Deutsch English Français Italiano |
<2024Jun17.082520@mips.complang.tuwien.ac.at> View for Bookmarking (what is this?) Look up another Usenet article |
Path: ...!2.eu.feeder.erje.net!feeder.erje.net!news2.arglkargh.de!news.mixmin.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail From: anton@mips.complang.tuwien.ac.at (Anton Ertl) Newsgroups: comp.arch Subject: Re: Qualcomm's Oryon boasts hardware "side-channel mitigations" Date: Mon, 17 Jun 2024 06:25:20 GMT Organization: Institut fuer Computersprachen, Technische Universitaet Wien Lines: 41 Message-ID: <2024Jun17.082520@mips.complang.tuwien.ac.at> References: <2024Jun14.174602@mips.complang.tuwien.ac.at> <v4o16o$a45a$1@dont-email.me> Injection-Date: Mon, 17 Jun 2024 08:53:37 +0200 (CEST) Injection-Info: dont-email.me; posting-host="e0f2e6a4910bb025cd872434dd109c2c"; logging-data="559707"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+YFyuAGHhAF5tVA9ydfQj/" Cancel-Lock: sha1:zpEnvdYkEJ9Tv+HhUr33ravS1b8= X-newsreader: xrn 10.11 Bytes: 3101 Lawrence D'Oliveiro <ldo@nz.invalid> writes: >On Fri, 14 Jun 2024 15:46:02 GMT, Anton Ertl wrote: > >> ... "mitigation" has a weaker sound than "fix" to me ... > >“Mitigation” seems to be the standard term when referring to security >fixes. When I look at <https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html>, e.g., for Meltdown (CVE-2017-5754), I see for some hardware "Software" (i.e., not fixed in hardware) and for other hardware (e.g., Tiger Lake U) "Not affected" (i.e., fixed in hardware, for CPUs like Tiger Lake U where the ancestors were affected; for cores where the ancestors were not affected, these were already constructed correctly, not fixed; but if you just look at the particular hardware without considering it's pedigree, it's just "not affected"); other entries (e.g., for Spectre v2) have "MCU+Software" (i.e., microcode changes for supporting software mitigations, i.e., not fixed in hardware) and "Hardware+Software" (i.e., hardware changes for supporting software mitigations, i.e., not fixed in hardware. I see no mention of "hardware mitigation" for CPUs there that are not affected. "Mitigation" has a weak sound to be because it is used when the security hole is not closed at all, but instead one suggests that someone else should do something or avoid something such that the still-existing vulnerability cannot be exploited. E.g., in the case of Spectre v2, to insert retpolines and/or new instructions like IBRS, STIBP, IBPB (provided in microcode or in hardware) in the software. >Think of “fix” as a marketing term, that could suggest that you >will no further problems in future. That's totally unlike any use of "fix" that I have seen. Bugfixes are provided for software all the time, and they do not promise that no other bugs will be found in the future. - anton -- 'Anyone trying for "industrial quality" ISA should avoid undefined behavior.' Mitch Alsup, <c17fcd89-f024-40e7-a594-88a85ac10d20o@googlegroups.com>