Matteo Rizzo

Results: 9 comments by Matteo Rizzo

It would be useful to link to your blog post in the writeup (https://pwning.tech/nftables/) because some techniques like dirty pagedirectory are explained in more detail there. Also specifically regarding dirty...

Ah I see, yes now the diagram makes more sense. Yeah I don't really know how to make that clearer, maybe you could add the note from your latest comment...

Looks good, thanks for the submission

Hi, most of the exploit code is easy to understand but the trigger function is long, complicated and there are no comments to explain what each part is doing. Could...

What CPU did you test this on? Clearing the update (setting all quads to nop and all match registers to 0) works on some CPUs but it's entirely possible that...

Hi, the symbolic targets come from files like these: https://github.com/google/security-research/blob/master/pocs/cpus/entrysign/zentool/data/cpu8181_matchreg.json. We found that those addresses correspond to those instructions by trial and error or brute force scanning. If you would...

It's possible to patch any microcoded instructions as long as the address in the ROM where they are implemented is known. It's also possible to patch fastpath (non-microcoded) instructions...

It should apply to at least Zen 2 and newer but possibly all generations. We don't have any examples of how to use them I'm afraid, our understanding of them...

You need to extract the encryption key from a CPU (any of them, it's the same everywhere). We explained how to do that in our OffensiveCon presentation (near the end)...