On 23.3.2015 22:26, Pavel Machek wrote: > On Thu 2015-03-19 13:51:02, Vlastimil Babka wrote: >> On 03/17/2015 02:21 AM, Andy Lutomirski wrote: >>> On Mon, Mar 16, 2015 at 5:49 PM, Mark Seaborn <mseaborn@xxxxxxxxxxxx> wrote: >>> >>> The Intel people I asked last week weren't confident. For one thing, >>> I fully expect that rowhammer can be exploited using only reads and >>> writes with some clever tricks involving cache associativity. I don't >>> think there are any fully-associative caches, although the cache >>> replacement algorithm could make the attacks interesting. >> >> I've been thinking the same. But maybe having to evict e.g. 16-way cache would >> mean accessing 16x more lines which could reduce the frequency for a single line >> below dangerous levels. Worth trying, though :) > > How many ways do recent CPU L1 caches have? My i7 based desktop has 8-way L1, 8-way L2, 16-way L3. And it seems to be alarmingly vulnerable to the double-sided rowhammer variant. But to reliably miss L3 it seems I need at least 96 addresses colliding in L3, which are then also in different dram rows. Which naturally reduces frequency for the target pair of rows. I've been able so far to reduce/mask the overhead so that the target rows are accessed with 11x lower frequency than with clflush. Which doesn't seem enough to trigger bit flips. But maybe I can improve it further :) -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>