[Cryptography] Speculation considered harmful?

Tony Arcieri bascule at gmail.com
Thu Jan 4 23:32:32 EST 2018


I think RISC-V makes for an interesting sidebar...

I have seen a lot of (mostly joking) calls for an earlier time when CPUs
didn't do speculative execution (often pointing to '60s era VAX systems or
what have you).

Most RISC-V CPUs that presently exist today do not implement speculation.
This is mostly just because for the most part RISC-V is a "puny core" and
where people are building larger RISC-V chips they're taking the "swarm of
puny cores" approach, e.g. this 4096-core CPU:
https://fuse.wikichip.org/news/686/esperanto-exits-stealth-mode-aims-at-ai-with-a-4096-core-7nm-risc-v-monster/

That said, adding speculative execution features to RISC-V is presently an
open research area (perhaps some companies have shipped RISC-V CPUs with
these features, but I am not presently aware of any).

In 20/20 hindsight of this whole debacle, I am curious if, along with
memory protections available in RISC-V CPUs such as an "every word tagged"
memory architecture, RISC-V can strategically eliminate this entire
bug class, e.g. ensuring privilege checks are always synchronous because the
only physical path to the memory demands it. As far as I can tell it has
both a great foundation and is in the perfect place to solve these problems
correctly in a clean-room implementation.

The "swarm of puny cores" approach is a bad fit for a lot of problem
domains, so I'm curious to see if RISC-V implementations can evolve into
something a bit closer to what we'd use for typical "business logic"-heavy
server workloads.