RE: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation

From: Van De Ven, Arjan
Date: Thu Jan 25 2018 - 21:55:15 EST
> -----Original Message-----
> From: Liran Alon [mailto:liran.alon@xxxxxxxxxx]
> Sent: Thursday, January 25, 2018 6:50 PM
> To: Hansen, Dave <dave.hansen@xxxxxxxxx>
> Cc: labbott@xxxxxxxxxx; luto@xxxxxxxxxx; Janakarajan.Natarajan@xxxxxxx;
> torvalds@xxxxxxxxxxxxxxxxxxxx; bp@xxxxxxx; Mallick, Asit K
> <asit.k.mallick@xxxxxxxxx>; rkrcmar@xxxxxxxxxx; karahmed@xxxxxxxxx;
> hpa@xxxxxxxxx; mingo@xxxxxxxxxx; Nakajima, Jun
> <jun.nakajima@xxxxxxxxx>; x86@xxxxxxxxxx; Raj, Ashok <ashok.raj@xxxxxxxxx>;
> Van De Ven, Arjan <arjan.van.de.ven@xxxxxxxxx>; tim.c.chen@xxxxxxxxxxxxxxx;
> pbonzini@xxxxxxxxxx; ak@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
> dwmw2@xxxxxxxxxxxxx; peterz@xxxxxxxxxxxxx; tglx@xxxxxxxxxxxxx;
> gregkh@xxxxxxxxxxxxxxxxxxx; mhiramat@xxxxxxxxxx; arjan@xxxxxxxxxxxxxxx;
> thomas.lendacky@xxxxxxx; Williams, Dan J <dan.j.williams@xxxxxxxxx>;
> joro@xxxxxxxxxx; kvm@xxxxxxxxxxxxxxx; aarcange@xxxxxxxxxx
> Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect
> Branch Speculation
>
>

> Google P0 blog-post
> (https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-memory-with-side.html)
> claims that BTB & BHB only use <31 low bits of the address of the source
> instruction to lookup into the BTB. In addition, it claims that the higher bits
> of the predicted destination change together with the higher bits of the source
> instruction.
>
> Therefore, it should be possible to leak the low bits of high prediction-mode
> code BTB/BHB entries from low prediction-mode code, because the predicted
> destination address will reside in user-space.
>
> What am I missing?


I thought this email thread was about the RSB...