> -----Original Message-----
> From: Liran Alon [mailto:liran.a...@oracle.com]
> Sent: Thursday, January 25, 2018 6:50 PM
> To: Hansen, Dave <dave.han...@intel.com>
> Cc: labb...@redhat.com; l...@kernel.org; janakarajan.natara...@amd.com;
> torva...@linux-foundation.org; b...@suse.de; Mallick, Asit K
> <asit.k.mall...@intel.com>; rkrc...@redhat.com; karah...@amazon.de;
> h...@zytor.com; mi...@redhat.com; Nakajima, Jun
> <jun.nakaj...@intel.com>; x...@kernel.org; Raj, Ashok <ashok....@intel.com>;
> Van De Ven, Arjan <arjan.van.de....@intel.com>; tim.c.c...@linux.intel.com;
> pbonz...@redhat.com; a...@linux.intel.com; linux-kernel@vger.kernel.org;
> dw...@infradead.org; pet...@infradead.org; t...@linutronix.de;
> gre...@linuxfoundation.org; mhira...@kernel.org; ar...@linux.intel.com;
> thomas.lenda...@amd.com; Williams, Dan J <dan.j.willi...@intel.com>;
> j...@8bytes.org; k...@vger.kernel.org; aarca...@redhat.com
> Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation
>
>
> Google P0 blog-post
> (https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-memory-with-side.html)
> claims that BTB & BHB only use <31 low bits of the address of the source
> instruction to lookup into the BTB. In addition, it claims that the higher
> bits of the predicted destination change together with the higher bits of
> the source instruction.
>
> Therefore, it should be possible to leak the low bits of high prediction-mode
> code BTB/BHB entries from low prediction-mode code. Because the predicted
> destination address will reside in user-space.
>
> What am I missing?
I thought this email thread was about the RSB...