cva6
Is it possible for CVA6 to be attacked by Meltdown?
Hi, I am trying to implement the Meltdown attack on CVA6, but I have some problems.
The purpose of the meltdown attack is to try to use the load instruction to access data with illegal permissions, and to leak the data through a cache-based side channel. Therefore, we must find a way to delay the processing of exceptions so that there is time to leak data with illegal permissions.
According to the CVA6 documentation, the architecture of CVA6 is in-order issue, OoO write-back and in-order commit, and CVA6 only handles exceptions in the commit stage. So I think this architecture may be at risk of a Meltdown attack.
Below is the simple assembly code segment I am trying to execute:
    fdiv.s fa6, fa4, fa5   // to delay the commit of the exception
    ld     s1, 0(s1)       // load data with illegal permissions (will cause the exception)
    add    s3, s2, s1
    ld     s2, 0(s3)       // leak the data through a cache-based side channel
Since the execution time of the fdiv.s instruction is not long enough, the exception is committed before the data is successfully leaked. I tried to use other instructions such as div to delay the commit of the exception, but the add instruction will not be issued by the issue unit because the execution unit is occupied by div, as shown below.
    always_comb begin : unit_busy
      unique case (issue_instr_i.fu)
        NONE:
          fu_busy = 1'b0;
        ALU, CTRL_FLOW, CSR, MULT:
          fu_busy = ~flu_ready_i;
        FPU, FPU_VEC:
          fu_busy = ~fpu_ready_i;
        LOAD, STORE:
          fu_busy = ~lsu_ready_i;
        CVXIF:
          fu_busy = ~cvxif_ready_i;
        default:
          fu_busy = 1'b0;
      endcase
    end
Is there any other instruction whose execution time is longer than fdiv.s and which will not conflict with the resources of the add instruction and the load instruction? Or are there other reasons why CVA6 is not at risk from a Meltdown attack?