Reformulation for "fencing when changing SDID" #108
Comments
|
Hi Ronan - this specification does not delve into any treatment of flushing any micro-arch state when supervisor domains are in use. The security model and the uarch side-channel specs are the right place for that treatment. The goal of this sentence was to note that the SDID is a hart-local identifier and may be reused as long as the state tagged by the re-used SDID is appropriately flushed. per your comment - i think these two lines should be moved to an "implementation note" - I plan to change it as follows - PTAL:
|
|
Ok, as I understand it, the SDID is a security domain identifier and therefore, upon changing it, should quite naturally trigger a fence.time kind of flushing/partitioning. As you say, the details should be left to the fence.time spec. What I wanted to say is that flushing cached state is required for proper functionality, flushing all state (with fence.time for example) is required for security. In a hypothetical future with fence.time, Moving this sentence to an implementation note is a great solution, but I think you can remove the "fencing to" for clarity. |
|
sounds good PTAL PR #109 |
I believe this phrase could be clarified:
riscv-smmtt/chapter3.adoc
Line 11 in 8879b1a
To me, "cached state" suggests only the need to flush specific microarchitectural caching structures (such as TLB, L1D, L1I). However, from a security standpoint, the correct action involves flushing all microarchitectural state, including components like branch prediction (BTB, RSB, TAGE) and cache controller states.
Suggested revision:
Still, I am unsure if this phrasing would be sufficiently clear for readers unfamiliar with the risks associated with covert channels.
The text was updated successfully, but these errors were encountered: