[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Do we need to do anything about "dead µops?"
- To: Andy Lutomirski <luto@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, David Kaplan <David.Kaplan@xxxxxxx>, David Woodhouse <dwmw2@xxxxxxxxxxxxx>, Josh Poimboeuf <jpoimboe@xxxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Jann Horn <jannh@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Sat, 1 May 2021 18:35:23 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3/NoANt+taqccTC45DALsn9ApX51yqV1E6cW+kH/+jQ=; b=SDuYgtJQvNATio6x905kbwLYsFdqdN0KKiixBzVTgE3OqFbw4fPdQrHb+c6rxHNnv2BqTaZd24PsFM38ci8YOSfDaHGkJe3WGgCC9RP0eeTO7IXfxg9RXMmOr5BjeYrXONJkIsUy0fdctmA/s+g1HXSs1duR/Q9evax5Qp8QCSSQyQmI2HOel05kn9rszRBjsLv5B+BxswJnuxnvwH3ncGAzuNSIqhRIQ1UyoRi4jbCgmWa9xO8/WUtFrwb6/M47b+nhU8UepC9OjLgiUx9SJzKxhedXABkHWtEkCqOPDkpOGQqEK+vxhaIjHwGL1zc/j/SSaakVVebnHNIL9JV9QA==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Jh+lbZbQpSV53Wn/QYyxw6kJBGFNiGxKEr3F8C49PIIaS/aRByjp8DqgDFiYjZ35s7c+U9jv0c6i2w34/Q7iarjSqK3y4DQ+9UqHnLPoOUNQMsQlp3Rmu1nb5qfPDxo7WKbAaxNgP5qUmNsminKRfyD7k1qltYgULVkOObQ10ZAbIHctPU8D1pEzzxHOwZhGYCA1kTmYsxWVvrH3SxwirzgWdXmGzNdnrhFG5TCxREEumbCCoTOa2uCH89o2Ec8gJ09N8zjTku7Hx0DVUOz3zuvfBiHqdUwB2eD0wZT90/ZolF23FL3b3bTh4hJ6Ij6KJE3b2jXkIIKv5rbLpwjxTA==
- Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Delivery-date: Sat, 01 May 2021 17:35:45 +0000
- Ironport-hdrordr: A9a23:RPjf0ag09XVyN21wyEc4Uy1Ui3BQX0tw3DAbvn1ZSRFFG/Gwv/ uF2NwGyB75jysQUnk8mdaGfJKNW2/Y6IQd2+YsFJ+Ydk3DtHGzJI9vqbHjzTrpBjHk+odmuZ tIW5NVTOf9BV0St6vHySGlDtctx8SG+qi0heHYi0xgVx1udrsI1WZEIyycFVB7QxQDIJI/Go aV6MYvnUvdRV08aMOnCn4ZG9XZr9rQm578JTIADRgr6A6B5AnYlYLSOR6ewxsYTndz0a4vmF K16TDRy4eCl7WAyhHa33LO9Jg+orXc4/ZKGcDksLltFhzCkQCtDb4RP4GqnDdwm+237UZvrd +kmWZaA+1Wy1f8Ol64ugHs3Q6I6kdf11bHxUWDiXXu5ezVLQhKbfZpvo5SfhvH50dIhrgVu8 gqrgHpxaZ/Nh/OkD/w4NLFTXhR5y+JiEEvjPIJiDhnWZYeAYUh3LA3xl9fE5sLAUvBmecaOd RpZfushsp+TUmXdDTwsGVp3bWXLwwONybDaE0DtsuJ6iNRjXB0wmAJrfZv4EsoxdYTTYJJ6P /DNbktvLZSTtUOZaY4P+sZR9CrY1a9DC7kASa3GxDKBasHM3XCp9re56g03vijfNgtwIEpkJ rMfVtEvQcJCg7TIPzL+KcO3gHGQW27Uzio4NpZ/YJFtrr1Q6euGTGfSXg1+vHQ4sk3M4n+Yb KeKZhWC/jsIS/FAoBSxTDzXJFUND03TNAVgNAmQFiDy/i7ZLHCh6j+SrL+NbDtGTErVifUGX 0YRgX+I81G8wSFQXn9rB/NW278W0D28J5qeZKqvNQ7+cwoDMlhowIVgVO26oWgMjtZqJE7e0 N4PffGn8qA1CuL1FeNy18sFgtWD05T7rmleWhNvxU2P0T9dqtGn92efGtVzUaWPxMXdbKSLC dv43BMvY6nJZ2Zwi4vT/i9NHiBsncVrHWWC7ARh7OE/sWgXp8jFJ4pVOhQGGzwZlNIsDcvjF 0GRB4PR0fZGD+ro76iloYoCObWcMQ5phyqL85SoXf2rl6duskre3seU1eVII6qqDdrYwARqk x68qcZjrbFsy2oM3EDjOMxN0AJVH6aG4tcDAOOZJxdn5fifA0YdxbPuRWqzzUIPkb6/UQbgW LsaQmZY+vCDFZmtndE6ary619vemKBf0V/V2BiveRGZBf7k0c29dXOSru40mOXZFdH+O0bPT 3fSRY5Iw9lxbmMpVaosQfHMU9j6oQlP+TbArhmTqra3Wm1LpaU0YscGeVPwZpjPNfyk+MCXO 6FYTWJJDfgB+5B4X3Tml8VfA1P7F8qnvPj1Ee7sCyW3HsjDeHTJ1ojbbcBON2Y53XlQfHN8J gRt6NAgcKAdkHKLviBwuXrShQGDDX5i2u/VfspppBZprhajso7I7DrFR/zkEha1xA/JvrunE wQQK5H8KnMU7UfCvA6SmZ8xB4Vj9yBI0sgjxzuDsI/dV8riWXHP9nh2cu+lZMfRmmArhD3I1 +R7ml0+OrERTKK0dcheukNCFUTTEg383J5+uyeM6XWFQWxbulGuH63KGW0frMYaK+LH9wr31 xHyuDNu++cbCzj3g/M+RN9P6JV6m6iBfqIPzjkI58/z/WKfXKWgqWr58avjDD4DRuDAn5o+r FtRAg3dcRMij4rkYst9DO9I5aH5H4Yrw==
