
I am wondering if an instruction or sequence of instructions in x86 assembly exists to flush the entire L1I and L1D caches of the CPU executing the instruction. Specifically, I am looking for the non-privileged cache equivalent to the instruction MOV to CR0 (changing CR0.PG from 1 to 0) that flushes all TLBs (including global ones). My goal is to flush these caches for security reasons and add them to other assembly instruction routines.

ballsmahoney
  • There is no user-mode instruction to invalidate a TLB entry. You could exploit the fact that a page fault invalidates the TLB entries associated with the faulting address but it would be a long and expensive process unless you can restrict the range. Another way is to simply pollute the TLB with dummy translations. For the L1 you can either use the pollution approach or flush each line, I guess – Margaret Bloom Jun 27 '21 at 14:01
  • How exactly could I use the page fault invalidating TLB entries to flush all TLB entries? It sounds like it would be easier to flush the entire cache using C or C++ than trying the pollution approach or flushing each line one by one strictly in assembly. Is this correct? – ballsmahoney Jun 27 '21 at 14:58
  • The idea is to make every page fault, for example by making them RO (when they exist) and writing to them. But as I said, that's just theoretical. The pollution/clflush approach for L1 is feasible thanks to the small size of L1. In short, there is no instruction (I'm aware of) that flushes the entire L1 and no user-mode instruction to invalidate the TLB. You have to be creative. Maybe someone will shed more light on this problem. – Margaret Bloom Jun 27 '21 at 15:07
  • 1
    No, there's only `wbinv` which is privileged (and flushes *all* data caches system-wide), and putting this CPU core into a really deep level of sleep with `mwait` which is also privileged (flushes all caches on this core, including L2, so it can power down the core). (upcoming `umwait` extension doesn't allow user-mode to initiate that deep a C-state). Otherwise as @Margaret says, only unprivileged option is triggering pseudo-LRU eviction via pollution. And that's for data, not TLB. – Peter Cordes Jun 27 '21 at 15:46
  • 1
    "My goal is to flush these caches for security reasons" makes me wonder what kind of malware you're writing - some kind of denial of service attack (ruining the performance of everything you have no right to access directly), some kind of side-channel exploit (flush the caches so that it's much easier to tell which cache lines the code you're attacking touched), or maybe a variation on the "row hammer" theme? – Brendan Jun 27 '21 at 16:01
  • @PeterCordes Thank you for the reply. You said triggering eviction will work for data L1 cache (and not instruction I'm assuming), but not the TLB. So is it not possible to do something similar with the TLBs? – ballsmahoney Jun 27 '21 at 16:31
  • Obviously you can touch a lot of pages to make it likely that older TLB entries get evicted. Or mprotect can force the kernel to invalidate a TLB entry for a page or range of pages. I also wanted to make the point that `mov` to CR3, or more insanely toggling paging off and on, will only affect TLBs, but in the rest of your question you were talking about non-TLB caches. – Peter Cordes Jun 27 '21 at 16:54
  • @PeterCordes Thanks again for the reply. CR0 also contains a CD (Cache Disable) bit. What would toggling the cache disable bit do? I assume you would lose all data in the caches (thus needing to writeback everything first). And if this is a multiprocessor would it only disable the caches local to the CPU toggling the CD control register bit? – ballsmahoney Jun 27 '21 at 17:03
  • @ballsmahoney: Setting the "CD" bit doesn't flush existing cache entries. It's also called "no fill mode". See [How to explicitly load a structure into L1d cache?](https://stackoverflow.com/q/66772632) for one consequence of using it with the system already up and running. Also [How Does BIOS initialize DRAM?](https://stackoverflow.com/q/63159663) for more about this "cache as RAM" mode. – Peter Cordes Jun 27 '21 at 18:41
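The three unprivileged, best-effort techniques the comments describe (`clflush` line by line on a buffer you own, evicting L1d by pollution, and using `mprotect` to make the kernel invalidate the translations for a range) put together as an added example for Linux/x86. This is not code from the question or from any commenter. The 48 KiB L1d size, the 64-byte line, the function names, and the reliance on Linux flushing the TLB range on a permission change are assumptions; none of this is equivalent to the privileged `wbinvd`, and nothing here touches L1i.

```c
/* Added example (not from the original thread): user-mode approximations of
 * "flush L1d" and "invalidate my TLB entries" on Linux/x86.
 * Assumptions: 64-byte lines, a 48 KiB L1d, and that mprotect() on Linux
 * flushes the TLB for the range whose PTEs it changes. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CACHE_LINE 64
#define L1D_ASSUMED_BYTES (48 * 1024)   /* assumption; 32 KiB is also common */

/* CLFLUSH is not privileged on x86; on other ISAs this example does nothing. */
static inline void flush_line(const void *p)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" :: "r"(p) : "memory");
#else
    (void)p;
#endif
}

/* Flush every line overlapping [buf, buf+len) from all cache levels.
 * Only lines you can name are flushed; this is Margaret's "flush each line".
 * Returns the number of lines flushed. */
size_t flush_buffer(const void *buf, size_t len)
{
    uintptr_t start = (uintptr_t)buf & ~(uintptr_t)(CACHE_LINE - 1);
    uintptr_t end = (uintptr_t)buf + len;
    size_t n = 0;
    for (uintptr_t p = start; p < end; p += CACHE_LINE, n++)
        flush_line((const void *)p);
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("mfence" ::: "memory");  /* clflush is weakly ordered */
#endif
    return n;
}

/* Evict L1d by pollution: write one byte per line over a buffer four times the
 * assumed L1d size, twice, so every set sees far more new lines than it has
 * ways and pseudo-LRU pushes the old contents out. Probabilistic, not a
 * guarantee. Returns lines touched (the volatile stores cannot be elided). */
size_t pollute_l1d(void)
{
    size_t len = 4 * L1D_ASSUMED_BYTES;
    void *scratch = NULL;
    if (posix_memalign(&scratch, CACHE_LINE, len) != 0) return 0;
    volatile unsigned char *v = scratch;
    size_t touched = 0;
    for (int pass = 0; pass < 2; pass++)
        for (size_t off = 0; off < len; off += CACHE_LINE, touched++)
            v[off] = (unsigned char)off;
    free(scratch);
    return touched;
}

/* Force the kernel to invalidate TLB entries for [addr, addr+len): drop all
 * permissions, then restore `prot`. Both calls change the PTEs, so Linux must
 * flush the stale translations (a shootdown on every core running us).
 * addr/len must be page-aligned. Returns 0 on success, -1 on error. */
int shootdown_range(void *addr, size_t len, int prot)
{
    if (mprotect(addr, len, PROT_NONE) != 0) return -1;
    if (mprotect(addr, len, prot) != 0) return -1;
    return 0;
}

/* Exercise all three on one private page. Returns 0 on success, else the
 * number of the step that failed. */
int demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return 1;
    size_t len = (size_t)page;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 2;
    memset(p, 0xA5, len);                         /* fill lines and TLB entry */
    if (flush_buffer(p, len) != len / CACHE_LINE) return 3;
    if (shootdown_range(p, len, PROT_READ | PROT_WRITE) != 0) return 4;
    if (p[0] != 0xA5 || p[len - 1] != 0xA5) return 5;  /* data survives, cache/TLB state does not */
    munmap(p, len);
    return 0;
}

int main(void)
{
    printf("demo: %d (0 = ok)\n", demo());
    printf("pollution touched %zu lines\n", pollute_l1d());
    return 0;
}
```

Note what each piece does and does not give you: `clflush` is exact but only for memory you own and can enumerate, pollution is probabilistic and depends on the real associativity and on L1d being indexed by the low address bits, and the `mprotect` path invalidates only the range you name and costs two system calls plus a cross-core shootdown. The instruction cache is untouched by all three, matching the comments above that there is no unprivileged way to flush L1i.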

0 Answers