sr (nobody.delete@this.nowhere.com) on September 21, 2021 9:36 am wrote:
>
> Hey, did a quick look. Old good segmentation is back :D

I see the smiley, but segmentation never went away.

And no, it doesn't really fix the problems.

The issue is that fundamentally there is no advantage of a PLB/segmentation model over just having the permission in the TLB like people already do.

You have exactly the same latency issues, and in fact they can get much worse. For example, protected pointers or segments need to have a base register in addition to the credentials checking, so if you need any kind of fine-granularity thing (and for many uses of protected pointers, that is very much what you need), you have now added more problems to the truly critical path.

because now you can't even start the lookup based on the low bits of the address (or you can make the cache virtual in the segment too, and have the segment as part of indexing, and get yet another source of aliases you need to fix up).

And it doesn't even fix the permission problems. We considered using segmentation to fix Meltdown, but even the segment range check wasn't necessarily done early enough, so while it helped the data leak in some situations, it had the same fundamental issues that a TLB lookup did.

So even the "hey, now the security issues are trivial to look up" doesn't mean that they get looked up correctly. The problem was never the TLB. The problem was that side channels can be much subtler than the documented and clearly visible semantics.

IOW, a PLB/segmentation/protected pointers model doesn't help. There are no fundamental advantages over just a TLB lookup. And there are fundamental disadvantages - people just haven't hit them yet (or, in the case of segmentation, have just forgotten or are too young to have hit them, or are in total denial and going "I don't mean those kinds of segments, of course").

Yes, you can limit the problem set sufficiently that it is simpler and faster than a TLB, but then that simpler solution is so limited that you need it in addition to the TLB you have to have anyway (eg for cache misses). It might be the right thing to do, but it's most definitely not a given.

It's easy to say "TLB access is an issue" and then try to make up new things that you have never tested and have never implemented and say "this way it won't be an issue". You didn't solve the problems, you just made it so that now you don't know what the problems are any more because you changed the solution to something untested.

It's just moving the problem around, and making the solutions unknown.

(That's a class of "solutions" that is not limited to TLB's, of course. It's classic in software engineering - fixing big known problems, and just hitting even bigger problems because you ignored all the things that the first system did so well and concentrated only on the problems it had).

Linus