Two approaches to x86 memory encryption

Posted May 12, 2016 3:19 UTC (Thu) by TRS-80 (guest, #1804)
Parent article: Two approaches to x86 memory encryption

Does SME protect against Rowhammer?

Two approaches to x86 memory encryption

Posted May 12, 2016 4:33 UTC (Thu) by dlang (guest, #313) [Link] (2 responses)

not really (although it makes it a bit harder)

rowhammer is a hardware bug where repeated access at one address can flip a bit at another address. the fixes are to make it harder to know the exact alignment of important memory

encrypting the memory makes such attacks harder because you don't know what bits are being stored (without some other way of watching from the outside, which may exist)

but there are only so 256 possible bit patterns, so it doesn't block it entirely.

Two approaches to x86 memory encryption

Posted May 12, 2016 8:00 UTC (Thu) by pbonzini (subscriber, #60935) [Link] (1 responses)

Alteration of the ciphertext will completely randomize the plaintext. So if you use rowhammer to flip a bit of ciphertext, the contents of the other location will change randomly.

So rowhammer can still be used with SME (e.g. you could affect a key generation operation and produce non-prime p and q), but the result is much less controlled and thus the applicability is smaller.

Two approaches to x86 memory encryption

Posted May 12, 2016 16:11 UTC (Thu) by ballombe (subscriber, #9523) [Link]

If p or q is not prime, then standard RSA signature check/decryption will not work either, so it is not so easy.