Retbleed (RSBA vs BTC)

From: Jim Mattson
Date: Thu Jul 14 2022 - 20:30:18 EST


What is the value in conflating the Intel and AMD findings under the
same moniker (arch/x86/kernel/cpu/common.c)? The vulnerabilities seem
quite different to me.

The Intel CPUs tagged with RETBLEED should already report RSBA. The
paper just highlights this previously disclosed vulnerability. Or are
there Intel CPUs subject to Retbleed that don't report RSBA, and I'm
just confused?

On the AMD side, however, Branch Type Confusion is a much bigger deal.
All instructions are subject to steering by BTI, not just returns with
an empty RSB.

Don't these two vulnerabilities deserve separate names (and don't we
already have a name for the first one)?

Tangentially, I believe that the following line is wrong:
VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED),

Steppings 5, 6, and 7 are "Cascade Lake," with eIBRS, and I don't
think Cascade Lake suffers from RSBA.
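As an added illustration (not part of this email, and not the kernel's own code), the model below mirrors how a stepping-masked blacklist entry like the one quoted above gets matched against a CPU's model and stepping, so the effect of `X86_STEPPING_ANY` on steppings 5 through 7 can be checked directly. The bitmask scheme (`X86_STEPPING_ANY` = 0xffff, a per-stepping bit) follows the kernel's convention and the `ARCH_CAPABILITIES` bit positions for IBRS_ALL (bit 1) and RSBA (bit 2) are the documented ones; the flag values, the table layout, the helper names and the "narrowed" split of the SKYLAKE_X entry are assumptions made for this example and follow the email's argument rather than any committed change.

```c
/* Added example (not kernel code): a minimal model of how an x86
 * CPU-vulnerability blacklist entry such as
 *   VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED)
 * is matched against a CPU's model and stepping. Flag values, the table
 * layout and the "narrowed" entries are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MMIO      (1u << 0)   /* assumed flag value */
#define RETBLEED  (1u << 1)   /* assumed flag value */

/* Stepping bitmask: bit N set means stepping N matches. */
#define X86_STEPPING_ANY 0xffffu
#define X86_STEPPINGS(min, max) \
    ((((1u << ((max) + 1)) - 1u)) & ~((1u << (min)) - 1u))

/* Intel ARCH_CAPABILITIES MSR bits referred to in the email. */
#define ARCH_CAP_IBRS_ALL (1ull << 1)  /* enhanced IBRS (eIBRS) */
#define ARCH_CAP_RSBA     (1ull << 2)  /* RSB alternate behaviour */

enum { SKYLAKE_X = 0x55 };  /* family-6 model number of Skylake-X / Cascade Lake */

struct vuln_entry {
    unsigned model;
    unsigned stepping_mask;
    unsigned flags;
};

/* OR together the flags of every entry whose model and stepping mask match. */
unsigned match_flags(const struct vuln_entry *tab, size_t n,
                     unsigned model, unsigned stepping)
{
    unsigned flags = 0;
    for (size_t i = 0; i < n; i++)
        if (tab[i].model == model && (tab[i].stepping_mask & (1u << stepping)))
            flags |= tab[i].flags;
    return flags;
}

/* The entry as quoted in the email: every SKYLAKE_X stepping is tagged. */
static const struct vuln_entry table_as_questioned[] = {
    { SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED },
};

/* Hypothetical split following the email's reasoning: steppings 5..7
 * keep MMIO but are no longer tagged RETBLEED. Illustrative only. */
static const struct vuln_entry table_narrowed[] = {
    { SKYLAKE_X, X86_STEPPINGS(0x0, 0x4), MMIO | RETBLEED },
    { SKYLAKE_X, X86_STEPPINGS(0x5, 0x7), MMIO },
};

unsigned flags_as_questioned(unsigned stepping)
{
    return match_flags(table_as_questioned,
                       sizeof table_as_questioned / sizeof table_as_questioned[0],
                       SKYLAKE_X, stepping);
}

unsigned flags_narrowed(unsigned stepping)
{
    return match_flags(table_narrowed,
                       sizeof table_narrowed / sizeof table_narrowed[0],
                       SKYLAKE_X, stepping);
}

/* Decode the two ARCH_CAPABILITIES bits the email contrasts. */
int arch_caps_reports_rsba(uint64_t arch_caps)
{
    return (arch_caps & ARCH_CAP_RSBA) != 0;
}

int arch_caps_reports_eibrs(uint64_t arch_caps)
{
    return (arch_caps & ARCH_CAP_IBRS_ALL) != 0;
}

int main(void)
{
    for (unsigned s = 0; s <= 7; s++)
        printf("stepping %u: as questioned 0x%x, narrowed 0x%x\n",
               s, flags_as_questioned(s), flags_narrowed(s));
    /* Constructed MSR value: eIBRS reported, RSBA not reported. */
    uint64_t sample_caps = ARCH_CAP_IBRS_ALL;
    printf("eIBRS=%d RSBA=%d\n", arch_caps_reports_eibrs(sample_caps),
           arch_caps_reports_rsba(sample_caps));
    return 0;
}
```

Running it shows that with `X86_STEPPING_ANY` stepping 7 picks up `MMIO | RETBLEED` exactly like stepping 0, whereas a stepping-ranged entry lets the table say something different for steppings 5 through 7; which steppings actually warrant the RETBLEED tag is the question the email raises, not something this model decides.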