[Cryptography] RISC-V isn't the answer

Tony Arcieri bascule at gmail.com
Mon Jan 22 10:45:41 EST 2018


On Mon, Jan 22, 2018 at 6:30 AM, Henry Baker <hbaker1 at pipeline.com> wrote:

> RISC-V caches aren't partitioned [...] As I said before, every plaintext
> compression attack can be translated into a timing attack against a
> processor with a cache, since the cache "compresses" the memory reference
> stream.  RISC-V does nothing to address (!) this issue.


RISC-V is just an ISA. Someone could easily design a RISC-V core with
partitioned caches.


> I'm not interested in squashing bugs like Meltdown and Spectre one by one
> -- it's far too expensive.  We need to squash entire classes of bugs with
> one swat, and this means learning from experiences like plaintext
> compression attacks.

lowRISC provides an every-word-tagged memory architecture. This information
could be augmented to encode things like memory protection domains (or may
already include the necessary information, I have not done an exhaustive
survey of their tag bits), much in the same way KPTI is being leveraged as
a page-level protection with the Linux kernel's assistance. With
information about the current protection domain encoded in every single
word of memory, caches and memory controllers could physically deny access
to words which are not tagged with the current protection domain. This
would provide a central point of enforcement for *synchronous* checks which
could prevent CPUs from speculating outside the current protection domain
in the first place.

I'm sure RISC-V designers will be researching both of these options, and
more. Far from being doomed, RISC-V is going to be arguably the most
exciting place for this sort of research.

-- 
Tony Arcieri
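
The message above contrasts a synchronous, per-word tag check with a check that is resolved only after data has been forwarded. The following toy model is an added example, not part of the original message and not lowRISC's design; the tag layout, struct names and function names are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical tagged word; this layout is an assumption, not lowRISC's tag encoding. */
struct tagged_word { uint8_t data; uint8_t domain; };

struct machine {
    struct tagged_word mem[8];
    bool probe_cached[256];   /* cache state: survives a pipeline squash */
    uint8_t cur_domain;
    bool synchronous_check;   /* true: tag is checked before data leaves memory */
};

/* Memory controller. Returns true if data was forwarded to the pipeline.
 * With a deferred check the data is forwarded and the fault is raised later. */
static bool mem_load(const struct machine *m, unsigned idx, uint8_t *out, bool *fault)
{
    *fault = m->mem[idx].domain != m->cur_domain;
    if (*fault && m->synchronous_check)
        return false;         /* denied at the source: nothing to speculate on */
    *out = m->mem[idx].data;
    return true;
}

/* Models "v = mem[idx]; touch probe[v]" with the second load issued
 * speculatively. Returns true if the sequence retires without a fault. */
bool load_then_touch(struct machine *m, unsigned idx)
{
    uint8_t v = 0; bool fault;
    if (mem_load(m, idx, &v, &fault))
        m->probe_cached[v] = true; /* dependent load fills a cache line */
    return !fault;                 /* a fault squashes registers, not the cache */
}

/* Constructed scenario: word 3 holds 0x5a and is tagged with domain 1.
 * Returns how many probe lines are cached after one load from run_domain. */
int residue_after_load(uint8_t run_domain, bool synchronous_check)
{
    struct machine m;
    int n = 0;
    memset(&m, 0, sizeof m);
    m.mem[3] = (struct tagged_word){ 0x5a, 1 };
    m.cur_domain = run_domain;
    m.synchronous_check = synchronous_check;
    load_then_touch(&m, 3);
    for (int i = 0; i < 256; i++) n += m.probe_cached[i];
    return n;
}
```

In this model a cross-domain load leaves one cached probe line when the check is deferred and none when the check is synchronous, while a same-domain load behaves normally in both modes.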