- Ironport-sdr: K26K9yjlZmgN1Ui2Y+NlLpMjSfAfahAYpxM4H81xzw9ZL3/O3EUj1jP4grsYyihwj6sVaP/Sw/ ztYqxGkeXAGlyu/FVKZkxUfExgzYoTEEuGMRaZpHD1wuKbUaqgCUeKZC5rzCcLYZyVSLT2U9qb bmETza3qiW04+l8Fzv7sQi9kEjgS+uYNAZvlyWJ7zdPHS1N4Ui35Hu6brgsjzr2e96pCY432pH NiIK+Gh+ucHhKTV0Wx/NPZO7QibdBuvzTzzitP5aEJdISBa8O4O3JEDbsAsJroai+58apYtCgp snM=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 01/05/2021 17:26, Andy Lutomirski wrote:
> Hi all-
>
> The "I See Dead µops" paper that is all over the Internet right now is
> interesting, and I think we should discuss the extent to which we
> should do anything about it. I think there are two separate issues:
>
> First, should we (try to) flush the µop cache across privilege
> boundaries? I suspect we could find ways to do this, but I don't
> really see the point. A sufficiently capable attacker (i.e. one who
> can execute their own code in the dangerous speculative window or one
> who can find a capable enough string of gadgets) can put secrets into
> the TLB, various cache levels, etc. The µop cache is a nice piece of
> analysis, but I don't think it's qualitatively different from anything
> else that we don't flush. Am I wrong?
>
> Second, the authors claim that their attack works across LFENCE. I
> think that this is what's happening:
>
> load secret into %rax
> lfence
> call/jmp *%rax
>
> As I understand it, on CPUs from all major vendors, the call/jmp will
> gladly fetch before lfence retires, but the address from which it
> fetches will come from the branch predictors, not from the
> speculatively computed value in %rax.
The vendor-provided literature on pipelines (primarily, the optimisation
guides) has the register file down by the execute units, and not near
the frontend. Letting the frontend have access to the register value is
distinctly non-trivial.
> So this is nothing new. If the
> kernel leaks a secret into the branch predictors, we have already
> mostly lost, although we have a degree of protection from the various
> flushes we do. In other words, if we do:
>
> load secret into %rax
> <-- non-speculative control flow actually gets here
> lfence
> call/jmp *%rax
>
> then we will train our secret into the predictors but also leak it
> into icache, TLB, etc, and we already lose. We shouldn't be doing
> this in a way that matters. But, if we do:
>
> mispredicted branch
> load secret into %rax
> <-- this won't retire because the branch was mispredicted
> lfence
> <-- here we're fetching but not dispatching
> call/jmp *%rax
>
> then the leak does not actually occur unless we already did the
> problematic scenario above.
>
> So my tentative analysis is that no action on Linux's part is required.
>
> What do you all think?
Everything here seems to boil down to managing to encode the secret in
the branch predictor state, then managing to recover it via the uop
cache sidechannel.
It is well known and generally understood that once your secret is in
the branch predictor, YHAL. Code with that property was broken before
this paper, is still broken after this paper, and needs fixing irrespective.
Viewed in these terms, I don't see what security improvement is gained
from trying to flush the uop cache.
I tentatively agree with your conclusion, that no specific action
concerning the uop cache is required.
~Andrew
|
