Re: Spectre on non-amd64
Hello,

On Fri, 19 Jan 2018 21:55:12 +wrote:

> > On Jan 19, 2018, at 4:47 PM, wrote:
> >
> > Hi folks.
> >
> > I think that the spectre variant 2 situation is a lot worse for:
> > - Speculative CPU
> > - Weak memory protection
> >
> > Then I don't need a JIT for gadgets.
> >
> > Architectures that fall into this:
> > - default i386 netbsd, because it is missing NX bit (PAE is optional)
> > - MIPS for us, because we don't use kseg2 and then it doesn't go through
> >   MMU.
>
> which MIPS do speculative execution?

R1xk, Loongson (at least since L2), probably quite a few modern ones.

have fun
Michael
Re: Spectre on non-amd64
> On Jan 19, 2018, at 4:47 PM, wrote:
>
> Hi folks.
>
> I think that the spectre variant 2 situation is a lot worse for:
> - Speculative CPU
> - Weak memory protection
>
> Then I don't need a JIT for gadgets.
>
> Architectures that fall into this:
> - default i386 netbsd, because it is missing NX bit (PAE is optional)
> - MIPS for us, because we don't use kseg2 and then it doesn't go through
>   MMU.

which MIPS do speculative execution?

paul
Re: Spectre on non-amd64
Spectre variant 2 also relies on me being able to poison the branch target buffer.

loongson had a similar issue where errant BTB entries would cause hangs, and they then claimed this at kernel entry clears out their BTB:*

	jal	1f
	 nop
1:	jal	1f
	 nop
1:	jal	1f
	 nop
1:	jal	1f
	 nop
1:

A question is whether that works for other branch predictors, and how many we would need.

* https://github.com/torvalds/linux/blob/2d6349944d967129c1da3c47287376f10121dbe1/arch/mips/include/asm/stackframe.h#L152-L164
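How many such jumps a predictor needs, and whether the trick carries over to other designs, depends on how the branch target buffer is indexed. The following Python is an added illustration, not code from this thread or from the Linux file linked above: it models a deliberately simple direct-mapped, untagged BTB (an assumed geometry, not a description of Loongson or any other real part), poisons every slot the way a Spectre v2 attacker would, then runs a chain of `jal 1f; nop; 1:` pairs and counts how many poisoned slots the chain actually overwrites. The addresses, the per-instruction versus per-8-byte indexing options and the "gadget" constant are all constructed for the example.

```python
"""Toy model for reasoning about a BTB flush built from "jal 1f / nop / 1:" pairs.

Added example: the BTB geometry (direct-mapped, untagged, indexed by low address
bits) is an assumption chosen for illustration, not a model of any real CPU.
"""

MIPS_INSN_BYTES = 4                    # every MIPS instruction is 4 bytes
JAL_PAIR_BYTES = 2 * MIPS_INSN_BYTES   # "jal 1f" plus the nop in its delay slot


class ToyBTB:
    """Direct-mapped, untagged branch target buffer (assumed model).

    Untagged means predict() returns whatever target sits at the index, no
    matter which PC installed it; that is exactly the property an attacker
    relies on to poison a victim's indirect branch from another context.
    """

    def __init__(self, entries, granularity_bytes=MIPS_INSN_BYTES):
        if entries <= 0 or entries & (entries - 1):
            raise ValueError("entries must be a power of two")
        self.entries = entries
        self.granularity = granularity_bytes  # address bits below this are ignored
        self.targets = [None] * entries

    def index(self, pc):
        return (pc // self.granularity) % self.entries

    def record(self, pc, target):
        """A taken branch or jump at pc installs (or overwrites) its slot."""
        self.targets[self.index(pc)] = target

    def predict(self, pc):
        return self.targets[self.index(pc)]


def poison(btb, victim_pc, gadget_pc):
    """Attacker runs a jump at an address that aliases victim_pc's slot, so the
    victim's next indirect branch is predicted to go to the gadget."""
    alias_pc = victim_pc + btb.entries * btb.granularity  # same index bits
    btb.record(alias_pc, gadget_pc)
    return btb.index(alias_pc) == btb.index(victim_pc)


def jal_chain_pcs(base_pc, pairs):
    """Addresses of the jal instructions in `pairs` repetitions of
    'jal 1f; nop; 1:' laid out back to back from base_pc."""
    return [base_pc + i * JAL_PAIR_BYTES for i in range(pairs)]


def run_jal_chain(btb, base_pc, pairs):
    """Execute the chain: each jal is a taken jump whose target is the label
    just past its delay slot, so it overwrites one slot with a harmless target.
    Returns the set of BTB indices the chain touched."""
    touched = set()
    for pc in jal_chain_pcs(base_pc, pairs):
        btb.record(pc, pc + JAL_PAIR_BYTES)
        touched.add(btb.index(pc))
    return touched


def surviving_poison(btb, victim_pcs, gadget_pc):
    """Victim branches still predicted to land on the gadget after the chain."""
    return [pc for pc in victim_pcs if btb.predict(pc) == gadget_pc]


def flush_coverage(entries, granularity_bytes, pairs, base_pc=0x8000_0000):
    """Poison every slot, run the chain, return (slots cleared, slots still poisoned)."""
    btb = ToyBTB(entries, granularity_bytes)
    gadget = 0x0040_1000  # constructed user-space gadget address
    # One victim indirect branch per slot (constructed addresses).
    victims = [0x8010_0000 + i * granularity_bytes for i in range(entries)]
    for victim in victims:
        poison(btb, victim, gadget)
    run_jal_chain(btb, base_pc, pairs)
    left = len(surviving_poison(btb, victims, gadget))
    return entries - left, left


if __name__ == "__main__":
    for gran in (4, 8):
        for n in (4, 8, 16):
            cleared, left = flush_coverage(16, gran, n)
            print(f"index granularity {gran}B, {n:2d} pairs: "
                  f"{cleared} slots cleared, {left} still poisoned")
```

Under this model each pair is 8 bytes long, so a BTB indexed per instruction only ever sees the even slots and no number of pairs clears the odd ones, while a BTB indexed per 8-byte block needs exactly one pair per entry. Whether four pairs are enough is therefore a property of the predictor's size and indexing, which is why the answer for other MIPS parts cannot be read off the Loongson sequence alone.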
Spectre on non-amd64
Hi folks.

I think that the spectre variant 2 situation is a lot worse for:
- Speculative CPU
- Weak memory protection

Then I don't need a JIT for gadgets.

Architectures that fall into this:
- default i386 netbsd, because it is missing NX bit (PAE is optional)
- MIPS for us, because we don't use kseg2 and then it doesn't go through MMU.

No NX bit:
- Make a file whose contents are a spectre gadget
- Put it in buffer cache
- Poison branch predictor, which will speculatively execute the contents of this file

No SMEP:
- Locally create a spectre gadget and make it executable
- Poison branch predictor to jump to my user-memory gadget
- Enter kernel (maybe helped by Meltdown fixes, if they are early enough)

Now I am not sure how MMUs work, but I think that even if
- Kernel has its own ASID
- But... we haven't switched to it yet before performing a branch
then at the early branches I could speculatively execute some user code.