From: Warner Losh
Date: Sat, 6 Jan 2018 09:31:42 -0700
Subject: Re: Fwd: A more general possible meltdown/spectre countermeasure
To: Eric McCorkle
Cc: Wojciech Puchar, freebsd-hackers@freebsd.org, freebsd-arch@freebsd.org
In-Reply-To: <73d2f1a5-55f7-0ae7-7660-3e680ba3d32e@metricspace.net>
References: <33bcd281-4018-7075-1775-4dfcd58e5a48@metricspace.net> <73d2f1a5-55f7-0ae7-7660-3e680ba3d32e@metricspace.net>
List-Id: Technical Discussions relating to FreeBSD

On Sat, Jan 6, 2018 at 9:12 AM, Eric McCorkle wrote:
> On 01/06/2018 11:07, Wojciech Puchar wrote:
> > Sorry for the stupid question, but to my understanding these attacks work
> > as below:
> >
> > 1) perform an access to a byte at a not-allowed virtual address and use the next
> > instruction to store relative to private space, so the cache is filled
> > depending on a value that one shouldn't be able to access.
> >
> > 2) as the kernel gets a trap on the access violation it will generate SIGSEGV or
> > SIGBUS, which is directed by the application using signal(2), so it can be
> > ignored.
> >
> > 3) another part of the code performs some timing magic and detects this way
> > where the cache is filled, so the byte value can be guessed properly.
> >
> > My question is: why can't any access attempt to kernel space simply
> > generate SIGKILL? Of course it would harm program development, but as
> > today developers don't usually use a timesharing machine but have
> > private computers, a simple sysctl variable would suffice.
>
> I'd thought of this myself. The problem is that the cache effects could
> still be observed by another process.
>
> While it doesn't defeat the attack, it does still complicate attacks, so
> I think it's worth considering.

The problem is that the attempts to access kernel space are speculative. There's no way to get the 'speculative trap' that would have been generated had the code actually executed. There literally is no signal to the kernel this just happened.

Warner
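Since the thread concludes that a speculative kernel-space access produces no trap the kernel could act on, the practical countermeasure is the one FreeBSD later shipped: separate user and kernel page tables (PTI), plus the CPU-level Spectre v2 settings. The script below is an added example, not code from this thread or from FreeBSD; it assumes the sysctl names vm.pmap.pti and hw.ibrs_active, which FreeBSD introduced after the date of this mail, and the classify_*, verdict, read_sysctl and report functions are its own. The classifiers take the raw sysctl text so the decision logic can be checked offline with constructed values; on a host without those OIDs (an older FreeBSD kernel, or another OS) they report "unknown" rather than guessing.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether the kernel-side
# Meltdown countermeasure (page-table isolation, sysctl vm.pmap.pti) and
# the Spectre v2 IBRS setting (hw.ibrs_active) are active on a FreeBSD
# host. The sysctl names are assumptions about the host, not taken from
# the mail; the classify_* functions take the raw sysctl text so they can
# be exercised offline with constructed values.

# classify_pti TEXT: "isolated" when the kernel runs with separate user
# and kernel page tables, "not-isolated" when it does not, "unknown" when
# the OID is missing (a kernel that predates PTI support) or unreadable.
classify_pti() {
    case "$1" in
        1) echo isolated ;;
        0) echo not-isolated ;;
        *) echo unknown ;;
    esac
}

# classify_ibrs TEXT: same shape for hw.ibrs_active.
classify_ibrs() {
    case "$1" in
        1) echo active ;;
        0) echo inactive ;;
        *) echo unknown ;;
    esac
}

# verdict PTI_STATE IBRS_STATE: collapse the two states into one word.
#   ok        both countermeasures active
#   degraded  at least one countermeasure known to be off
#   unknown   nothing known to be off, but at least one OID was missing
verdict() {
    case "$1/$2" in
        isolated/active)           echo ok ;;
        not-isolated/*|*/inactive) echo degraded ;;
        *)                         echo unknown ;;
    esac
}

# read_sysctl NAME: the OID's value, or empty text when the OID does not
# exist or sysctl itself is unavailable, so classify_* report "unknown".
read_sysctl() {
    sysctl -n "$1" 2>/dev/null || true
}

# report: print one line per countermeasure plus the verdict; return 0
# only when the verdict is "ok".
report() {
    pti=$(classify_pti "$(read_sysctl vm.pmap.pti)")
    ibrs=$(classify_ibrs "$(read_sysctl hw.ibrs_active)")
    v=$(verdict "$pti" "$ibrs")
    printf 'vm.pmap.pti=%s hw.ibrs_active=%s verdict=%s\n' "$pti" "$ibrs" "$v"
    [ "$v" = ok ]
}

report || printf 'warning: Meltdown/Spectre v2 kernel countermeasures not fully active\n' >&2
```

Run it as root or as any user that can read the sysctl tree; the printed line is meant to be collected by a configuration audit, and the non-zero return from report is what a monitoring job would key on. Treating an inactive IBRS as "degraded" is a deliberate choice here: a kernel built with a different Spectre v2 defence may legitimately leave it off, so adjust verdict to local policy rather than reading "degraded" as a finding on its own.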