous reads and writes.][98950] * [The `x86_64-fortanix-unknown-sgx` target added a mitigation for the MMIO stale data vulnerability][98126], advisory [INTEL-SA-00615]. [98608]: rust-lang/rust#98608 [98890]: rust-lang/rust#98890 [98950]: rust-lang/rust#98950 [98126]: rust-lang/rust#98126 [INTEL-SA-00615]: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Aug 31, 2022
Pkgsrc changes: * Bump required GCC to 7 (same as LLVM) to avoid ABI issues Fixes native i386 and powerpc 8.x build w/pkgsrc LLVM 14 * Bump available bootstraps to 1.61.0. * Also unlimit stacksize * Sync patches over from wip/rust * Adjust line number in patches which had non-zero offsets. * no longer pass -I/usr/pkg/include through via gcc-wrap script when building natively. Attempt at fixing version skew with curl package vs. internal version of curl (may not work...) * The NetBSD bootstraps now use .xz compression. * Use mk/atomic64.mk. Still have conditional for libatomic-links. * Default to using the internal LLVM when cross-building. Upstream changes: Version 1.62.1 (2022-07-19) ========================== Rust 1.62.1 addresses a few recent regressions in the compiler and standard library, and also mitigates a CPU vulnerability on Intel SGX. * [The compiler fixed unsound function coercions involving `impl Trait` return types.][98608] * [The compiler fixed an incremental compilation bug with `async fn` lifetimes.][98890] * [Windows added a fallback for overlapped I/O in synchronous reads and writes.][98950] * [The `x86_64-fortanix-unknown-sgx` target added a mitigation for the MMIO stale data vulnerability][98126], advisory [INTEL-SA-00615]. [98608]: rust-lang/rust#98608 [98890]: rust-lang/rust#98890 [98950]: rust-lang/rust#98950 [98126]: rust-lang/rust#98126 [INTEL-SA-00615]: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html Version 1.62.0 (2022-06-30) ========================== Language -------- - [Stabilize `#[derive(Default)]` on enums with a `#[default]` variant][94457] - [Stop validating some checks in dead code after functions with uninhabited return types][93313] - [Fix constants not getting dropped if part of a diverging expression][94775] - [Support unit struct/enum variant in destructuring assignment][95380] - [Remove mutable_borrow_reservation_conflict lint and allow the code pattern][96268] Compiler -------- - [linker: Stop using whole-archive on dependencies of dylibs][96436] - [Make `unaligned_references` lint deny-by-default][95372] This lint is also a future compatibility lint, and is expected to eventually become a hard error. - [Only add codegen backend to dep info if -Zbinary-dep-depinfo is used][93969] - [Reject `#[thread_local]` attribute on non-static items][95006] - [Add tier 3 `aarch64-pc-windows-gnullvm` and `x86_64-pc-windows-gnullvm` targets\*][94872] - [Implement a lint to warn about unused macro rules][96150] - [Promote `x86_64-unknown-none` target to Tier 2\*][95705] \* Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. Libraries --------- - [Move `CStr` to libcore, and `CString` to liballoc][94079] - [Windows: Use a pipe relay for chaining pipes][95841] - [Replace Linux Mutex and Condvar with futex based ones.][95035] - [Replace RwLock by a futex based one on Linux][95801] - [std: directly use pthread in UNIX parker implementation][96393] Stabilized APIs --------------- - [`bool::then_some`] - [`f32::total_cmp`] - [`f64::total_cmp`] - [`Stdin::lines`] - [`windows::CommandExt::raw_arg`] - [`impl<T: Default> Default for AssertUnwindSafe<T>`] - [`From<Rc<str>> for Rc<[u8]>`][rc-u8-from-str] - [`From<Arc<str>> for Arc<[u8]>`][arc-u8-from-str] - [`FusedIterator for EncodeWide`] - [RDM intrinsics on aarch64][stdarch/1285] Clippy ------ - [Create clippy lint against unexpectedly late