On Oct 3, 2019, at 8:25 AM, Maciej W. Rozycki <macro at linux-mips.org> wrote:
> On Thu, 3 Oct 2019, Maciej W. Rozycki wrote:
>>> You need
>>> an extremely high resolution timer to detect slight differences in
>>> execution time of speculatively-executed threads. The VAX 11/780 certainly did
>>> not do speculative execution, and my guess is that all VAXen did not, either.
>> The NVAX and NVAX+ implementations include a branch predictor in their
>> microarchitecture[1], so obviously they do execute speculatively.
> For the record: in NVAX prediction does not extend beyond the instruction
> fetch unit (I-box in VAX-speak), so there's actually no speculative
> execution, but only speculative prefetch.

That's a key point. These vulnerabilities are quite complex and details matter. They
depend on speculation that goes far enough to make data references that produce cache
fills, and that those fills persist after the speculative references have been voided.
Branch prediction is only the first step, and as you point out, that alone is nowhere near
enough. For example, if a particular design did speculative execution but not speculative
memory references on addresses that miss in the cache, you'd still have no issue.
paul