Evict cache line without clflush

Question

I want to implement EVICT+RELOAD based on Yarom and Falkner's FLUSH+RELOAD attack but without using the clflush instruction to evict data from the caches.

I have a rough understanding of cache lines and pages, e.g., this post explains it concisely. I know cache lines are the smallest units in a cache. On my system, a cache line has 64 bytes. A memory page refers to a fixed-length contiguous block of virtual memory.

However, I do not really understand how to achieve it. It is clear to me that I need to overwrite the existing data in the cache. Also, I know that the cache is filled up based on the accessed addresses. But how can I selectively overwrite a specific cache line if caching works transparently?

// Addendum

A post to the question Is there a way to flush the entire CPU cache related to a program? also mentions that evictions is a strategy to remove data from the cache: "Or of course creating conflict evictions for known L1d size and associativity, like writing to multiple lines at multiples of 4kiB which all map to the same set in a 32k / 8-way L1d." But it does not provide any details on how to accomplish it.

Answer 1

Depending on the specific cache design, only certain cache lines in memory can fit into certain groups of cache lines ("sets") in the cache.

For example, perhaps the same byte on each page always goes into the same cache set (bytes 64-127 always go into cache set 1). In this case, if you wanted to evict it, you would access bytes 64-127 from page 0, bytes 64-127 from page 1, bytes 64-127 from page 2, bytes 64-127 from page 3, ... up to the number of cache lines in the set. And then you know that bytes 64-127 from page 100 aren't in the cache any more, because you just filled up the cache set where they would've been with different bytes.