cvs commit: src/sys/amd64/amd64 mp_machdep.c src/sys/i386/i386
cperciva at freebsd.org
Fri Nov 9 00:29:02 PST 2007
Nate Lawson wrote:
> I'm still waiting for what will be done to prevent the attack on
> uniprocessor or multi-core machines (shared L2). Continuing to focus on
> hyperthreading is like locking the screen door on your submarine.
Exploiting the a cache collision channel through the L2 cache is much harder
than through the L1 cache, and is likely impossible under many circumstances
(OpenSSL has been fixed to prevent the most easily exploitable cache side
channel). In addition, there are other attacks, e.g., using shared branch
prediction tables, to which hyperthreaded processors are vulnerable but which
do not affect multicore systems at all.
Rather than locking the screen door on a submarine, I'd say that a more apt
comparison would be turning off a fire hydrant even though a garden hose is
still running. I recommend the use of more sophisticated countermeasures
against side channel attacks where highly sensitive keying material is
concerned; but this does not invalidate the utility of applying such a very
simple countermeasure which prevents a very easy attack.
More information about the cvs-src