The IBM Security/Integrity portal has the information you're seeking. Mark Jacobs
> David Crayford <mailto:[email protected]> > January 5, 2018 at 7:09 AM > > > Indeed. And there are Linux patches for AMD WRT RDSTC speculation > exploits > https://github.com/openSUSE/kernel/commit/6a334d96b8c8924357e2c692c305066f512ec1b8. > > > > IBM remain tight lipped about z/OS exploits but are releasing patches > for POWER which shares a similar DNA to Z, so I wonder if there are > vulnerabilities. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > > > Please be alert for any emails that may ask you for login information > or directs you to login via a link. If you believe this message is a > phish or aren't sure whether this message is trustworthy, please send > the original message as an attachment to '[email protected]'. > > Cannaerts, Jan <mailto:[email protected]> > January 5, 2018 at 4:53 AM > >Example code is already out there > >https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6 > <https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6>. > I > >built this on my PC and it worked! Is there a zArch instruction to flush > >a cache line like the _mm_clflush() built-in for x86? If so it would be > >easy to compile and run spectre.c on z/OS and see what happens. > > Parts of Spectre consist of training the branch predictor to predict > that the > branch will go to an address you want it to perform speculative > execution on. > The research teams have targeted Intel's Haswell line in particular > for this. > > It also relies on the branch predictor masking the addresses in the branch > target buffer. The higher parts of the addresses are ignored, giving > much more > freedom to the attacker. Furthermore the entries in the BTB are not > linked to > an invididual address-space. The branch predictor will use a > prediction that > it was trained from in address space A, in address space B. I don't know > enough about branch prediction on z/Arch to tell you if it's as > trainable as > the Intel or AMD branch predictors. > > And as you said, you need some control over what lives in the cache > and what > does not. There are some z/Arch instructions to mark cached data as no > longer > important, but the PoP specifically mentions that the CPU does not > necessarily > remove the data from cache. You can trick the CPU in to filling the > cache with > junk that you're using in a dummy process though. > > The code in the example is still Intel specific. AMD is an "Intel > clone", as far > as instruction set and behavior goes, but they differ on a microcode > level. > x86 and z/Arch differ in many more ways. > > - > Jan > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > > Please be alert for any emails that may ask you for login information > or directs you to login via a link. If you believe this message is a > phish or aren't sure whether this message is trustworthy, please send > the original message as an attachment to '[email protected]'. > -- Mark Jacobs Time Customer Service Global Technology Services The standard you walk past is the standard you accept. Lt. Gen. David Morrison ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
