
Short question: I read an article about the Spectre vulnerability.

It says that only high-end ARM processors are affected, not the low-end ones. Since low-end ARM CPUs don't support SIMD instructions (aka the NEON extension on ARM), it sounds to me like SIMD is the issue. I'm not that deep into the topic, but I found a paper on speculative instructions for SIMD.

I just want to know if I'm correct or on the wrong track.

Citrullin

1 Answer


No, the "high-end" feature that matters on those ARM CPUs is out-of-order execution, with branch-prediction + speculative execution.

In-order CPUs with NEON (like the Cortex-A53) aren't on the list of affected CPUs, because Spectre depends on speculative execution.


Spectre primes the branch predictors so an indirect branch in privileged code is mispredicted to go somewhere that causes a data-dependent change in micro-architectural state before the mispredict is detected.

In Meltdown you run instructions yourself in unprivileged code; Intel CPUs continue speculative execution after a load that should have faulted, using the TLB entry for a kernel-only page. The fault isn't taken until the load tries to retire (which you can even delay by running a separate slow dependency chain of instructions ahead of the faulting-load + use of that data, because instructions retire in order).

For more microarchitectural details about how Meltdown works, see Why are AMD processors not/less vulnerable to Meltdown? (and Spectre)?

Peter Cordes
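The answer's point is that the danger is the speculation window after a branch, not the ISA extension. As an added illustration (not code from the answer or from any named project), here is the branchless index-masking pattern used to keep a bounds-checked load from executing with an out-of-range index while the branch is still unresolved; it is modelled on the Linux kernel's array_index_mask_nospec(), and the function and table names are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Branchless mask: all ones when index < size, zero otherwise.
 * Modelled on the Linux kernel's array_index_mask_nospec(): pure arithmetic,
 * so the compiler emits no conditional branch for the predictor to train on.
 * Assumes size <= SIZE_MAX / 2, which any real array satisfies. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    const unsigned bits = sizeof(size_t) * 8;
    /* size - 1 - index wraps to a huge value exactly when index >= size,
     * so the top bit of the OR is set iff the index is out of range. */
    size_t oob = (index | (size - 1 - index)) >> (bits - 1);   /* 1 or 0 */
    return oob - 1;                                            /* 0 or SIZE_MAX */
}

/* Architecturally correct bounds check.  In the speculation window after a
 * mispredicted branch, the load can still execute with an out-of-range idx
 * before the mispredict is detected. */
uint8_t lookup_plain(const uint8_t *table, size_t size, size_t idx)
{
    if (idx >= size)
        return 0;
    return table[idx];
}

/* Same check, but if speculation runs this path with idx >= size the index
 * is clamped to 0, so the speculative load hits table[0] rather than an
 * out-of-range address.  On arm64 the kernel follows the mask with a CSDB
 * barrier; on x86 the mask alone is relied upon. */
uint8_t lookup_hardened(const uint8_t *table, size_t size, size_t idx)
{
    if (idx >= size)
        return 0;
    idx &= index_mask_nospec(idx, size);
    return table[idx];
}

/* Constructed sample table for exercising the helpers. */
static const uint8_t sample_table[8] = { 10, 20, 30, 40, 50, 60, 70, 80 };

uint8_t sample_lookup(size_t idx)
{
    return lookup_hardened(sample_table, sizeof sample_table, idx);
}
```

Both lookups return the same values architecturally; the difference only matters for what the CPU may do transiently on the mispredicted path.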
  • What's the difference between speculative execution and SIMD with speculative dynamic instructions? In which extension is the speculative execution included? – Citrullin Jan 04 '18 at 12:58
  • 1
    @PhilippBlum: No existing architectures implement the speculative-vectorization proposed in that paper. I only skimmed, but I think it uses existing speculative-execution hardware features to auto-vectorize strided loads inside the CPU (checking for mis-speculation if the load address doesn't follow a pattern), or else it lets compilers do that efficiently. Read the Meltdown paper which has a brief summary of branch prediction (https://meltdownattack.com/meltdown.pdf). Or read how out-of-order execution works in Haswell, for example: https://www.realworldtech.com/haswell-cpu/3/ – Peter Cordes Jan 04 '18 at 13:03
  • @PhilippBlum it is speculative execution leading to prefetching (etc.) leading to cache activity/changes that are the key. Not a specific subset of the whole ISA, but anywhere you can cause cache changes leading to information you can use/shouldn't have. If I understand right, the two issues are one process seeing stuff from another (userland seeing kernel stuff) and, worse, pseudo-sandboxes seeing each other in the same process. In theory a program should be able to see all of its stuff, but what about two separate webpages (same browser/program) running Java(Script)? We want those separated. – old_timer Jan 05 '18 at 15:01
  • @old_timer: yes, I updated my answer with a summary: Spectre is about priming / "training" the branch predictors for an indirect branch. (And then using a cache-timing side-channel to read the resulting change in microarchitectural state.) – Peter Cordes Jan 06 '18 at 00:03