> -----Original Message-----
> From: Liran Alon [mailto:liran.alon@xxxxxxxxxx]
> Sent: Thursday, January 25, 2018 6:50 PM
> To: Hansen, Dave <dave.hansen@xxxxxxxxx>
> Cc: labbott@xxxxxxxxxx; luto@xxxxxxxxxx; Janakarajan.Natarajan@xxxxxxx;
> torvalds@xxxxxxxxxxxxxxxxxxxx; bp@xxxxxxx; Mallick, Asit K
> <asit.k.mallick@xxxxxxxxx>; rkrcmar@xxxxxxxxxx; karahmed@xxxxxxxxx;
> hpa@xxxxxxxxx; mingo@xxxxxxxxxx; Nakajima, Jun
> <jun.nakajima@xxxxxxxxx>; x86@xxxxxxxxxx; Raj, Ashok <ashok.raj@xxxxxxxxx>;
> Van De Ven, Arjan <arjan.van.de.ven@xxxxxxxxx>; tim.c.chen@xxxxxxxxxxxxxxx;
> pbonzini@xxxxxxxxxx; ak@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
> dwmw2@xxxxxxxxxxxxx; peterz@xxxxxxxxxxxxx; tglx@xxxxxxxxxxxxx;
> gregkh@xxxxxxxxxxxxxxxxxxx; mhiramat@xxxxxxxxxx; arjan@xxxxxxxxxxxxxxx;
> thomas.lendacky@xxxxxxx; Williams, Dan J <dan.j.williams@xxxxxxxxx>;
> joro@xxxxxxxxxx; kvm@xxxxxxxxxxxxxxx; aarcange@xxxxxxxxxx
> Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation
>
> Google P0 blog-post
> (https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-memory-with-side.html)
> claims that BTB & BHB only use <31 low bits of the address of
> the source instruction to lookup into the BTB. In addition, it claims that the
> higher bits of the predicted destination change together with the higher bits of
> the source instruction.
>
> Therefore, it should be possible to leak the low bits of high prediction-mode
> code BTB/BHB entries from low prediction-mode code. Because the predicted
> destination address will reside in user-space.
>
> What am I missing?

I thought this email thread was about the RSB...