Fork us on GitHub Follow us on Google+ Follow us on Facebook Follow us on Twitter

Opened 7 months ago

Last modified 7 months ago

#718 new enhancement

Implement mitigations for Meltdown and Spectre

Reported by: Jiří Zárevúcky Owned by:
Priority: minor Milestone:
Component: helenos/kernel/amd64 Version: mainline
Keywords: Cc:
Blocker for: Depends on:
See also:

Description

Note: To my knowledge, HelenOS is not used as part of any important infrastructure, so this has low priority.

https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

Change History (5)

comment:1 Changed 7 months ago by Jiří Zárevúcky

Component: helenos/unspecifiedhelenos/kernel/amd64
Owner: set to Jakub Jermář

comment:2 Changed 7 months ago by Jiří Zárevúcky

Owner: changed from Jakub Jermář to Jiří Zárevúcky
Status: newassigned

comment:3 Changed 7 months ago by Jiří Zárevúcky

Owner: Jiří Zárevúcky deleted
Status: assignednew

comment:4 Changed 7 months ago by Jakub Jermář

I suggest we first collect and analyze information regarding which architectures / vendor combinations are exactly affected by each of the two / three attacks. We also need to understand what kind of information can leak for each of these cases (e.g. the entire memory vs. limited portions of user memory temporarily mapped / copied into the kernel, such as contents of IPC buffers before the other side manages to answer the call or the contents of pages during page fault handling, etc.).

One option to consider, especially wrt. your note above, is to treat this merely as a bug in the "simulator" (a.k.a. the CPU) and wait for a fixed version (microcode updates already started appearing) instead of providing a short-term, possibly incomplete mitigations that have negative impact on performance.

comment:5 Changed 7 months ago by Jiří Zárevúcky

Yeah. One of the mitigation is simply using a newer (as of now unreleased?) version of GCC, and adding a compiler switch. I agree it's best for us to wait and see what action is still necessary when all the CPU and compiler updates are done.

Note: See TracTickets for help on using tickets.