From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mx2.suse.de ([195.135.220.15])
	by Galois.linutronix.de with esmtps (TLS1.0:DHE_RSA_CAMELLIA_256_CBC_SHA1:256)
	(Exim 4.80)
	(envelope-from )
	id 1fQzDI-00022C-LS
	for speck@linutronix.de; Thu, 07 Jun 2018 20:00:46 +0200
Received: from relay2.suse.de (charybdis-ext-too.suse.de [195.135.220.254])
	by mx2.suse.de (Postfix) with ESMTP id D687CACC6
	for ; Thu, 7 Jun 2018 18:00:37 +0000 (UTC)
Date: Thu, 7 Jun 2018 20:00:35 +0200 (CEST)
From: Jiri Kosina
Subject: [MODERATED] Re: spectrev1+
In-Reply-To:
Message-ID:
References: <20180601171244.GA30216@char.us.oracle.com> <20180601212952.GA7354@char.us.oracle.com> <20180604153815.GU12198@hirez.programming.kicks-ass.net> <20180605175837.ry5tx3widl6hj5ob@treble>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID:

On Wed, 6 Jun 2018, speck for Jiri Kosina wrote:

> > Can some Intel person explain how the processor could possibly
> > speculatively do a 'ret' instruction that actually uses the value that
> > the front-end doesn't even have (ie "not RSB/BTB")?
>
> I earlier today already asked for more details about exactly this back
> through the official channel I've received the whitepaper from as well.
> I'll relay any information I eventually receive to this list.

So apparently due to multiple questions Intel received about this, there
is going to be a more detailed version of the whitepaper with a more
detailed walk-through of the stack/ret based attack and we should stay
tuned ... that's unfortunately all the information I've received by now :/

Feels like they're still confident that the attack is somehow possible.

-- 
Jiri Kosina
SUSE Labs