From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tony.luck@intel.com>
Received: from mail.linutronix.de (146.0.238.70:993) by
  crypto-ml.lab.linutronix.de with IMAP4-SSL for <speck@linutronix.de>; 11 Dec
  2018 00:46:27 -0000
Received: from mga06.intel.com ([134.134.136.31])
	by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
	(Exim 4.80)
	(envelope-from <tony.luck@intel.com>)
	id 1gWWBt-0000Ob-J0
	for speck@linutronix.de; Tue, 11 Dec 2018 01:46:26 +0100
Date: Mon, 10 Dec 2018 16:46:22 -0800
From: "Luck, Tony" <tony.luck@intel.com>
Subject: [MODERATED] Re: [PATCH v2 6/8] MDSv2 3
Message-ID: <20181211004622.GA24945@agluck-desk>
References: <cover.1544464266.git.ak@linux.intel.com>
 <4c82eebb25381317499b1a92b7c6d516df265536.1544464266.git.ak@linux.intel.com>
 <fa1f5b14-1f23-a762-b508-072b09b68fff@citrix.com>
MIME-Version: 1.0
In-Reply-To: <fa1f5b14-1f23-a762-b508-072b09b68fff@citrix.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID: <speck.linutronix.de>

On Tue, Dec 11, 2018 at 12:37:49AM +0000, speck for Andrew Cooper wrote:
> On 10/12/2018 17:53, speck for Andi Kleen wrote:
> > From: Andi Kleen <ak@linux.intel.com>
> Interrupting the middle of the software sequence is only one half of the
> problem.
> 
> The other half is when an NMI/#MC/etc hits on the return to guest path
> after executing VERW, at which point you've just refilled all the
> buffers between trying to clear them, and returning to userspace.

NMI would seem to be the only exploitable option (since user might
user perf to arrange an NMI in this window ... user can't force #MC
or SMI on command).

Would NMI fill the microarchitectural buffers with secrets?

-Tony