drop for temporaries in match scrutinee expressions][94206] Cargo ----- - Added the `cargo add` command for adding dependencies to `Cargo.toml` from the command-line. [docs](https://doc.rust-lang.org/nightly/cargo/commands/cargo-add.html) - Package ID specs now support `name@version` syntax in addition to the previous `name:version` to align with the behavior in `cargo add` and other tools. `cargo install` and `cargo yank` also now support this syntax so the version does not need to passed as a separate flag. - The `git` and `registry` directories in Cargo's home directory (usually `~/.cargo`) are now marked as cache directories so that they are not included in backups or content indexing (on Windows). - Added automatic `@` argfile support, which will use "response files" if the command-line to `rustc` exceeds the operating system's limit. Compatibility Notes ------------------- - `cargo test` now passes `--target` to `rustdoc` if the specified target is the same as the host target. [#10594](rust-lang/cargo#10594) - [rustdoc: Remove .woff font files][96279] - [Enforce Copy bounds for repeat elements while considering lifetimes][95819] Internal Changes ---------------- - [Unify ReentrantMutex implementations across all platforms][96042] These changes provide no direct user facing benefits, but represent significant improvements to the internals and overall performance of rustc and related tools. [93313]: rust-lang/rust#93313 [93969]: rust-lang/rust#93969 [94079]: rust-lang/rust#94079 [94206]: rust-lang/rust#94206 [94457]: rust-lang/rust#94457 [94775]: rust-lang/rust#94775 [94872]: rust-lang/rust#94872 [95006]: rust-lang/rust#95006 [95035]: rust-lang/rust#95035 [95372]: rust-lang/rust#95372 [95380]: rust-lang/rust#95380 [95431]: rust-lang/rust#95431 [95705]: rust-lang/rust#95705 [95801]: rust-lang/rust#95801 [95819]: rust-lang/rust#95819 [95841]: rust-lang/rust#95841 [96042]: rust-lang/rust#96042 [96150]: rust-lang/rust#96150 [96268]: rust-lang/rust#96268 [96279]: rust-lang/rust#96279 [96393]: rust-lang/rust#96393 [96436]: rust-lang/rust#96436 [96557]: rust-lang/rust#96557 [`bool::then_some`]: https://doc.rust-lang.org/stable/std/primitive.bool.html#method.then_some [`f32::total_cmp`]: https://doc.rust-lang.org/stable/std/primitive.f32.html#method.total_cmp [`f64::total_cmp`]: https://doc.rust-lang.org/stable/std/primitive.f64.html#method.total_cmp [`Stdin::lines`]: https://doc.rust-lang.org/stable/std/io/struct.Stdin.html#method.lines [`impl<T: Default> Default for AssertUnwindSafe<T>`]: https://doc.rust-lang.org/stable/std/panic/struct.AssertUnwindSafe.html#impl-Default [rc-u8-from-str]: https://doc.rust-lang.org/stable/std/rc/struct.Rc.html#impl-From%3CRc%3Cstr%3E%3E [arc-u8-from-str]: https://doc.rust-lang.org/stable/std/sync/struct.Arc.html#impl-From%3CArc%3Cstr%3E%3E [stdarch/1285]: rust-lang/stdarch#1285 [`windows::CommandExt::raw_arg`]: https://doc.rust-lang.org/stable/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg [`FusedIterator for EncodeWide`]: https://doc.rust-lang.org/stable/std/os/windows/ffi/struct.EncodeWide.html#impl-FusedIterator Version 1.61.0 (2022-05-19) ========================== Language -------- - [`const fn` signatures can now include generic trait bounds][93827] - [`const fn` signatures can now use `impl Trait` in argument and return position][93827] - [Function pointers can now be created, cast, and passed around in a `const fn`][93827] - [Recursive calls can now set the value of a function's opaque `impl Trait` return type][94081] Compiler -------- - [Linking modifier syntax in `#[link]` attributes and on the command line, as well as the `whole-archive` modifier specifically, are now supported][93901] - [The `char` type is now described as UTF-32 in