Article <2024Jun17.082520@mips.complang.tuwien.ac.at>

Path: ...!2.eu.feeder.erje.net!feeder.erje.net!news2.arglkargh.de!news.mixmin.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: anton@mips.complang.tuwien.ac.at (Anton Ertl)
Newsgroups: comp.arch
Subject: Re: Qualcomm's Oryon boasts hardware "side-channel mitigations"
Date: Mon, 17 Jun 2024 06:25:20 GMT
Organization: Institut fuer Computersprachen, Technische Universitaet Wien
Lines: 41
Message-ID: <2024Jun17.082520@mips.complang.tuwien.ac.at>
References: <2024Jun14.174602@mips.complang.tuwien.ac.at> <v4o16o$a45a$1@dont-email.me>
Injection-Date: Mon, 17 Jun 2024 08:53:37 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="e0f2e6a4910bb025cd872434dd109c2c";
	logging-data="559707"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1+YFyuAGHhAF5tVA9ydfQj/"
Cancel-Lock: sha1:zpEnvdYkEJ9Tv+HhUr33ravS1b8=
X-newsreader: xrn 10.11
Bytes: 3101

Lawrence D'Oliveiro <ldo@nz.invalid> writes:
>On Fri, 14 Jun 2024 15:46:02 GMT, Anton Ertl wrote:
>
>> ... "mitigation" has a weaker sound than "fix" to me ...
>
>“Mitigation” seems to be the standard term when referring to security 
>fixes.

When I look at
<https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html>,
e.g., for Meltdown (CVE-2017-5754), I see for some hardware "Software"
(i.e., not fixed in hardware) and for other hardware (e.g., Tiger Lake
U) "Not affected" (i.e., fixed in hardware, for CPUs like Tiger Lake U
where the ancestors were affected; for cores where the ancestors were
not affected, these were already constructed correctly, not fixed; but
if you just look at the particular hardware without considering its
pedigree, it's just "not affected"); other entries (e.g., for Spectre
v2) have "MCU+Software" (i.e., microcode changes for supporting
software mitigations, i.e., not fixed in hardware) and
"Hardware+Software" (i.e., hardware changes for supporting software
mitigations, i.e., not fixed in hardware).  I see no mention of
"hardware mitigation" for CPUs there that are not affected.

"Mitigation" has a weak sound to me because it is used when the
security hole is not closed at all, but instead one suggests that
someone else should do something or avoid something such that the
still-existing vulnerability cannot be exploited.  E.g., in the case
of Spectre v2, to insert retpolines and/or new instructions like IBRS,
STIBP, IBPB (provided in microcode or in hardware) in the software.

>Think of “fix” as a marketing term, that could suggest that you 
>will have no further problems in future.

That's totally unlike any use of "fix" that I have seen.  Bugfixes are
provided for software all the time, and they do not promise that no
other bugs will be found in the future.

- anton
-- 
'Anyone trying for "industrial quality" ISA should avoid undefined behavior.'
  Mitch Alsup, <c17fcd89-f024-40e7-a594-88a85ac10d20o@googlegroups.com>