Re: How does knowing where imply knowing what?
Thanks - that took me a couple of re-reads but it helps a lot.
To save anyone else the re-reads, the key is the number 256, the number of values a byte can hold plus the memory accessed in the second step need not be protected memory.
1) Access kernel memory to put value in register.
2) Speculative execution subsystem tries to execute as if (1) was OK. It will then speculatively execute "memory access at address **in non privileged memory areas that we have legitimate access to** of which the register forms part of the resolved address (as an index/scale/whatever to a base address) that causes **one of 256** pages to be pulled into cache. It doesn't matter what data values are in these pages, nor which pages, as long as the pages are accessible to us and there are *exactly* 256 possible pages that could be accessed. It is the fact that the data values are now in cache that matters. They could be the number of fleas on your cat, number of bugs in the Pentium FPU, doesn't matter.
3) (1) faults due to privilege level. (2) Is "thrown away" as fault prevents the CPU getting to it "in the real world", **but the cache lines involved are not flushed**".
4) By using timing analysis to find out *which* page was cached, that's also the number in the register and that number was loaded from kernel memory and used in an index register of sorts **before (2) was thrown away**. Thus, you now know which number is in the address in kernel memory.
At least, that's how I read it in simple terms. Ouch!!