> -----Original Message-----
> From: Liran Alon [mailto:[email protected]]
> Sent: Thursday, January 25, 2018 6:50 PM
> To: Hansen, Dave <[email protected]>
> Cc: [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; Mallick, Asit K
> <[email protected]>; [email protected]; [email protected];
> [email protected]; [email protected]; Nakajima, Jun
> <[email protected]>; [email protected]; Raj, Ashok <[email protected]>;
> Van De Ven, Arjan <[email protected]>; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; Williams, Dan J <[email protected]>;
> [email protected]; [email protected]; [email protected]
> Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation
>
>
> Google P0 blog-post
> (https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-memory-with-side.html)
> claims that BTB & BHB only use <31 low bits of the address of the source
> instruction to lookup into the BTB. In addition, it claims that the higher
> bits of the predicted destination change together with the higher bits of
> the source instruction.
>
> Therefore, it should be possible to leak the low bits of high prediction-mode
> code BTB/BHB entries from low prediction-mode code. Because the predicted
> destination address will reside in user-space.
>
> What am I missing?
I thought this email thread was about the RSB...