[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180104021553.32084de3@alans-desktop>
Date: Thu, 4 Jan 2018 02:15:53 +0000
From: Alan Cox <gnomes@...rguk.ukuu.org.uk>
To: Jiri Kosina <jikos@...nel.org>
Cc: Dan Williams <dan.j.williams@...el.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Mark Rutland <mark.rutland@....com>,
linux-arch@...r.kernel.org, Peter Zijlstra <peterz@...radead.org>,
Greg KH <gregkh@...uxfoundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
Elena Reshetova <elena.reshetova@...el.com>
Subject: Re: [RFC PATCH] asm/generic: introduce if_nospec and nospec_barrier
> Disagreed, violently. CPU has to execute the instructions I ask it to
> execute, and if it executes *anything* else that reveals any information
> about the instructions that have *not* been executed, it's flawed.
Then stick to in order processors. Just don't be in a hurry to get your
computation finished.
> > Elena has done the work of auditing static analysis reports to a dozen
> > or so locations that need some 'nospec' handling.
>
> How exactly is that related (especially in longer-term support terms) to
> BPF anyway?
If you read the papers you need a very specific construct in order to not
only cause a speculative load of an address you choose but also to then
manage to cause a second operation that in some way reveals bits of data
or allows you to ask questions.
BPF allows you to construct those sequences relatively easily and it's
the one case where a user space application can fairly easily place code
it wants to execute in the kernel. Without BPF you have to find the right
construct in the kernel, prime all the right predictions and measure the
result without getting killed off. There are places you can do that but
they are not so easy and we don't (at this point) think there are that
many.
The same situation occurs in user space with interpreters and JITs,hence
the paper talking about javascript. Any JIT with the ability to do timing
is particularly vulnerable to versions of this specific attack because
the attacker gets to create the code pattern rather than have to find it.
Alan
Powered by blists - more mailing lists