Fwd: A more general possible meltdown/spectre countermeasure

Warner Losh imp at bsdimp.com
Sat Jan 6 17:04:56 UTC 2018


On Sat, Jan 6, 2018 at 9:53 AM, Wojciech Puchar <wojtek at puchar.net> wrote:

>> While it doesn't defeat the attack, it does still complicate
>> attacks, so
>> I think it's worth considering.
>>
>>
>> The problem is that the attempts to access kernel space are speculative.
>> There's no way to get the 'speculative trap' that would
>> have been generated had the code actually executed. There literally is no
>> signal to the kernel this just happened.
>>
>> Warner
>>
>>
> f..k. So there are no real workarounds. Anyway - if CPU companies were
> honest they would replace at least all server CPUs that are on warranty.


The only workaround that's completely effective is to unmap all of kernel
memory when running in userland. It's a bit tricky because there are small
parts that have to stay mapped for various architectural reasons. This
means KASLR on these CPUs likely can never be effective, since Meltdown will
let you find what the trap address is and from that find the kernel (though
there are some rumblings that the indirection Linux is doing will suffice).

Warner
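The arrangement Warner sketches, written out as a small model so the two halves of his point are visible in code. This is an added illustration, not FreeBSD, Linux or any thread participant's code: the page table is flattened to a list of 4 KiB mappings, the addresses (USER_TEXT, KERN_TEXT, KERN_DATA, TRAMPOLINE) and the one-page "trampoline" are hypothetical, and the only mechanism modelled is the widely reported one, that a speculative load needs only a present PTE because the supervisor permission bit is enforced at retirement, not at the page walk. With the single shared table, a kernel address still resolves while userland is running, so there is something for speculation to load and nothing that raises a trap; with the split tables, the same address has no PTE in the userland table, and only the trampoline page (the part that "has to stay mapped") remains reachable.

```c
/* Model of kernel page-table isolation: one table used inside the kernel
 * (maps everything) and a reduced one used while running userland.
 * Added example; layout, names and the single-level table are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096ULL
#define MAX_ENTRIES 16

enum { PERM_USER = 1, PERM_KERNEL = 2 };  /* architectural access rights */

struct pte { uint64_t va; uint64_t pa; int perms; };
struct page_table { struct pte e[MAX_ENTRIES]; int n; };  /* flattened */
struct cpu { const struct page_table *cr3; bool in_kernel; };

/* Hypothetical layout: user code low, kernel in the upper half, and one
 * trampoline page holding the trap entry code that must stay mapped. */
#define USER_TEXT   0x0000000000400000ULL
#define KERN_TEXT   0xffffffff80200000ULL
#define KERN_DATA   0xffffffff80e00000ULL   /* the data an attacker wants */
#define TRAMPOLINE  0xfffffffffffff000ULL

static struct page_table kernel_pt, user_pt;

static void map(struct page_table *pt, uint64_t va, uint64_t pa, int perms)
{
    if (pt->n < MAX_ENTRIES)
        pt->e[pt->n++] = (struct pte){ va, pa, perms };
}

/* Page walk: true (and *pa filled) if VA has a PTE in this table. The
 * perms field is deliberately ignored here: that check happens at
 * retirement, after the speculative load has already run. */
static bool walk(const struct page_table *pt, uint64_t va, uint64_t *pa)
{
    for (int i = 0; i < pt->n; i++)
        if ((va & ~(PAGE_SIZE - 1)) == pt->e[i].va) {
            *pa = pt->e[i].pa + (va & (PAGE_SIZE - 1));
            return true;
        }
    return false;
}

/* pti=false: userland runs on the full kernel table (the old arrangement).
 * pti=true:  userland gets its own table with only user pages + trampoline. */
static void build_tables(bool pti)
{
    memset(&kernel_pt, 0, sizeof kernel_pt);
    memset(&user_pt, 0, sizeof user_pt);
    map(&kernel_pt, USER_TEXT,  0x1000, PERM_USER);
    map(&kernel_pt, KERN_TEXT,  0x2000, PERM_KERNEL);
    map(&kernel_pt, KERN_DATA,  0x3000, PERM_KERNEL);
    map(&kernel_pt, TRAMPOLINE, 0x4000, PERM_KERNEL);
    if (pti) {
        map(&user_pt, USER_TEXT,  0x1000, PERM_USER);
        map(&user_pt, TRAMPOLINE, 0x4000, PERM_KERNEL);  /* nothing else */
    } else {
        user_pt = kernel_pt;
    }
}

/* Trap entry (runs from the trampoline): switch to the full table. */
static void enter_kernel(struct cpu *c) { c->cr3 = &kernel_pt; c->in_kernel = true; }
/* Return to userland: switch back to the reduced table. */
static void exit_to_user(struct cpu *c) { c->cr3 = &user_pt; c->in_kernel = false; }

/* Could a speculative load from VA bring data into the cache? Only if the
 * current table resolves it; no fault is raised either way. */
static bool speculatively_reachable(const struct cpu *c, uint64_t va)
{
    uint64_t pa;
    return walk(c->cr3, va, &pa);
}

static bool user_mode_reachable(bool pti, uint64_t va)
{
    struct cpu c;
    build_tables(pti);
    exit_to_user(&c);
    return speculatively_reachable(&c, va);
}

static bool kernel_mode_reachable(bool pti, uint64_t va)
{
    struct cpu c;
    build_tables(pti);
    enter_kernel(&c);
    return speculatively_reachable(&c, va);
}

int main(void)
{
    uint64_t probe = KERN_DATA + 0x10;
    printf("kernel data reachable from userland, shared table: %s\n",
           user_mode_reachable(false, probe) ? "yes" : "no");
    printf("kernel data reachable from userland, split tables: %s\n",
           user_mode_reachable(true, probe) ? "yes" : "no");
    printf("trampoline reachable from userland, split tables:  %s\n",
           user_mode_reachable(true, TRAMPOLINE) ? "yes" : "no");
    return 0;
}
```

The trampoline page is the model's stand-in for the "small parts that have to stay mapped": it still resolves from userland with the split tables, which is why Warner's KASLR remark follows, since a mapped trap-entry page is itself a kernel address an attacker can locate.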


More information about the freebsd-arch mailing list