tech-kern archive


Spectre on non-amd64



Hi folks.

I think that the Spectre variant 2 situation is a lot worse for:
- Speculative CPU
- Weak memory protection

Then I don't need a JIT for gadgets.

Architectures that fall into this:
- default i386 NetBSD, because it is missing the NX bit (PAE is optional)
- MIPS for us, because we don't use kseg2 and then it doesn't go through
  the MMU.

No NX bit:
- Make a file whose contents are a Spectre gadget
- Put it in buffer cache
- Poison branch predictor, which will speculatively execute the contents
  of this file

No SMEP:
- Locally create a Spectre gadget and make it executable
- Poison branch predictor to jump to my user-memory gadget
- Enter kernel
	(Maybe helped by Meltdown fixes, if they are early enough)

Now I am not sure how MMUs work, but I think that even if
- Kernel has its own ASID
- But... we haven't switched to it yet before performing a branch

Then at the early branches I could speculatively execute some user code.
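An added check (example code, not part of the original post and not NetBSD code): the "No NX bit" scenario above hinges on readable memory being implicitly executable. This C program probes whether the platform it runs on refuses to execute a plain read/write data page. It writes a tiny return-42 stub into a fresh anonymous page and calls it twice, once after remapping the page read/execute and once while it is still read/write, catching SIGSEGV/SIGBUS with sigsetjmp/siglongjmp. It assumes a POSIX system (mmap, mprotect, sigaction) on x86 or AArch64; the function and constant names are hypothetical. It performs no speculative execution at all; it only reports whether the architectural protection the post says i386 without PAE lacks is present on the machine you are testing.

```c
/* nx_probe.c: does this platform refuse to execute a plain data page?
 * Added example, not from the original post. Assumes POSIX (mmap, mprotect,
 * sigaction, sigsetjmp) on x86 or AArch64. Names are hypothetical. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

enum { EXEC_BLOCKED = -1, EXEC_UNSUPPORTED = -2, EXEC_SETUP_FAILED = -3 };

/* Stub that returns 42: `mov eax, 42; ret` on x86, `mov w0, #42; ret` on AArch64. */
#if defined(__x86_64__) || defined(__i386__)
static const uint8_t stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
static const uint8_t stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
static const uint8_t stub[] = { 0 }; /* no encoding for this ISA; probe disabled */
#define NX_PROBE_UNSUPPORTED 1
#endif

static sigjmp_buf fault_env;

/* A fault while calling into the page means the CPU/MMU refused to fetch from it. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Copy the stub into a fresh anonymous page, set protection `prot`, call it.
 * Returns 42 if the page executed, EXEC_BLOCKED if the call faulted. */
static int try_execute(int prot)
{
#ifdef NX_PROBE_UNSUPPORTED
    (void)prot;
    return EXEC_UNSUPPORTED;
#else
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return EXEC_SETUP_FAILED;
    uint8_t *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return EXEC_SETUP_FAILED;
    memcpy(page, stub, sizeof stub);            /* write while the page is RW */
    if (prot != (PROT_READ | PROT_WRITE) &&
        mprotect(page, (size_t)pagesz, prot) != 0) {
        munmap(page, (size_t)pagesz);
        return EXEC_SETUP_FAILED;
    }
    /* Make the written bytes visible to the instruction fetch (no-op on x86). */
    __builtin___clear_cache((char *)page, (char *)page + sizeof stub);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)page;
        result = fn();                          /* either returns 42 or faults */
    } else {
        result = EXEC_BLOCKED;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return result;
#endif
}

/* Legitimate case: a read/execute page should run the stub everywhere. */
int exec_from_rx_page(void) { return try_execute(PROT_READ | PROT_EXEC); }

/* Data page: EXEC_BLOCKED where NX/XN is enforced; 42 where readable memory
 * is implicitly executable, which is the i386-without-PAE situation above. */
int exec_from_rw_page(void) { return try_execute(PROT_READ | PROT_WRITE); }

int main(void)
{
    printf("RX page: %d\n", exec_from_rx_page());
    int rw = exec_from_rw_page();
    printf("RW page: %d (%s)\n", rw,
           rw == EXEC_BLOCKED ? "NX enforced" :
           rw == 42 ? "data page executed: no NX" : "probe unavailable");
    return 0;
}
```

On an amd64 or PAE-enabled i386 kernel the RW call faults and the probe prints "NX enforced"; on a non-PAE i386 kernel the same call returns 42, which is exactly the property that lets file contents sitting in the buffer cache serve as a gadget.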

