On Thu, Jan 4, 2018 at 3:26 AM, Pavel Machek <pa...@ucw.cz> wrote: > On Wed 2018-01-03 15:51:35, Linus Torvalds wrote: >> >> A *competent* CPU engineer would fix this by making sure speculation >> doesn't happen across protection domains. Maybe even a L1 I$ that is >> keyed by CPL. > > Would that be enough?
No, you'd need to add the CPL to the branch target buffer itself, not the I$ L1. And as somebody pointed out, that only helps the user space messing with the kernel. It doesn't help the "one user context fools another user context to mispredict". (Where the user contexts might be a JIT'ed JS vs the rest of the web browser). So you really would want to just make sure the full address is used to index (or at least verify) the BTB lookup, and even then you'd then need to invalidate the BTB on context switches so that one context can't fill in data for another context. Linus