VAX + Spectre

Paul Koning paulkoning at comcast.net
Thu Oct 3 10:28:09 CDT 2019



> On Oct 3, 2019, at 10:55 AM, Stefan Skoglund <stefan.skoglund at agj.net> wrote:
> 
> On Thu 2019-10-03 at 09:45 -0400, Paul Koning via cctalk wrote:
>>> On Oct 3, 2019, at 8:25 AM, Maciej W. Rozycki <macro at linux-mips.org> wrote:
>>> 
>>> On Thu, 3 Oct 2019, Maciej W. Rozycki wrote:
>>> 
>>>>> You need an extremely high resolution timer to detect slight
>>>>> differences in
>>>>> execution time of speculatively-executed threads. The VAX
>>>>> 11/780 certainly did
>>>>> not do speculative execution, and my guess is that all VAXen
>>>>> did not, either.
>>>> 
>>>> The NVAX and NVAX+ implementations include a branch predictor in
>>>> their 
>>>> microarchitecture[1], so obviously they do execute speculatively.
>>> 
>>> For the record: in NVAX prediction does not extend beyond the
>>> instruction 
>>> fetch unit (I-box in VAX-speak), so there's actually no
>>> speculative 
>>> execution, but only speculative prefetch.
>> 
>> That's a key point.  These vulnerabilities are quite complex and
>> details matter.  They depend on speculation that goes far enough to
>> make data references that produce cache fills, and that those fills
>> persist after the speculative references have been voided.
>> 
>> Branch prediction is only the first step, and as you point out, that
>> alone is nowhere near enough.  For example, if a particular design
>> did speculative execution but not speculative memory references on
>> addresses that miss in the cache, you'd still have no issue.
>> 
> 
> Can the speculative pre-fetch of instructions trigger cache fills?

I don't know, but that isn't relevant to the Spectre issue.  That one needs speculative data loads, visible via a timing channel to user mode code.

	paul


