gem5-users@gem5.org

The gem5 Users mailing list


Meltdown simulation & analysis in FS mode using fs.py

reverent.green@web.de
Thu, Jul 20, 2023 9:49 AM

Hello everyone,

I am currently working on a meltdown simulation & analysis using the fs.py script. Using se.py is not possible, because there is no kernel space mapping.

As for the meltdown test code, I'm using this repo: https://github.com/IAIK/meltdown

After playing a bit with the multiple parameter options, my current command line call is:

"./build/X86/gem5.opt configs/example/fs.py --cpu-type=X86O3CPU --bp-type=LTAGE --caches --l2cache -n 8 --kernel=fs_stuff/vmlinux-5.4.49 --disk-image=fs_stuff/x86-ubuntu.img --script=fs_stuff/test"

As you can see here, I am using the X86O3CPU and the branch predictor LTAGE (mainly because spectre only works using LTAGE). In theory, this should work and the test binary is executed in the simulation, but unfortunately the simulation either stops right before the leak or during the leakage (not at an exact point every time, sometimes 1 char, sometimes 4 chars). The simulation does not abort by itself but looks like it's stuck somewhere. I waited for over one hour, but there was no extra char leaked.

First I thought something is missing to even leak anything here, but as some tries do in fact leak some parts of the secret before stopping, there should be another problem.

When the meltdown code is executed, the console log is spammed with "warn: instruction 'palignr_Vdq_Wdq_Ib' unimplemented". At first I thought this could be the missing piece, but even with these warnings, some parts of the secret were leaked in some tries.

My first goal is to get the complete leak in the result including a normal exit of the gem5 simulation.

Does anyone here have an idea or experience with this topic? It would be very helpful to discuss possible problems and solutions.

Thank you very much in advance.

Kind regards

Robin

Jason Lowe-Power
Thu, Jul 20, 2023 4:31 PM

Hi Robin,

This may be helpful:
http://www.lowepower.com/jason/visualizing-spectre-with-gem5.html

For `warn: instruction 'palignr_Vdq_Wdq_Ib' unimplemented`, this is an AVX
(or SSE) instruction that gem5 doesn't implement.

Overall, I'm not sure if gem5 is vulnerable to meltdown. I think that the
instruction is squashed when the TLB detects a page table fault and it does
not proceed to memory. You can check the O3 code to be sure, though.

Cheers,
Jason


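Jason's reasoning above turns on one microarchitectural question: does a load that fails its permission check still hand its data to dependent instructions before the squash lands? The toy model below is an added example in plain Python, not gem5 code; the pipeline latencies, the cache timings and the sample secret are constructed. It shows that a core which squashes at the TLB fault, before the access reaches memory, recovers nothing through the cache side channel, while a core that forwards the data first does.

```python
from dataclasses import dataclass, field

# Constructed timings for the Flush+Reload readout (cycles).
HIT_CYCLES, MISS_CYCLES, THRESHOLD = 40, 200, 100


@dataclass
class Core:
    # Cycles after issue at which the TLB reports the permission fault
    # (squashing every younger in-flight instruction) and at which the
    # L1 would return the load's data. Both are constructed knobs.
    fault_at: int
    data_at: int
    cached: set = field(default_factory=set)  # probe lines resident in cache

    def flush(self):
        self.cached.clear()

    def transient_load(self, kernel_mem, addr):
        """User-mode load from a kernel page followed by a dependent load
        that indexes a 256-line probe array with the loaded byte.
        Returns True only if the dependent load ran before the squash."""
        if self.fault_at <= self.data_at:
            return False  # squashed before the access reaches memory
        self.cached.add(kernel_mem[addr])  # dependent load warms one line
        return True

    def reload(self, line):
        return HIT_CYCLES if line in self.cached else MISS_CYCLES


def recover_byte(core, kernel_mem, addr):
    """Flush+Reload over the probe array: exactly one fast line reveals
    the forwarded byte; None means nothing was forwarded."""
    core.flush()
    core.transient_load(kernel_mem, addr)
    hits = [i for i in range(256) if core.reload(i) < THRESHOLD]
    return hits[0] if len(hits) == 1 else None


def recover(core, kernel_mem):
    out = []
    for addr in range(len(kernel_mem)):
        byte = recover_byte(core, kernel_mem, addr)
        out.append(chr(byte) if byte is not None else "?")
    return "".join(out)


SECRET = b"Meltdown"  # constructed stand-in for kernel memory

if __name__ == "__main__":
    # Permission check in the TLB before the access is sent to memory:
    print("fault before data:", recover(Core(fault_at=3, data_at=5), SECRET))  # ????????
    # Data returns and is forwarded to dependents before the fault lands:
    print("data before fault:", recover(Core(fault_at=8, data_at=5), SECRET))  # Meltdown
```

The property to look for in the O3 load/store path is therefore the first case: the fault must be raised and the load squashed before any dependent instruction can consume its data.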
Hoa Nguyen
Thu, Jul 20, 2023 8:38 PM

Hi all,

It appears that you're using an older version of gem5 that does not have
the palignr instructions implemented. The current stable branch has those
instructions implemented.

I'm not sure if this is a problem in your setup or related to this problem,
but I wanted to add that I was not able to boot Ubuntu server 22.04 with
the previous version of gem5 (v22 I think). I'm able to boot the OS using
gem5 v23.

Regards,
Hoa Nguyen


reverent.green@web.de
Sat, Jul 22, 2023 8:39 AM

Thanks for your replies,

I updated my gem5 version to the latest stable branch and the "palignr" warning is gone.

@Jason

You mentioned that gem5 may not even be vulnerable to meltdown. Do you think it is feasible to change some parts of the O3 code in order to make it vulnerable and after that analyze meltdown code?

That also means that in some runs gem5 aborts after a few chars, and sometimes it does not even leak one char before it aborts.

Maybe I can experiment with debug flags a bit more.

Kind regards,

Robin

_______________________________________________
gem5-users mailing list -- gem5-users@gem5.org
To unsubscribe send an email to gem5-users-leave@gem5.org