debuginfo][89887] - The [`#[target_feature]`][target_feature] attribute [can now be used with aarch64 features][90621] - X86 [`#[target_feature = "adx"]` is now stable][93745] Libraries --------- - [`ManuallyDrop<T>` is now documented to have the same layout as `T`][88375] - [`#[ignore = "#"]` messages are printed when running tests][92714] - [Consistently show absent stdio handles on Windows as NULL handles][93263] - [Make `std::io::stdio::lock()` return `'static` handles.][93965] Previously, the creation of locked handles to stdin/stdout/stderr would borrow the handles being locked, which prevented writing `let out = std::io::stdout().lock();` because `out` would outlive the return value of `stdout()`. Such code now works, eliminating a common pitfall that affected many Rust users. - [`Vec::from_raw_parts` is now less restrictive about its inputs][95016] - [`std::thread::available_parallelism` now takes cgroup quotas into account.][92697] Since `available_parallelism` is often used to create a thread pool for parallel computation, which may be CPU-bound for performance, `available_parallelism` will return a value consistent with the ability to use that many threads continuously, if possible. For instance, in a container with 8 virtual CPUs but quotas only allowing for 50% usage, `available_parallelism` will return 4. Stabilized APIs --------------- - [`Pin::static_mut`] - [`Pin::static_ref`] - [`Vec::retain_mut`] - [`VecDeque::retain_mut`] - [`Write` for `Cursor<[u8; N]>`][cursor-write-array] - [`std::os::unix::net::SocketAddr::from_pathname`] - [`std::process::ExitCode`] and [`std::process::Termination`]. The stabilization of these two API s now makes it possible for programs to return errors from `main` with custom exit codes. - [`std::thread::JoinHandle::is_finished`] These APIs are now usable in const contexts: - [`<*const T>::offset` and `<*mut T>::offset`][ptr-offset] - [`<*const T>::wrapping_offset` and `<*mut T>::wrapping_offset`] [ptr-wrapping_offset] - [`<*const T>::add` and `<*mut T>::add`][ptr-add] - [`<*const T>::sub` and `<*mut T>::sub`][ptr-sub] - [`<*const T>::wrapping_add` and `<*mut T>::wrapping_add`][ptr-wrapping_add] - [`<*const T>::wrapping_sub` and `<*mut T>::wrapping_sub`][ptr-wrapping_sub] - [`<[T]>::as_mut_ptr`][slice-as_mut_ptr] - [`<[T]>::as_ptr_range`][slice-as_ptr_range] - [`<[T]>::as_mut_ptr_range`][slice-as_mut_ptr_range] Cargo ----- No feature changes, but see compatibility notes. Compatibility Notes ------------------- - Previously native static libraries were linked as `whole-archive` in some cases, but now rustc tries not to use `whole-archive` unless explicitly requested. This [change][93901] may result in linking errors in some cases. To fix such errors, native libraries linked from the command line, build scripts, or [`#[link]` attributes][link-attr] need to - (more common) either be reordered to respect dependencies between them (if `a` depends on `b` then `a` should go first and `b` second) - (less common) or be updated to use the [`+whole-archive`] modifier. - [Catching a second unwind from FFI code while cleaning up from a Rust panic now causes the process to abort][92911] - [Proc macros no longer see `ident` matchers wrapped in groups][92472] - [The number of `#` in `r#` raw string literals is now required to be less than 256][95251] - [When checking that a dyn type satisfies a trait bound, supertrait bounds are now enforced][92285] - [`cargo vendor` now only accepts one value for each `--sync` flag] [cargo/10448] - [`cfg` predicates in `all()` and `any()` are always evaluated to detect errors, instead of short-circuiting.][94295] The compatibility considerations here arise in nightly-only code that used the short-circuiting behavior of `all` to write something like `cfg(all(feature = "nightly", syntax-requiring-nightly))`, which will now fail to compile. Instead, use either `cfg_attr(feature = "nightly", ...)