From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linutronix.de (146.0.238.70:993) by crypto-ml.lab.linutronix.de with IMAP4-SSL for ; 11 Dec 2018 01:53:47 -0000 Received: from mga03.intel.com ([134.134.136.65]) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1gWXF2-0001YA-Oj for speck@linutronix.de; Tue, 11 Dec 2018 02:53:46 +0100 Date: Mon, 10 Dec 2018 17:53:39 -0800 From: Andi Kleen Subject: [MODERATED] Re: [PATCH v2 6/8] MDSv2 3 Message-ID: <20181211015339.GD16024@tassilo.jf.intel.com> References: <4c82eebb25381317499b1a92b7c6d516df265536.1544464266.git.ak@linux.intel.com> <20181211004622.GA24945@agluck-desk> MIME-Version: 1.0 In-Reply-To: <20181211004622.GA24945@agluck-desk> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: speck@linutronix.de List-ID: On Mon, Dec 10, 2018 at 04:46:22PM -0800, speck for Luck, Tony wrote: > On Tue, Dec 11, 2018 at 12:37:49AM +0000, speck for Andrew Cooper wrote: > > On 10/12/2018 17:53, speck for Andi Kleen wrote: > > > From: Andi Kleen > > Interrupting the middle of the software sequence is only one half of the > > problem. > > > > The other half is when an NMI/#MC/etc hits on the return to guest path > > after executing VERW, at which point you've just refilled all the > > buffers between trying to clear them, and returning to userspace. > > NMI would seem to be the only exploitable option (since user might > user perf to arrange an NMI in this window ... user can't force #MC > or SMI on command). > > Would NMI fill the microarchitectural buffers with secrets? The problem is not NMI filling (afaik it doesn't), but NMI preventing the proper clearing. -Andi