> Example code is already out there
> https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6. I
> built this on my PC and it worked! Is there a zArch instruction to flush
> a cache line like the _mm_clflush() built-in for x86? If so it would be
> easy to compile and run spectre.c on z/OS and see what happens.
Parts of Spectre consist of training the branch predictor to predict that the branch will go to an address you want it to perform speculative execution on. The research teams have targeted Intel's Haswell line in particular for this. It also relies on the branch predictor masking the addresses in the branch target buffer. The higher parts of the addresses are ignored, giving much more freedom to the attacker. Furthermore, the entries in the BTB are not linked to an individual address space. The branch predictor will use a prediction that it was trained on in address space A in address space B.

I don't know enough about branch prediction on z/Arch to tell you if it's as trainable as the Intel or AMD branch predictors. And as you said, you need some control over what lives in the cache and what does not. There are some z/Arch instructions to mark cached data as no longer important, but the PoP specifically mentions that the CPU does not necessarily remove the data from cache. You can trick the CPU into filling the cache with junk that you're using in a dummy process, though.

The code in the example is still Intel specific. AMD is an "Intel clone", as far as instruction set and behavior go, but they differ on a microcode level. x86 and z/Arch differ in many more ways.

- Jan

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
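As an added illustration of the bounds-check part of Jan's explanation (example code written for this page, not part of the thread or of the gist quoted above): the branch that guards an array access is exactly what gets mispredicted, so the usual mitigation is to clamp the index with arithmetic instead of control flow. The mask routine below is modelled on the Linux kernel's generic `array_index_mask_nospec()`; the array contents, the `secret` string and the function names are constructed for the example, and the code assumes a two's-complement compiler with an arithmetic right shift on `long` (what GCC and Clang provide).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY1_SIZE 16

/* Constructed sample data: a small public array. In a real Spectre-v1
   layout, attacker-chosen out-of-range indexes reach past its end. */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static const char secret[] = "constructed-secret-value";

/* Victim pattern: the bounds check is a conditional branch. After the
   predictor has been trained to expect "in bounds", the CPU may load
   array1[x] speculatively for an out-of-range x before the compare resolves. */
uint8_t read_checked_branch(unsigned long x)
{
    if (x < ARRAY1_SIZE)
        return array1[x];
    return 0;
}

/* Branch-free mask, modelled on the kernel's array_index_mask_nospec():
   returns all ones when index < size and zero otherwise, with no branch
   for the predictor to train. Assumes size <= LONG_MAX. */
static inline unsigned long array_index_mask(unsigned long index, unsigned long size)
{
    /* index <  size: index and (size-1-index) both have the top bit clear,
                      ~ sets it, arithmetic shift spreads it to all ones.
       index >= size: (size-1-index) wraps with the top bit set, ~ clears it,
                      the shift yields zero. */
    long m = ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
#ifdef __GNUC__
    /* Keep the compiler from folding the mask away because it "knows" the
       check already passed (the kernel uses OPTIMIZER_HIDE_VAR for this). */
    __asm__ __volatile__("" : "+r"(m));
#endif
    return (unsigned long)m;
}

/* Index that the hardened read actually dereferences: any out-of-range x
   collapses to 0, so even a speculative load stays inside array1. */
unsigned long clamp_index(unsigned long x)
{
    return x & array_index_mask(x, ARRAY1_SIZE);
}

/* Hardened pattern: same check for correctness, but the index used for the
   load no longer depends on the branch outcome. */
uint8_t read_masked(unsigned long x)
{
    if (x < ARRAY1_SIZE)
        return array1[clamp_index(x)];
    return 0;
}

int main(void)
{
    unsigned long out_of_range = ARRAY1_SIZE + (unsigned long)(secret - (const char *)array1);
    printf("in-range 3: branch=%u masked=%u\n",
           read_checked_branch(3), read_masked(3));
    printf("out-of-range %lu clamps to index %lu\n",
           out_of_range, clamp_index(out_of_range));
    return 0;
}
```

The masked form is the pattern kernels and runtimes apply at untrusted-index sites (`array_index_nospec` in Linux); it is architecture-neutral, which matters for the z/Arch question above, since it does not depend on a cache-flush or speculation-barrier instruction being available.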
