[Cryptography] RISC-V branch predicting
Nico Williams
nico at cryptonector.com
Thu Feb 8 14:42:50 EST 2018
On Wed, Feb 07, 2018 at 09:43:04AM -0800, Nemo wrote:
> Eliminating speculative execution would be a disaster for
> performance. It would also be stupid, because the real problem is not
> speculation per se, but covert channels between privilege domains
> (e.g. cache timing attacks).
Elimination of side channels is really hard.
Elimination of observability of side channels is harder.
The problem with speculative execution is that abandoned speculated code
paths end up having observable effects in the form of cache line
evitions.
Sharing less is one answer, but it's a non-trivial answer since we can
already do that by flushing caches on context switches and we know that
sucks, and we know too that adding tagged caches will cost a ton of
silicon.
Everything that could be done here (other than nothing) has massive
costs that no one wants to incur (surprise). Doing nothing has its own
less tangible cost: security.
Nico
--
More information about the cryptography
mailing list