Support for Intel's LASS
Posted Jan 14, 2023 6:50 UTC (Sat) by epa (subscriber, #39769)
Parent article: Support for Intel's LASS
Posted Jan 14, 2023 11:00 UTC (Sat)
by matthias (subscriber, #94967)
Posted Jan 15, 2023 12:11 UTC (Sun)
by ballombe (subscriber, #9523)
Posted Jan 15, 2023 13:06 UTC (Sun)
by matthias (subscriber, #94967)
Yes, this is not very clear. The data in paragraph 1 is different from the data in paragraph 3. I will sketch how Meltdown works as an example.
    if (a != 0) {
        if ((*b & 0x1) == 0) {
            load c
        } else {
            load d
        }
    }
a is 0, but it is not in the cache and the CPU speculates that a is not 0. As the speculation is mostly statistics, one can enforce this speculation.
The pointer b points to non-accessible memory (e.g. kernel memory). Based on the value of *b, either c or d is loaded into the cache. Normally the access to *b would trigger a SEGFAULT, but as a is 0, the CPU detects at some point that this was all just speculation; it ignores the fault and continues as if nothing had happened.
Now one can access c and d, measure the time this takes and conclude which of the two has been loaded into the cache. This gives away one bit from *b.
So speculative execution does affect the cache. After all, you can gain the most advantage if the value (c or d) is already on its way to the cache at the point in time when the value of a finally arrives at the CPU.
The data that is not in the cache and whose value is the point of speculation is a. The data that is discovered is (one bit of) *b, and the data that is loaded into the cache is either c or d. The presence of c or d is used to discover the value of *b.
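A toy model of the sequence described in the comment above, added here as an illustration and not part of the original comment: it simulates a one-flag-per-variable cache and never touches real hardware state. The latencies, the `forwards_forbidden` knob and all function names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, constructed for illustration: the "cache" is one flag per
   variable and the latencies are assumed numbers. */
enum { LINE_A, LINE_C, LINE_D, NLINES };
enum { HIT_CYCLES = 4, MISS_CYCLES = 200 };
struct cpu { bool cached[NLINES]; bool fault_raised; };

/* Latency a program would measure for one load; a miss fills the line. */
static int timed_load(struct cpu *cpu, int line) {
    int t = cpu->cached[line] ? HIT_CYCLES : MISS_CYCLES;
    cpu->cached[line] = true;
    return t;
}

/* forwards_forbidden (hypothetical knob): whether the model CPU hands the
   value of the inaccessible *b to dependent instructions before the fault. */
static void run_sketch(struct cpu *cpu, int a, unsigned char b_val,
                       bool predict_taken, bool forwards_forbidden) {
    /* a is uncached, so the branch is predicted and the body may run early:
       this is the "load c" / "load d" of the sketch. */
    if (!cpu->cached[LINE_A] && predict_taken && forwards_forbidden)
        cpu->cached[(b_val & 0x1) == 0 ? LINE_C : LINE_D] = true;
    cpu->cached[LINE_A] = true;      /* the real value of a arrives */
    if (a != 0)
        cpu->fault_raised = true;    /* branch really taken: *b faults */
    /* a == 0: speculative results and the fault are dropped, cache fills stay */
}

/* Returns the inferred low bit of *b, -1 if c and d time the same,
   -2 if the access faulted architecturally. */
static int leak_experiment(int a, unsigned char b_val,
                           bool predict_taken, bool forwards_forbidden) {
    struct cpu cpu = {0};
    run_sketch(&cpu, a, b_val, predict_taken, forwards_forbidden);
    if (cpu.fault_raised) return -2;
    int tc = timed_load(&cpu, LINE_C), td = timed_load(&cpu, LINE_D);
    return tc == td ? -1 : (tc < td ? 0 : 1);
}

int main(void) {
    printf("forwarding:    %d\n", leak_experiment(0, 0x2B, true, true));
    printf("no forwarding: %d\n", leak_experiment(0, 0x2B, true, false));
    return 0;
}
```

In this model the bit disappears from the timing as soon as the forbidden value is not forwarded to the dependent load, or the branch is not mispredicted.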
Then it computes *b, detects the fault, but still continues with the load?