` or nested uses of `cfg`. - [bootstrap: static-libstdcpp is now enabled by default, and can now be disabled when llvm-tools is enabled][94832] Internal Changes ---------------- These changes provide no direct user facing benefits, but represent significant improvements to the internals and overall performance of rustc and related tools. - [debuginfo: Refactor debuginfo generation for types][94261] - [Remove the everybody loops pass][93913] [88375]: rust-lang/rust#88375 [89887]: rust-lang/rust#89887 [90621]: rust-lang/rust#90621 [92285]: rust-lang/rust#92285 [92472]: rust-lang/rust#92472 [92697]: rust-lang/rust#92697 [92714]: rust-lang/rust#92714 [92911]: rust-lang/rust#92911 [93263]: rust-lang/rust#93263 [93745]: rust-lang/rust#93745 [93827]: rust-lang/rust#93827 [93901]: rust-lang/rust#93901 [93913]: rust-lang/rust#93913 [93965]: rust-lang/rust#93965 [94081]: rust-lang/rust#94081 [94261]: rust-lang/rust#94261 [94295]: rust-lang/rust#94295 [94832]: rust-lang/rust#94832 [95016]: rust-lang/rust#95016 [95251]: rust-lang/rust#95251 [`+whole-archive`]: https://doc.rust-lang.org/stable/rustc/command-line-arguments.html#linking-modifiers-whole-archive [`Pin::static_mut`]: https://doc.rust-lang.org/stable/std/pin/struct.Pin.html#method.static_mut [`Pin::static_ref`]: https://doc.rust-lang.org/stable/std/pin/struct.Pin.html#method.static_ref [`Vec::retain_mut`]: https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.retain_mut [`VecDeque::retain_mut`]: https://doc.rust-lang.org/stable/std/collections/struct.VecDeque.html#method.retain_mut [`std::os::unix::net::SocketAddr::from_pathname`]: https://doc.rust-lang.org/stable/std/os/unix/net/struct.SocketAddr.html#method.from_pathname [`std::process::ExitCode`]: https://doc.rust-lang.org/stable/std/process/struct.ExitCode.html [`std::process::Termination`]: https://doc.rust-lang.org/stable/std/process/trait.Termination.html [`std::thread::JoinHandle::is_finished`]: https://doc.rust-lang.org/stable/std/thread/struct.JoinHandle.html#method.is_finished [cargo/10448]: rust-lang/cargo#10448 [cursor-write-array]: https://doc.rust-lang.org/stable/std/io/struct.Cursor.html#impl-Write-4 [link-attr]: https://doc.rust-lang.org/stable/reference/items/external-blocks.html#the-link-attribute [ptr-add]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.add [ptr-offset]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset [ptr-sub]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.sub [ptr-wrapping_add]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.wrapping_add [ptr-wrapping_offset]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.wrapping_offset [ptr-wrapping_sub]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.wrapping_sub [slice-as_mut_ptr]: https://doc.rust-lang.org/stable/std/primitive.slice.html#method.as_mut_ptr [slice-as_mut_ptr_range]: https://doc.rust-lang.org/stable/std/primitive.slice.html#method.as_mut_ptr_range [slice-as_ptr_range]: https://doc.rust-lang.org/stable/std/primitive.slice.html#method.as_ptr_range [target_feature]: https://doc.rust-lang.org/reference/attributes/codegen.html#the-target_feature-attribute
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Oct 6, 2023
…copies, r=workingjubilee Clean up SGX user memory copies Follow-up on rust-lang#98126 and rust-lang#100383 r? `@cuviper` cc `@raoulstrackx`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Intel publicly disclosed the MMIO stale data vulnerability on June 14. To mitigate this vulnerability, compiler changes are required for the
x86_64-fortanix-unknown-sgxtarget.cc: @jethrogb