On Thu, Jan 04, 2018 at 07:06:39PM -0500, Joshua Kinard wrote:
>
> Regarding the KAISER/KASLR/KPTI work to mitigate the recently-announced
> "Spectre" and "Meltdown" issues in x86/x64 and some Arm processors, does anyone
> know how vulnerable MIPS processors might be?
>
> My initial guess is Spectre might apply, since MIPS CPUs have supported
> speculative execution as far back as the R10000, and even the R10K manual
> contained an entire section on "The side-effects of speculative execution", for
> SGI's non-coherent platforms (IP28, IP32). But MIPS is a varied ecosystem of
> CPUs, so if the arch is vulnerable, there might be specific MIPS CPU types that
> are not vulnerable.
>
> I am also uncertain if the way MIPS lays out its address space, with specific
> ranges for kernel mode, supervisor mode (unused), and user mode, makes this a
> non-issue.
>
> Thoughts?

I'm not a hardware engineer so don't quote me on this, and have only briefly
tried to detect leaked kernel data on a couple of recent cores, but I'd be
surprised if any MIPS cores are vulnerable to kernel data leak, simply because
the static segments (ignoring EVA) encode the minimum privilege. Hardware should
be able to test privilege very easily compared to when that data comes from the
TLB/page tables, hopefully before anything can be done speculatively depending
on the data that would be read (but of course that doesn't mean individual cores
can't be broken).

The MIPS segment layout won't help with any leakage of speculative execution
within a privilege level though (e.g. eBPF or javascript bounds checks).

Cheers
James
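The argument above is that in the classic MIPS32 address map the minimum privilege of an access is a function of the top three address bits, so it can be settled before any translation or data fetch, whereas on an architecture that keeps the user/supervisor bit in the page tables the check cannot complete until the TLB or page walk has. The model below is an added illustration of that ordering, not code from this thread or from James; the segment boundaries (kuseg, kseg0, kseg1, ksseg, kseg3) and the fixed kseg0/kseg1 physical mapping are the architectural MIPS32 ones with EVA ignored, while the mode names, result codes and the two-entry toy TLB are invented for the example:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of where the privilege decision sits in the classic MIPS32 address
 * map (EVA ignored). Added illustration, not code from the mailing list:
 * the segment boundaries are the architectural ones, everything else (mode
 * names, result codes, the toy TLB and its contents) is made up here.
 */

enum mips_mode { MODE_USER = 0, MODE_SUPERVISOR = 1, MODE_KERNEL = 2 };

enum access_result {
    ACCESS_DENIED_BY_SEGMENT,  /* refused from the address bits alone   */
    ACCESS_UNMAPPED,           /* kseg0/kseg1: fixed physical address   */
    ACCESS_TLB_HIT,            /* mapped segment, translation found     */
    ACCESS_TLB_MISS            /* mapped segment, no translation        */
};

struct segment { const char *name; enum mips_mode min_mode; int mapped; };

/* Indexed by the top 3 bits of the virtual address. */
static const struct segment segments[8] = {
    [0] = {"kuseg", MODE_USER, 1}, [1] = {"kuseg", MODE_USER, 1},
    [2] = {"kuseg", MODE_USER, 1}, [3] = {"kuseg", MODE_USER, 1},
    [4] = {"kseg0", MODE_KERNEL, 0},      /* 0x80000000-0x9fffffff, cached   */
    [5] = {"kseg1", MODE_KERNEL, 0},      /* 0xa0000000-0xbfffffff, uncached */
    [6] = {"ksseg", MODE_SUPERVISOR, 1},  /* 0xc0000000-0xdfffffff           */
    [7] = {"kseg3", MODE_KERNEL, 1},      /* 0xe0000000-0xffffffff           */
};

/* Toy TLB: 4 KiB pages, VPN -> PFN. Constructed sample contents. */
struct tlb_entry { uint32_t vpn; uint32_t pfn; int valid; };
static const struct tlb_entry tlb[] = {
    { 0x00400000u >> 12, 0x01000000u >> 12, 1 },   /* a user text page */
    { 0xc0000000u >> 12, 0x02000000u >> 12, 1 },   /* a ksseg page     */
};

/* Least-privileged mode allowed to touch vaddr: a 3-bit table index. */
enum mips_mode mips_min_mode(uint32_t vaddr)
{
    return segments[vaddr >> 29].min_mode;
}

/*
 * Step 1 compares the segment's minimum mode with the current mode and needs
 * nothing from memory, so it can be resolved before a speculative load
 * issues. Only accesses that pass it proceed to translation (step 2), which
 * is the part that depends on TLB/page-table contents.
 */
enum access_result mips_access(uint32_t vaddr, enum mips_mode cur,
                               uint32_t *paddr)
{
    const struct segment *seg = &segments[vaddr >> 29];

    if (cur < seg->min_mode)
        return ACCESS_DENIED_BY_SEGMENT;

    if (!seg->mapped) {            /* kseg0/kseg1: drop the segment bits */
        *paddr = vaddr & 0x1fffffffu;
        return ACCESS_UNMAPPED;
    }

    for (size_t i = 0; i < sizeof tlb / sizeof tlb[0]; i++) {
        if (tlb[i].valid && tlb[i].vpn == (vaddr >> 12)) {
            *paddr = (tlb[i].pfn << 12) | (vaddr & 0xfffu);
            return ACCESS_TLB_HIT;
        }
    }
    return ACCESS_TLB_MISS;
}

int main(void)
{
    uint32_t pa = 0;
    static const char *const names[] = {
        "denied by segment bits", "unmapped", "tlb hit", "tlb miss"
    };

    printf("user   -> 0x80001000: %s\n",
           names[mips_access(0x80001000u, MODE_USER, &pa)]);
    printf("kernel -> 0x80001000: %s, pa=0x%08x\n",
           names[mips_access(0x80001000u, MODE_KERNEL, &pa)], pa);
    printf("kernel -> 0x00400abc: %s, pa=0x%08x\n",
           names[mips_access(0x00400abcu, MODE_KERNEL, &pa)], pa);
    return 0;
}
```

Two things the model makes visible. A user-mode access to any kseg address is refused by the segment test without consulting the TLB, which is the property the reply relies on. Conversely, a kernel-mode access to a kuseg address (the third printf) passes the segment test and goes on to translate normally, so nothing in the layout constrains where a kernel-side speculative load lands within the ranges the kernel is already entitled to, which is the "within a privilege level" caveat in the last paragraph.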