Hi, I was wondering if anyone was able to get a PoC for Spectre v2/BTB working on gem5. I was able to get Spectre v1 and ret2spec to work, but not Spectre v2. I tried multiple PoCs, cache thresholds, and gem5 configurations (both se and fs; with different branch predictors) but none seem to work. The problem is that the misspeculated gadget is not executed, not that the flush+reload channel does not work. This is supported by the fact that the other working variants use the same flush+reload code and parameters. Here are the PoCs I tried, all on x86: * Spectre v2/BTB (all not working): * https://github.com/Anton-Cao/spectrev2-poc * https://github.com/IAIK/transientfail/tree/master/pocs/spectre/BTB/sa_ip * https://github.com/google/safeside/blob/main/demos/spectre_v1_btb_sa.cc * Spectre v1/PHT: * https://github.com/Eugnis/spectre-attack (working) * https://github.com/IAIK/transientfail/tree/master/pocs/spectre/PHT/sa_ip (working but fails with some branch predictors) * https://github.com/google/safeside/blob/main/demos/spectre_v1_pht_sa.cc (working) * ret2spec: * https://github.com/google/safeside/blob/main/demos/ret2spec_sa.cc (working) Any help would be appreciated. Thank you. Best, Hossam