[Cryptography] Spectre -- would an L0 for speculation-only help?

Henry Baker hbaker1 at pipeline.com
Fri Jan 12 11:48:53 EST 2018


At 11:20 AM 1/11/2018, Nico Williams wrote:
>Suppose speculative execution never evicted cache lines in any cache, except a special, _small_ (say, 8 cache lines) cache only used during speculation.
>
>Call this cache L0.
>
>When a speculated thread is committed then all the cache lines in L0 loaded during speculation are moved to L1, resulting in evictions only at commit time.
>
>That is, speculative execution would have an L0 in its cache hierarchy, while non-speculative execution would not.
>
>L0/L1 would not be inclusive; L0 would never be loaded from L1.
>
>L2/L3 misses might have to stop speculative execution if the cache hierarchy is inclusive, but not otherwise.
>
>I suspect that in order to perform well L1 misses would have to not stop speculation in any case.
>
>L0 would have to be teeny tiny -- it cannot cost too much die area.
>
>But it wouldn't have to be very large at all to have the desired effect of allowing performant speculative execution with no side-effects on L1 for abandoned speculation.
>
>Is this crazy?
>
>Workable?

IMHO the major problem is that your scheme handles only *one level* of speculation.

When you need to twiddle your registers for 200 instructions or more, you get very far down a multiplicity of garden paths.

In my experience, program sequences consist of large amounts of straight-line code or large thickets of conditional code.

It's essentially impossible to organize the conditionals in such a way to avoid exponential explosion of speculation.



More information about the cryptography mailing list