Korona wrote:
The issue (for Meltdown) is that those selector CPL vs. PTE checks were not done during speculative execution. I don't know if anyone tested whether segment limit checks are done during speculative execution. So unless that's tested, it's not clear whether segmentation can mitigate the issue or not. (If you test it, feel free to post the results here, would be interesting to know.)
Meltdown is that these checks, which do happen on all CPUs (and which would be a huge bug if they didn't!), happened on the speculative path only to trigger the error if that case was actually executed. They were not used to determine whether to speculate further. That meant that you could leak the data loaded with the invalid load through a side-channel if you have one.
This is a 'simple' thing to fix - just stop speculative execution if an error has occurred. Not easy to retrofit, but easy enough for new machines, and of course AMD and other AMD64/X86_64 vendors don't have this problem because they didn't make that mistake to start with.
Spectre is much harder as it revolves around mistraining a BPB, BTB or similar structure to cause a wrong branch to be taken with sensitive data in another process, which the wrong branch then leaks through a side channel. Harder to abuse, but just about impossible to fix.
Retpoline locally disables the BTB. So you can't poison the BTB effectively any more, because it doesn't use it any more.
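To make the last point concrete, here is an added example (not code from either poster) of what a retpoline actually is: an indirect call rewritten so that the target is reached through a ret, whose prediction comes from the return stack buffer, rather than through an indirect jmp/call that the BTB would predict. The inner call pushes the address of a pause/lfence loop, so if the ret is mispredicted the CPU speculates into that harmless loop instead of a trained BTB target; architecturally the return address is overwritten with the real function pointer before the ret. The function and type names (op_fn, add_one, double_it, call_via_retpoline) are this example's own, and the inline assembly assumes x86-64 with GCC or Clang and the SysV calling convention; on other targets it falls back to a plain indirect call so the program still runs.

```c
#include <stdio.h>

/* Function-pointer type for the indirect call we want to protect (example name). */
typedef int (*op_fn)(int);

static int add_one(int x)   { return x + 1; }
static int double_it(int x) { return x * 2; }

/* Call fn(arg) through a retpoline thunk instead of a predicted indirect call.
 * x86-64 GCC/Clang only; elsewhere a plain indirect call is used. */
static int call_via_retpoline(op_fn fn, int arg)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    int result;
    int a = arg;                  /* passed in edi; fn may clobber it */
    __asm__ volatile(
        /* Move below the caller's red zone and 16-byte align rsp, as the
         * SysV ABI requires before a call; rbx keeps the original rsp. */
        "mov  %%rsp, %%rbx\n\t"
        "and  $-16, %%rsp\n\t"
        "sub  $128, %%rsp\n\t"
        "call 3f\n\t"             /* enter the thunk; fn's ret lands here */
        "jmp  4f\n\t"
        /* ---- retpoline thunk ---- */
        "3: call 2f\n\t"          /* push address of 1: (RSB now predicts 1:) */
        "1: pause\n\t"            /* speculative trap: spin here harmlessly */
        "   lfence\n\t"
        "   jmp 1b\n\t"
        "2: mov  %[fn], (%%rsp)\n\t" /* replace return address with fn */
        "   ret\n\t"              /* architecturally transfers control to fn */
        /* ---- end of thunk ---- */
        "4: mov  %%rbx, %%rsp\n\t"
        : "=&a"(result), "+D"(a)
        : [fn] "r"(fn)
        : "rbx", "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11",
          "memory", "cc");
    return result;
#else
    return fn(arg);
#endif
}

int main(void)
{
    printf("add_one(41)   -> %d\n", call_via_retpoline(add_one, 41));
    printf("double_it(21) -> %d\n", call_via_retpoline(double_it, 21));
    return 0;
}
```

The "call 2f / pause; lfence; jmp 1b / mov; ret" sequence is the shape compilers emit for -mretpoline / -mindirect-branch=thunk; the surrounding stack juggling is only there because this version lives in inline assembly inside a C function rather than in a dedicated thunk symbol.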