[PATCH] D113685: [IR] Define "ptrauth" operand bundle.

Kristof Beyls via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Nov 19 06:00:28 PST 2021


kristof.beyls added a comment.

I just have 2 bike-sheddy comments on the documentation text.
My comments should not delay you in getting this committed if they do not make sense to you.



================
Comment at: llvm/docs/PointerAuth.md:234-235
+[``llvm.ptrauth.resign``](#llvm-ptrauth-resign)).  To prevent that, the
+``ptrauth`` operand bundle may be used: it guarantees that the intermediate
+call target is never attackable (e.g., by being spilled to memory).
+
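Review bot: the parenthetical "(e.g., by being spilled to memory)" in the last added sentence hangs off "never attackable" and can be read either as the way the guarantee is met or as the exposure it rules out. Suggest naming the property directly, for example that the intermediate call target is never spilled to memory, and then saying in a separate clause what that prevents.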
----------------
If you allow me to bikeshed on this sentence: "guaranteeing an intermediate call target is never attackable" seems like a very bold claim to me.
I wonder if it would (a) be better, and (b) be possible to more concretely define exactly what is guaranteed in more detail.
Is what is currently guaranteed "it guarantees that the intermediate call target is kept in a register and never stored to memory, e.g. by being spilled"?
If we want to relate this guarantee to reduced attackability, a sentence could be added saying something like "Not storing and reloading the unauthenticated pointer to/from memory removes an attack surface where an attacker would overwrite the unauthenticated pointer in memory".

I'm assuming that no other guarantees are implemented?
If in the future it becomes clear that more guarantees need to be implemented, the documentation here can be extended to list further guarantees?


================
Comment at: llvm/docs/PointerAuth.md:259
+but with the added guarantee that ``%fp_i``, ``%fp_auth``, and ``%fp_auth_p``
+are never attackable.
+
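Review bot: "are never attackable" for ``%fp_i``, ``%fp_auth``, and ``%fp_auth_p`` states the guarantee with no qualifier at all, while the sentence at 234-235 at least gives spilling to memory as the example. Suggest using one wording for the guarantee in both places, or referring back to the earlier sentence here, so the two statements cannot drift apart.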
----------------
Similarly to my other comment, "are never attackable" seems a bit strong. Would "are never stored and reloaded to/from memory" be a more exact description of the added guarantee?


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D113685/new/

https://reviews.llvm.org/D113685
