By: Chester (lamchester.delete@this.gmail.com), January 7, 2021 4:19 pm
Room: Moderated Discussions
Linus Torvalds (torvalds.delete@this.linux-foundation.org) on January 7, 2021 10:04 am wrote:
> Chester (lamchester.delete@this.gmail.com) on January 7, 2021 5:00 am wrote:
> > > Linus
> >
> > Except if we're talking about malicious attacks, researchers figured out they could flip three bits
> > and cause an undetectable error.
>
> BS.
>
> They could do so only by causing a lot of single-bit flips
>
> Why is this so hard to understand? ECC would detect the attack.
> It really is that simple, and that's a fundamental fact.
>
> People who argue about undetectable 3-bit flips are incompetent and don't understand
> what they are talking about. They are either actively trying to be bad actors,
> or they have bought into the fairy tale from the bad actors.
>
> And yes, in some theoretical universe you could have a single 3-bit flip without getting any single-bit
> flips. Anything can happen in theory. But that's like worrying about a meteorite targeting you
> personally. It's simply not a realistic worry, and it's not an argument against ECC.
>
> Do you argue against airbags because they wouldn't save
> you from being killed in your car by a stray meteorite?
>
> Can you really not see how stupid your argument is?
>
> Linus
I'm not arguing against airbags because they won't stop a stray meteorite. I'm arguing against driving at 100 MPH because airbags will (maybe) save you. Notice people didn't create bit flips in L1D (also ECC protected), even though that's a lot easier to hammer than ECC DRAM. L1D is designed to handle very frequent accesses to the same rows. DRAM is not, because of caches.
So, we need the same standard from DRAM: it needs to handle frequent accesses without bit flips the way cache does, regardless of whether it has ECC.
About theory vs reality, this site claims they can pull off an attack in 32 minutes when bit flips are observable (because once a bit flips and ECC detects it, latency increases). Of course you have to draw the line somewhere and some attacks are so remote or take so long that you just don't bother. But I'm not sure I'd draw that line below 32 minutes.
And of course ECC would log bit flips and hint such an attack happened, but an attacker would have elevated privileges by the time you found out. That's why I think tightening refresh timings is a much better way of raising the bar.
As for the regular consumer case, I agree there should be a choice between ECC or not, and AMD's on the right path. But I suspect most consumers wouldn't bother paying even a little extra for ECC.
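The exchange above turns on how a SECDED code treats one, two and three flipped bits in the same word. This is an added example, not part of the original posts: it uses a textbook extended Hamming (72,64) code, which is an assumption, since real memory controllers may use a different code, and it exhaustively tallies what the decoder reports for every flip pattern.

```python
from itertools import combinations

N = 72                       # bit 0: overall parity, bits 1..71: Hamming code
PARITY_POS = [1, 2, 4, 8, 16, 32, 64]
DATA_POS = [p for p in range(1, N) if p not in PARITY_POS]   # 64 data bits

def syndrome(cw):
    """XOR of the positions (1..71) of all set bits; 0 for a valid codeword."""
    syn = 0
    for p in range(1, N):
        syn ^= p * ((cw >> p) & 1)
    return syn

def encode(data):
    cw = 0
    for i, p in enumerate(DATA_POS):
        cw |= ((data >> i) & 1) << p
    syn = syndrome(cw)
    for k, p in enumerate(PARITY_POS):     # check bit 2**k cancels syndrome bit k
        cw |= ((syn >> k) & 1) << p
    return cw | (bin(cw).count("1") & 1)   # bit 0 makes the total parity even

def decode(cw):
    """Return (status, data) as a SECDED decoder would report them."""
    syn, odd = syndrome(cw), bin(cw).count("1") & 1
    if syn == 0 and not odd:
        status = "clean"
    elif odd and syn < N:                  # looks like one flipped bit: fix it
        cw ^= 1 << syn
        status = "corrected"
    else:                                  # double error or impossible position
        status = "uncorrectable"
    return status, sum(((cw >> p) & 1) << i for i, p in enumerate(DATA_POS))

def outcomes(data, nflips):
    """Decode every pattern of nflips flipped bits and tally what is reported."""
    good, tally = encode(data), {}
    for flips in combinations(range(N), nflips):
        bad = good
        for p in flips:
            bad ^= 1 << p
        status, out = decode(bad)
        if status != "uncorrectable" and out != data:
            status = "silent:" + status    # wrong data returned, no error raised
        tally[status] = tally.get(status, 0) + 1
    return tally

if __name__ == "__main__":
    for n in (1, 2, 3):                    # constructed sample data word below
        print(n, "flipped bits:", outcomes(0xDEADBEEFCAFEF00D, n))
```

In this model a miscorrected three-bit pattern is still reported as a corrected error, so it reaches the error log while the data returned is wrong.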