Linux Developers Discuss Flushing L1 Cache On Context Switches In Light Of Vulnerabilities

  • Linux Developers Discuss Flushing L1 Cache On Context Switches In Light Of Vulnerabilities

    Phoronix: Linux Developers Discuss Flushing L1 Cache On Context Switches In Light Of Vulnerabilities

    In light of data sampling vulnerabilities like MDS, engineers from Amazon, Google, and other organizations are discussing a proof-of-concept implementation that would optionally flush the L1 data cache on context switches...

    http://www.phoronix.com/scan.php?pag...Context-Switch

  • #2
    This seems like a good option if a vuln is disclosed before an appropriate fix has been developed.



    • #3
      Hmmm... Why not prefetch the new context and save time? Maybe mark a prefetch function in some code to help find the important data?



      • #4
        Oh come on, not another performance crippling change.
        I'm tired of these "In the name of security..."
        I bet there are 1000 more things we can do here, clear / erase every cache after each instruction, encrypt / decrypt, but come on, not everyone has supercomputers or Threadrippers at home that can handle everything you throw at it.

        In my opinion, do all the security enhancements you want, but stop enabling them by default!
        Just leave the people who need NASA level security to enable them themselves.



        • #5
          What is the reason that not as many vulnerabilities targeting AMD have yet been published? Even though I've only been buying AMD hardware for the past 5+ years, I have a hard time believing that AMD's products are just that much more fundamentally secure?

          Is it simply a question of market share at this point, in the sense that it is more valuable to undertake vulnerability research on Intel products?
          Last edited by ermo; 03-19-2020, 08:38 AM.



          • #6
            Originally posted by ermo
            What is the reason that not as many vulnerabilities targeting AMD have yet been published? Even though I've only been buying AMD hardware for the past 5+ years, I have a hard time believing that AMD's products are just that much more fundamentally secure?

            Is it simply a question of market share at this point, in the sense that it is more valuable to undertake vulnerability research on Intel products?

            Intel sponsors the German university that has discovered most of the vulnerabilities - AMD kinda sorta doesn't sponsor anyone and these vulnerabilities are very hard to find.

            Despite that I still believe AMD CPUs are inherently more secure since the most blatant vulnerability (Meltdown/LVI) doesn't affect them in any shape or form. In the meantime all OoOE CPUs are affected by both Spectre (1/2) attacks but at least they are not that expensive to mitigate and they are less critical.
            Last edited by birdie; 03-19-2020, 08:41 AM.



            • #7
              Why do I get the feeling that there's yet another horrible vulnerability that's known by a few insiders who are quickly working to patch it and that this is some of the early fruits of that effort?



              • #8
                Originally posted by Danny3
                Oh come on, not another performance crippling change.
                I'm tired of these "In the name of security..."
                I bet there are 1000 more things we can do here, clear / erase every cache after each instruction, encrypt / decrypt, but come on, not everyone has supercomputers or Threadrippers at home that can handle everything you throw at it.

                In my opinion, do all the security enhancements you want, but stop enabling them by default!
                Just leave the people who need NASA level security to enable them themselves.

                As I understand it, the final implementation (if it ever reaches this stage) would require a specific process to call prctl() to set the bit that will force an L1D flush on context switches. So in this case it seems that you'll get what you want: the slowdown will only impact the applications that require it (so it should be barely noticeable).

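The per-process opt-in described in post #8, as an added example that is not part of the thread or of the patch series it discusses: it uses the `PR_SPEC_L1D_FLUSH` control of `prctl(PR_SET_SPECULATION_CTRL, ...)` that mainline Linux exposes. It assumes an x86 kernel with this feature, booted with `l1d_flush=on`; the fallback constant values are the mainline UAPI ones, and the function names are this example's own.

```c
/* Added example: opt the calling task in to L1D flush on context switch. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for older userspace headers; values match the mainline UAPI. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL   (1UL << 0)
#define PR_SPEC_ENABLE  (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_L1D_FLUSH
#define PR_SPEC_L1D_FLUSH 2
#endif

/* Decode a PR_GET_SPECULATION_CTRL result for PR_SPEC_L1D_FLUSH.
 * For this control, ENABLE means the flush (the mitigation) is on. */
const char *l1d_flush_state(long status)
{
    if (status < 0)                return "unsupported";
    if (!(status & PR_SPEC_PRCTL)) return "not controllable";
    if (status & PR_SPEC_ENABLE)   return "flush enabled";
    if (status & PR_SPEC_DISABLE)  return "flush disabled";
    return "unknown";
}

/* Request the flush for the calling task; returns 0 or -errno. */
int l1d_flush_opt_in(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH,
              PR_SPEC_ENABLE, 0, 0) == -1)
        return -errno;
    return 0;
}

int main(void)
{
    int rc = l1d_flush_opt_in();
    if (rc < 0) {  /* fail closed: do not touch secrets without the flush */
        fprintf(stderr, "L1D flush opt-in failed: %s\n", strerror(-rc));
        return 1;
    }
    long st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);
    printf("L1D flush state: %s\n", l1d_flush_state(st));
    return 0;  /* a real program would handle its sensitive data here */
}
```

Without the boot option the opt-in call fails and the query reports the control as not controllable, so only tasks that ask for the flush pay for it. The kernel documentation also notes that an opted-in task scheduled on an SMT-enabled core is sent SIGBUS, so pin such tasks to non-SMT cores.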


                • #9
                  Originally posted by Danny3
                  Oh come on, not another performance crippling change.
                  I'm tired of these "In the name of security..."
                  I bet there are 1000 more things we can do here, clear / erase every cache after each instruction, encrypt / decrypt, but come on, not everyone has supercomputers or Threadrippers at home that can handle everything you throw at it.

                  In my opinion, do all the security enhancements you want, but stop enabling them by default!
                  Just leave the people who need NASA level security to enable them themselves.

                  I'm gonna assume you meant NSA, not NASA



                  • #10
                    Originally posted by ermo
                    What is the reason that not as many vulnerabilities targeting AMD have yet been published? Even though I've only been buying AMD hardware for the past 5+ years, I have a hard time believing that AMD's products are just that much more fundamentally secure?

                    Is it simply a question of market share at this point, in the sense that it is more valuable to undertake vulnerability research on Intel products?

                    I'd say at a certain point Intel lagged in performance and started seeing market share diminution (AMD Athlon, and the 64-bits race), so they had to find "a way back". And BAM, "HyperThreading came"... This was just simple cheating from my Point Of View.

                    I'm a computing researcher (in biology) and for many years I've been told that in large computing centers they always disable HT (since 2007-8 or so) so my guess is that some of these vulnerabilities are known "for years", but now the public audience is wider, that's all.

                    Why is AMD less affected? By design, I'd say :-)
