From: Jonathan Morton
Date: Fri, 5 Jan 2018 16:07:03 +0200
To: Dave Taht
Cc: "dpreed@deepplum.com", Joel Wirāmu Pauling, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Spectre and EBPF JIT
References: <1515103048.715224709@apps.rackspace.com> <1515103759.340132151@apps.rackspace.com> <1515106728.430510671@apps.rackspace.com>

> On 5 Jan, 2018, at 6:53 am, Dave Taht wrote:
>
> It took me a long while to digest that one. The branch predictor
> analysis of haswell was easiest to understand (and AMD claims to have
> an AI based one), and perhaps scrambling that at random intervals
> would help? (this stuff is now way above my pay grade)

Software mitigations for all three attacks have been developed during the "responsible disclosure" period.

Spectre v1: adding an LFENCE instruction (memory load fence) to JIT code performing a bounds-checked array read. This is basically a userspace fix for a userspace attack. Firefox just got this, Chrome undoubtedly will too, if it hasn't already.
Spectre v2: three different mitigations are appropriate for different families of CPU: https://lkml.org/lkml/2018/1/4/742

On AMD CPUs, the small risk actually existing (because AMD's BTB is much less prone to poisoning than Intel's) is erased by adding LFENCE to privileged indirect branches. This has only a very small cost.

On Intel CPUs until Broadwell inclusive (and Silvermont onwards), a "retpoline" structure is necessary and sufficient. This has a bigger cost than LFENCE and is pretty ugly to look at, but it's still relatively minor.

On Skylake, Kaby Lake and Coffee Lake, something more exotic is required - I think it involves temporarily disabling the BTB during privileged indirect branches. That's *really* ugly, and involves tweaking poorly-documented MSRs.

Something similar in nature to the above should also work for affected ARM cores.

Meltdown: nothing is required for AMD CPUs. Unmapping the privileged addresses when returning to userspace is sufficient for Intel, but incurs a big performance overhead for syscalls. The same is likely true for any other affected CPUs.

 - Jonathan Morton
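The Spectre v1 gadget and the "LFENCE after the bounds check" fix the message describes, shown as an added example that is not part of the thread and not code from any JIT, browser or kernel. The table, its contents and the probe indices are constructed; `read_unfenced`, `read_fenced`, `read_masked` and `index_mask_nospec` are hypothetical names. The second mitigation is a stand-alone re-implementation of the branchless index-clamping idea behind Linux's `array_index_nospec()` helper, not the kernel's code; the AArch64 barrier used is a conservative assumption (Linux itself uses CSDB-based masking there):

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table: a small array whose index an untrusted caller
 * controls, which is the shape of the Spectre v1 gadget discussed above. */
#define TABLE_LEN 16u
static const uint8_t table[TABLE_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};

/* Vulnerable form: architecturally correct, but the CPU may predict the
 * branch as taken with an out-of-bounds idx and issue the load anyway,
 * leaving a cache footprint that depends on memory past the table. */
uint8_t read_unfenced(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Mitigation 1 (what the message describes for JIT'd code): a serialising
 * barrier between the bounds check and the dependent load, so the load is
 * not issued until the branch has actually resolved. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    /* Assumption: a full DSB+ISB is used here as a conservative barrier. */
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    /* Compiler-only barrier: no hardware fence is known for this target. */
    __asm__ __volatile__("" ::: "memory");
#endif
}

uint8_t read_fenced(size_t idx)
{
    if (idx < TABLE_LEN) {
        speculation_barrier();
        return table[idx];
    }
    return 0;
}

/* Mitigation 2: branchless index clamping. Returns all-ones when idx < len
 * and zero otherwise, computed purely arithmetically so that no branch
 * outcome has to be predicted for the result to be right. */
size_t index_mask_nospec(size_t idx, size_t len)
{
    /* Hide idx from the optimiser so the mask is always materialised, even
     * where the compiler believes an earlier check already proved idx < len. */
    __asm__ __volatile__("" : "+r"(idx));
    /* If idx < len, both idx and len-1-idx have the top bit clear; otherwise
     * the subtraction wraps (or idx itself is huge) and the top bit is set.
     * Arithmetic right shift then smears that bit across the whole word. */
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1));
}

uint8_t read_masked(size_t idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    /* Even if the branch above is mispredicted, idx is forced to 0 before it
     * reaches the load, so the only address read speculatively is table[0]. */
    idx &= index_mask_nospec(idx, TABLE_LEN);
    return table[idx];
}

int main(void)
{
    /* Constructed probes: in-bounds, boundary, and wildly out-of-bounds indices. */
    size_t probes[] = { 0, 5, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu unfenced=%u fenced=%u masked=%u\n", probes[i],
               (unsigned)read_unfenced(probes[i]), (unsigned)read_fenced(probes[i]),
               (unsigned)read_masked(probes[i]));
    return 0;
}
```

All three readers return identical architectural results, which is the point: a functional test cannot tell the vulnerable and mitigated forms apart, because the difference exists only in what the CPU does while mis-speculating. Verifying the fix means inspecting the generated machine code (for example with objdump) to confirm that the fence, or the mask computation, sits between the compare and the load and was not hoisted or deleted by the optimiser; that is also why the mask function hides its input from the compiler.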