Re: Is MIPS affected by the recent KAISER/KASLR/KPTI/etc mess?

To: Joshua Kinard <>
Subject: Re: Is MIPS affected by the recent KAISER/KASLR/KPTI/etc mess?
From: James Hogan <>
Date: Fri, 5 Jan 2018 10:08:36 +0000
Cc: Linux/MIPS <>
List-id: linux-mips <>
List-software: Ecartis version 1.0.0
User-agent: Mutt/1.7.2 (2016-11-26)
On Thu, Jan 04, 2018 at 07:06:39PM -0500, Joshua Kinard wrote:
> Regarding the KAISER/KASLR/KPTI work to mitigate the recently-announced
> "Spectre" and "Meltdown" issues in x86/x64 and some Arm processors, does anyone
> know how vulnerable MIPS processors might be?
>
> My initial guess is Spectre might apply, since MIPS CPUs have supported
> speculative execution as far back as the R10000, and even the R10K manual
> contained an entire section on "The side-effects of speculative execution", for
> SGI's non-coherent platforms (IP28, IP32).  But MIPS is a varied ecosystem of
> CPUs, so if the arch is vulnerable, there might be specific MIPS CPU types that
> are not vulnerable.
>
> I am also uncertain if the way MIPS lays out its address space, with specific
> ranges for kernel mode, supervisor mode (unused), and user mode, makes this a
> non-issue.
>
> Thoughts?

I'm not a hardware engineer so don't quote me on this, and have only
briefly tried to detect leaked kernel data on a couple of recent cores,
but I'd be surprised if any MIPS cores are vulnerable to kernel data
leak, simply because the static segments (ignoring EVA) encode the
minimum privilege. Hardware should be able to test privilege very easily
compared to when that data comes from the TLB/page tables, hopefully
before anything can be done speculatively depending on the data that
would be read (but of course that doesn't mean individual cores can't be

The MIPS segment layout won't help with any leakage of speculative
execution within a privilege level though (e.g. eBPF or javascript
bounds checks).
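
The static segment layout the reply refers to, as an added example that is not part of the original message or of any kernel source: a small C model of the legacy MIPS32 address map (no EVA) in which the minimum privilege follows from virtual address bits 31..29 alone. The names `mips32_segment`, `access_allowed` and `fixed_translate` are hypothetical, and the current mode is assumed to be already resolved (no Status.EXL/ERL handling).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum mode { MODE_USER, MODE_SUPERVISOR, MODE_KERNEL }; /* least to most privileged */

struct segment {
    const char *name;
    enum mode min_mode; /* least privileged mode allowed to touch it */
    bool tlb_mapped;    /* true: translated via TLB, false: fixed window */
};

/* Legacy MIPS32 static segments (no EVA), indexed by VA bits 31..29. */
static const struct segment segments[8] = {
    {"kuseg", MODE_USER, true},       {"kuseg", MODE_USER, true},
    {"kuseg", MODE_USER, true},       {"kuseg", MODE_USER, true},
    {"kseg0", MODE_KERNEL, false},    /* 0x80000000: unmapped, cached   */
    {"kseg1", MODE_KERNEL, false},    /* 0xA0000000: unmapped, uncached */
    {"ksseg", MODE_SUPERVISOR, true}, /* 0xC0000000: mapped */
    {"kseg3", MODE_KERNEL, true},     /* 0xE0000000: mapped */
};

const struct segment *mips32_segment(uint32_t va) { return &segments[va >> 29]; }

/* The decision needs only the address bits and the current mode;
 * no TLB entry or page-table data is consulted. */
bool access_allowed(uint32_t va, enum mode cur)
{
    return cur >= mips32_segment(va)->min_mode;
}

/* kseg0/kseg1 reach the low 512 MiB of physical memory by masking. */
bool fixed_translate(uint32_t va, uint32_t *pa)
{
    if (mips32_segment(va)->tlb_mapped)
        return false; /* would need a TLB lookup, not modelled here */
    *pa = va & 0x1FFFFFFFu;
    return true;
}

int main(void)
{
    /* Constructed sample addresses, one per segment. */
    const uint32_t va[] = {0x00400000u, 0x80100000u, 0xA0000000u, 0xC0000000u, 0xFFFF0000u};
    for (size_t i = 0; i < sizeof va / sizeof va[0]; i++)
        printf("%08x %-5s user access: %s\n", (unsigned)va[i], mips32_segment(va[i])->name,
               access_allowed(va[i], MODE_USER) ? "allowed" : "address error");
    return 0;
}
```

The model covers only the architectural privilege check; whether a given core performs that check before any dependent speculative work is a microarchitectural property it does not capture.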

