> The ARM reference design offers a guarantee that such side channels don't exist.
Nonsense. All modern CPUs have speculative execution side channels by nature. The only way to protect against these attacks is to change how we write software to insert speculation barriers in security-critical code paths.
The difference is that Intel doesn't just have speculative execution side channels, they had a pile of critical *security domain crossing* speculative execution side channels. All CPUs can leak data in speculation from your process into the side channel (which might be monitored by another process), but Intel has a pile of bugs which can leak data from *a completely different, innocent process*, or even the kernel (meltdown), or a VM hypervisor (L1TF). Those aren't inherent in CPU design, those are a result of what is clearly a major culture issue inside Intel.
> Spectre and Meltdown bed to differ.
Spectre and Meltdown are not covert channel issues. Spectre is a collection of speculative execution *side channel* issues, and Meltdown is a privilege domain crossing speculative execution *side channel* (the only one that hit other CPUs as well as Intel IIRC; other than Meltdown I think Intel has a monopoly on goofs this bad, e.g. L1TF). Covert channels are not the same thing as side channels, as they require cooperation from both sides.
Not only that, 0% of the effort has to do with the GNU part. The article title is accurate in using the term Linux. You get the kernel to run, then you grab a binary userspace from your favorite distro. Linux is what matters. The rest follows automatically because it is barely hardware specific if at all.
You only port GNU/Linux once to any given architecture. After that, all devices using the same architecture only require porting Linux to them.
Yes, because when I put Linux on a PS4 I certainly didn't spend several months figuring out how to write hardware-specific Linux components for the PS4.
But hey, I guess GitHub is some shady website that serves shady black box binaries, and implementing kexec as a hot-patchable module for the FreeBSD kernel is a decidedly shady technique. Right.
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn