Re: [RFC PATCH 0/2] Branch Target Injection (BTI) gadget in minstrel

From: Peter Zijlstra
Date: Tue Oct 25 2022 - 16:32:09 EST


On Tue, Oct 25, 2022 at 12:38:45PM -0700, Pawan Gupta wrote:

> > I think the focus should be on finding the source sites, not protecting
> > the target sites. Where can an attacker control the register content and
> > have an indirect jump/call.
>
> That is an interesting approach. I am wondering what mitigation can
> be applied at source?

Limiting the value ranges for example. Or straight up killing the values
if they go unused -- like how we clear the registers in entry.

> LFENCE before an indirect branch can greatly
> reduce the speculation window, but will not completely eliminate it.

Depends on the part; there's a whole bunch of parts where LFENCE is
sufficient.
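As an added illustration of the "limit the value ranges at the source site" idea above (this is standalone example code, not code from the thread or from the kernel tree): the untrusted selector is bounds-checked architecturally, then clamped with a branchless mask so that even a mispredicted bounds check cannot feed an out-of-range value into the indirect call. The mask construction mirrors the kernel's generic array_index_mask_nospec(); the handler table, the `dispatch_hardened()` name and the `spec_barrier()` helper are assumptions made for this example, and the mask assumes `>>` on a negative `long` is an arithmetic shift (true for gcc and clang).

```c
#include <stdio.h>
#include <limits.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Branchless bounds mask: all ones when index < size, all zeros otherwise.
 * Same construction as the kernel's generic array_index_mask_nospec();
 * assumes an arithmetic right shift of a negative long (gcc/clang). */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - index - 1))
                           >> (BITS_PER_LONG - 1));
}

/* Clamp an already bounds-checked index: if the bounds check was
 * mispredicted, the speculative value collapses to 0 instead of
 * becoming an attacker-chosen table offset. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Speculation barrier (assumed helper); LFENCE on x86, no-op elsewhere
 * so the example still builds on other architectures. */
static inline void spec_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

/* Constructed handler table standing in for a real dispatch table. */
typedef int (*handler_fn)(void);
static int h0(void) { return 10; }
static int h1(void) { return 11; }
static int h2(void) { return 12; }
static int h3(void) { return 13; }

static handler_fn handlers[] = { h0, h1, h2, h3 };
#define NR_HANDLERS (sizeof(handlers) / sizeof(handlers[0]))

/* Source-site hardening: the selector is range-limited before it can
 * reach the indirect call, regardless of branch prediction. */
int dispatch_hardened(unsigned long sel)
{
    if (sel >= NR_HANDLERS)
        return -1;                              /* architectural check   */
    sel = array_index_nospec(sel, NR_HANDLERS); /* limit speculative range */
    spec_barrier();                             /* shrink the window too   */
    return handlers[sel]();
}

int main(void)
{
    printf("mask(3,4)=%lx mask(4,4)=%lx\n",
           array_index_mask_nospec(3, NR_HANDLERS),
           array_index_mask_nospec(4, NR_HANDLERS));
    printf("dispatch(1)=%d dispatch(7)=%d\n",
           dispatch_hardened(1), dispatch_hardened(7));
    return 0;
}
```

The mask is the part that matters: an in-range selector passes through unchanged, an out-of-range one becomes zero without any conditional branch, so there is no second prediction for the CPU to get wrong between the check and the call.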