Re: Spectre on non-amd64

2018-01-19 Thread Michael
Hello,

On Fri, 19 Jan 2018 21:55:12 + wrote:

> > On Jan 19, 2018, at 4:47 PM,   wrote:
> > 
> > Hi folks.
> > 
> > I think that the spectre variant 2 situation is a lot worse for:
> > - Speculative CPU
> > - Weak memory protection
> > 
> > Then I don't need a JIT for gadgets.
> > 
> > Architectures that fall into this:
> > - default i386 netbsd, because it is missing NX bit (PAE is optional)
> > - MIPS for us, because we don't use kseg2 and then it doesn't go through
> >  MMU.  
> 
> which MIPS do speculative execution?

R1xk, Loongson (at least since L2), probably quite a few modern ones.

have fun
Michael


Re: Spectre on non-amd64

2018-01-19 Thread Paul.Koning


> On Jan 19, 2018, at 4:47 PM,   wrote:
> 
> Hi folks.
> 
> I think that the spectre variant 2 situation is a lot worse for:
> - Speculative CPU
> - Weak memory protection
> 
> Then I don't need a JIT for gadgets.
> 
> Architectures that fall into this:
> - default i386 netbsd, because it is missing NX bit (PAE is optional)
> - MIPS for us, because we don't use kseg2 and then it doesn't go through
>  MMU.

which MIPS do speculative execution?

paul



Re: Spectre on non-amd64

2018-01-19 Thread maya
Spectre variant 2 also relies on me being able to poison the branch
target buffer. loongson had a similar issue where errant BTB entries
would cause hangs, and they then claimed this at kernel entry clears
out their BTB:*

        jal     1f              # four taken branches at consecutive addresses,
         nop                    # each to the label right after its delay slot
1:      jal     1f
         nop
1:      jal     1f
         nop
1:      jal     1f
         nop
1:

A question is whether that works for other branch predictors, and
how many we would need.

* https://github.com/torvalds/linux/blob/2d6349944d967129c1da3c47287376f10121dbe1/arch/mips/include/asm/stackframe.h#L152-L164
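The Loongson entry sequence is a chain of taken branches at consecutive addresses, each targeting the next one. As an added example (not code from this thread or from the Linux tree), here is a Python model of an untagged, direct-mapped BTB that checks whether such a chain overwrites every entry and how long it has to be; it generalizes the four-jal case to arbitrary sizes and index granularities. The BTB size, the index function (low PC bits above an assumed granularity), the chain address 0x80000180 and the stale-target marker are assumptions, not a description of any real Loongson or R1xk predictor.

```python
# Added example, not from the thread: a toy model of an untagged, direct-mapped
# branch target buffer (BTB) for checking whether a chain of "jal 1f / nop / 1:"
# pairs like the Loongson entry sequence overwrites every entry, and how long it
# must be. The geometry and index function are assumptions, not any real part.

JAL_STRIDE = 8         # jal (4 bytes) + nop in its delay slot (4 bytes)
ENTRY_PC = 0x80000180  # assumed chain location (MIPS general exception vector)
STALE = 0xDEAD0000     # marker for an entry left over from before kernel entry


class DirectMappedBTB:
    # index = (pc >> index_shift) & (entries - 1); no tag, so every branch
    # whose PC maps to an index inherits that entry's predicted target.
    def __init__(self, entries, index_shift):
        assert entries > 0 and entries & (entries - 1) == 0, "power of two"
        self.entries, self.index_shift = entries, index_shift
        self.target = [None] * entries

    def index(self, pc):
        return (pc >> self.index_shift) & (self.entries - 1)

    def record_taken(self, pc, target):
        self.target[self.index(pc)] = target

    def predict(self, pc):
        return self.target[self.index(pc)]


def jal_chain(base_pc, count):
    # (pc, target) of `count` back-to-back jal/nop pairs: each jal targets the
    # label after its delay slot, which is the next jal (or the final label).
    return [(base_pc + i * JAL_STRIDE, base_pc + (i + 1) * JAL_STRIDE)
            for i in range(count)]


def stale_entries_after_chain(btb, count, base_pc=ENTRY_PC):
    # Worst case: every entry starts stale; run the chain, count what survives.
    btb.target = [STALE] * btb.entries
    for pc, target in jal_chain(base_pc, count):
        btb.record_taken(pc, target)
    return sum(1 for t in btb.target if t == STALE)


def minimum_chain_length(entries, index_shift, limit=None):
    # Shortest chain leaving no stale entry; None if none up to `limit` jals
    # (default 4 * entries) does, which means the chain cannot reach every set.
    for count in range(1, (limit or 4 * entries) + 1):
        if stale_entries_after_chain(DirectMappedBTB(entries, index_shift), count) == 0:
            return count
    return None
```

In this model four jals suffice only for a 4-entry BTB indexed at 8-byte granularity; with 4-byte indexing the 8-byte stride never touches the odd sets, and with 16-byte fetch blocks two jals land in each set, so the answer to "how many we would need" depends on the index function as much as on the size.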


Spectre on non-amd64

2018-01-19 Thread maya
Hi folks.

I think that the spectre variant 2 situation is a lot worse for:
- Speculative CPU
- Weak memory protection

Then I don't need a JIT for gadgets.

Architectures that fall into this:
- default i386 netbsd, because it is missing NX bit (PAE is optional)
- MIPS for us, because we don't use kseg2 and then it doesn't go through
  MMU.

No NX bit:
- Make a file, the contents of it is a spectre gadget
- Put it in buffer cache
- Poison branch predictor, which will speculatively execute the contents
  of this file

No SMEP:
- Locally create a spectre gadget and make it executable
- Poison branch predictor to jump to my user-memory gadget
- Enter kernel
(Maybe helped by Meltdown fixes, if they are early enough)

Now I am not sure how MMUs work, but I think that even if
- Kernel has its own ASID
- But... we haven't switched to it yet before performing a branch

Then at the early branches I could speculate-execute some user code.