[GTALUG] more on Spectre v2

D. Hugh Redelmeier hugh at mimosa.com
Mon Feb 5 11:50:42 EST 2018


| From: David Collier-Brown via talk <talk at gtalug.org>

| There's also a race condition: the 6130 and DPS8m processors checked the
| permissions of the fetch before they fetched to the (then small) cache.

[These are Honeywell mainframe computers.]

Spectre V2 is about subverting branch target prediction.  Something
quite different.

BUT this subversion only matters because speculation of memory fetches
leaves a trace.  So what you mention is relevant, indirectly.

Checking permissions can be quite expensive: going through multi-level
page tables can involve several memory fetches (which you'd like to 
speculate past).

Obvious cure: keep permissions in each cache line.  The trouble is
that permissions can be bulky, forcing a reduction in the effective
size of the cache.  AMD may have done more of this than Intel
<https://www.amd.com/en/corporate/speculative-execution>

	GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not
	applicable to AMD processors.

	    We believe AMD processors are not susceptible due to our
	use of privilege level protections within paging architecture
	and no mitigation is required.

Intel seems to have added PCID to each cache line.  It is too small to
encode a process number but you could assign a PCID number to each
active process/thread and when you run out, do hard work.  It would be
kind of analogous to the way we allocate page frames (real memory) to
pages of processes (virtual memory).

Linux did not use PCID but it seems that Spectre and Meltdown are
stimulating interest in it.

| Simulating the same thing in the Multics emulator took some extra work but
| it was implemented well before the spectre attacks showed up.

I assume that we're not talking about a cycle-accurate emulator nor an
emulator done in hardware.

How would it be extra work in an emulator?  An emulator doesn't
normally do speculative execution.  For normal path execution, of
course you must emulate the permissions model of the hardware.


More information about the talk mailing list