Conversation
-
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 03:00:00 UTC: Here's some speculation on what that Intel and possibly also ARM flaw might be: MMU stuff not checked properly during speculative execution.
> Now combine these two things - when the Intel processors do speculative execution they don’t properly check the permissions so you can look at kernel memory by doing ‘if x then y else naughty_thing’ and check the page fault side effects.
http://gizmodo.com/1821729263 -
Vertigo (vertigo@mastodon.social)'s status on Thursday, 04-Jan-2018 03:03:15 UTC: @clacke A hardware-level fix for this would double the burden on the MMU, which would slow the instruction execution rate appreciably. This is the problem with super-long pipelines, and why you should never have a CPU with a pipeline longer than, say, 10 stages. And that's being generous; I *actually* can't see any reason for anything longer than 6.
Hallå Kitteh repeated this. -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 03:08:31 UTC: @vertigo I believe the PIV had something absolutely preposterous like 128 pipeline stages, so 31 sounds reasonable in comparison. -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 03:14:35 UTC: @vertigo
I was wrong.
> The Core Stepping of D0 in late 2006 reduced this to 65 watts. It has a 65 nm core and features the same 31-stage pipeline as Prescott
https://en.wikipedia.org/wiki/Pentium_4
So it would seem that 31 is the upper bound on Intel pipelines. Probably contemporary cores are a bit shorter. -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 03:19:36 UTC: @vertigo I've never even considered what a speculative branch should do on a page fault. It's not reasonable to go out and run an interrupt to page in memory for something that might not even happen (or even to just ask the MMU about access rights), so I guess it just needs to stall at that point. And maybe that's what they got wrong somehow. Maybe they just go "or if we assume we do have access, what would happen then" and then ask the MMU later ... and something can be observed from that. -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 03:21:43 UTC: @vertigo I guess #riscv, being RISC, doesn't have much of a pipeline and probably didn't have to do this kind of optimization.
Let's just drop legacy and all move over to the future. -
Vertigo (vertigo@mastodon.social)'s status on Thursday, 04-Jan-2018 03:26:56 UTC: @clacke However, Spectre still works inside a completely user-space program (e.g., Javascript breaching its sandbox to read browser internal state). This is still a hardware-level bug that should not happen, and it's caused by the interaction between the memory hierarchy; this is actually not CPU specific (AMD, Intel, ARM, and most likely, RISC-V) all would/could suffer from it. It's caused by speculation leaving breadcrumbs of sorts in the cache controllers off-core.
Hallå Kitteh likes this. Hallå Kitteh repeated this. -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 03:32:09 UTC: @vertigo Thanks, that's what I was trying to say. :-) -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 03:34:06 UTC: @vertigo Oh.
You have a name for this and seem to have more than speculation. Has something been made official? -
Vertigo (vertigo@mastodon.social)'s status on Thursday, 04-Jan-2018 03:40:07 UTC: @clacke I'm just reading the Google Project Zero page and as well https://meltdownattack.com/ .
Hallå Kitteh likes this. Hallå Kitteh repeated this. -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 03:41:51 UTC: @zaitcev @vertigo
If an instruction takes more than one cycle and you don't want to idle the cache, you need a pipeline. RISC aims to make every instruction one cycle, but for store/load it's impossible, and anything else that might interact with external I/O.
x86 has several preposterous addressing modes and such that break this, including highly variable instruction length.
The instruction set matters. -
Vertigo (vertigo@mastodon.social)'s status on Thursday, 04-Jan-2018 04:45:32 UTC: @jjg @clacke I feel the need to stand on a soap-box here. :)
We need to remember that RISC-V is an instruction set architecture. It's a specification, and therefore, has nothing to say about whether or not instructions are speculatively executed, in what order they're executed (within reason, of course), etc.
Specific implementations may or may not be affected. KCP53000, my own RV64I CPU, is not affected. Reports today confirm neither are cores built around Rocket. BOOM remains uncertain.
Hallå Kitteh repeated this. -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 05:50:23 UTC: @vertigo
> The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
Nice. :-) -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 05:54:28 UTC: @vertigo @zaitcev Here's something that has been bugging me: where does one draw a distinction between processor-internal RiscOps and microcode?
Is the distinction mainly what year it was conceived? :-) -
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 04-Jan-2018 08:28:50 UTC: @vertigo @zaitcev Right, so RiscOps is a special case of microcode.
I was going to say that the 68060 was cool because it had no microcode, everything was just gate logic, but it seems I got that wrong.
-