admin-guide/hw-vuln/spectre.rst

7 and speculative execution on modern CPUs to read memory, possibly
8 bypassing access controls. Speculative execution side channel exploits
16 Speculative execution side channel methods affect a wide range of modern
18 use branch prediction and speculative execution.
53 CPUs use speculative operations to improve performance. That may leave
56 influence the speculative execution paths, and then use the side effects
57 of the speculative execution in the CPUs' caches and buffers to infer
58 privileged data touched during the speculative execution.
60 Spectre variant 1 attacks take advantage of speculative execution of
61 conditional branches, while Spectre variant 2 attacks use speculative
70 of speculative execution that bypasses conditional branch instructions
74 done speculatively before validation checks resolve. Such speculative
92 The branch target injection attack takes advantage of speculative
97 the victim. The side effects left in the CPU's caches during speculative
102 In Spectre variant 2 attacks, the attacker can steer speculative indirect
119 return stack buffer (RSB) :ref:`[13] <spec_ref13>` to cause speculative
131 speculative execution's side effects left in level 1 cache to infer the
163    for speculative execution. This could cause privileged memory to be
168    macros are used to prevent speculative loading of data.
190    swapgs, and then do a speculative percpu load using the user GS
198    rest of the speculative window.
206    target buffer on indirect jump and jump to gadget code in speculative
210    speculative execution, he would also need to pass a parameter to the
217    indirect branches. Return trampolines trap speculative execution paths
218    to prevent jumping to gadget code during speculative execution.
282    are used to stop speculative memory access.
286    the kernel to jump to gadget code in the speculative execution paths.
483    addresses.  Speculative execution paths under retpolines are trapped
484    in an infinite loop to prevent any speculative execution jumping to
733 …analysis of speculative execution side channels <https://newsroom.intel.com/wp-content/uploads/sit…
761 … side-channels <https://developer.arm.com/support/arm-security-updates/speculative-processor-vulne…
765 … issues update <https://developer.arm.com/support/arm-security-updates/speculative-processor-vulne…
777 …] `MIPS: response on speculative execution and side channel vulnerabilities <https://www.mips.com/…
783 [11] `Spectre Attacks: Exploiting Speculative Execution <https://spectreattack.com/spectre.pdf>`_.