Announcement

Collapse
No announcement yet.

Kernel Address Space Isolation Still Baking To Limit Data Leaks From Foreshadow & Co

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts
    Alex/AT
    Senior Member

  • Alex/AT
    replied
    I already wrote it somewhere: faulty hardware should be 1) fixed; 2) called back & replaced.
    No other solution works, and the whole effort to make workarounds for the faulty hardware that will become obsolete in 5 years anyways is totally fruitless and futile.
    I clearly understand that this is also an attempt to prevent future vulnerabilities like this from having more impact, but.:
    1) there are no guarantees new one vulnerabilities will not avoid this mechanism;
    2) the cost of making such amendments is ultimately high, performance- effort- manageability- complexity- and supportability- wise.

    Leave a comment:

  • tildearrow
    Senior Member

  • tildearrow
    replied
    Typo:

    Originally posted by phoronix View Post
    about at this week's Linux Plumbers Conference in Lisbon, Portgual.
    Se llama "Portugal".

    Leave a comment:

  • dweigert
    Phoronix Member

  • dweigert
    replied
    This is how hyperthreading got started, they bolted on a second execution unit in front of the very deep P4 pipeline. I think they forgot about context switches, because you have to flush the pipeline. and that is a very expensive operation.

    Leave a comment:

  • cybertraveler
    Senior Member

  • cybertraveler
    replied
    Originally posted by dweigert View Post
    How about a "pair of execution units"
    That just rolls off the tongue /s

    It works though! "execution units".

    Though... make sure you're on the right website when you're ordering "execution units" for yourself or your Earthly experience might come to a sudden, untimely and unexpected end.

    Leave a comment:

  • dweigert
    Phoronix Member

  • dweigert
    replied
    How about a "pair of execution units"

    Leave a comment:

  • cybertraveler
    Senior Member

  • cybertraveler
    replied
    Originally posted by skeevy420 View Post

    For that matter, they could still sell one core as long as the two threads they sell stay isolated to just that core.
    Yeah, that's what I mean. It's hard to write about this because I've noticed the term "core" is used by the hardware guys to refer to a physical core (which can run 2 simultanious threads), but it's often used by the server hosting guys to refer to a "thread".

    I guess I could say "sell threads in multiples of 2". "thread" sounds wrong to me though, because that word is often used to refer to process threads, of which you could have potentially thousands running on only a quad core system.

    Is there even an unambiguous word for a core which may be a physical core or may be a hyperthread, fake-core?

    Leave a comment:

  • skeevy420
    Senior Member

  • skeevy420
    replied
    Originally posted by cybertraveler View Post
    A shortterm partial-solution for these cloud virtual server providers would be to always sell customers an entire core. IE you buy cores in multiples of 2. This way, you never have 2 customers sharing a core and potentially being able to cross privilege boundaries via these HT vulnerabilities.
    For that matter, they could still sell one core as long as the two threads they sell stay isolated to just that core.

    From a layman's perspective, seems like running a VM or whatever with taskset or numactl limiting the process to specific threads/cores would be good enough for this/that.

    Leave a comment:

  • cybertraveler
    Senior Member

  • cybertraveler
    replied
    A shortterm partial-solution for these cloud virtual server providers would be to always sell customers an entire core. IE you buy cores in multiples of 2. This way, you never have 2 customers sharing a core and potentially being able to cross privilege boundaries via these HT vulnerabilities.

    Leave a comment:

  • phoronix
    Administrator

  • Kernel Address Space Isolation Still Baking To Limit Data Leaks From Foreshadow & Co

    Phoronix: Kernel Address Space Isolation Still Baking To Limit Data Leaks From Foreshadow & Co

    In addition to the work being led by DigitalOcean on core scheduling to make Hyper Threading safer in light of security vulnerabilities, IBM and Oracle engineers continue working on Kernel Address Space Isolation to help prevent data leaks during attacks...

    http://www.phoronix.com/scan.php?pag...el-ASI-LPC2019
Working...
X