Intel Publishes Microcode Security Patches With No Benchmarks Or Profiling Allowed (theregister.co.uk) 373

Long-time Slashdot reader Bruce Perens writes: The Register reports that Debian is rejecting a new Intel microcode update because of a new license term prohibiting the use of the CPU for benchmarks and profiling.

There is a new license term applied to the new microcode: "You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results."

UPDATE: Intel has reworked the license to no longer prohibit benchmarking. Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, tweeted on Thursday: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."

The security fixes are known to significantly slow down Intel processors, which won't just disappoint customers and reduce the public regard of Intel, it will probably lead to lawsuits (if it hasn't already). Suddenly having processors that are perhaps 5% to 10% slower, if they are to be secure, is a significant damage to many companies that run server farms or provide cloud services. I'm not blaming Intel for this, I don't know if Intel could have foreseen the problem. Since some similar exploits have been discovered for AMD and ARM CPUs, the answer could be "no." But certainly customers are upset.

Another issue is whether the customer should install the fix at all. Many computer users don't allow outside or unprivileged users to run on their CPUs the way a cloud or hosting company does. For them, these side-channel and timing attacks are mostly irrelevant, and the slowdown incurred by installing the fix is unnecessary.

So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can't trust your components when you do that.
  • by Anonymous Coward on Wednesday August 22, 2018 @06:23PM (#57177298)

    with these security patches installed, m'ladies

    • Re: (Score:3, Interesting)

      by Z00L00K ( 682162 )

      Those that have security concerns are willing to take performance penalties, those that want performance usually don't worry too much about the security issues since the performance hunters are probably just running a single application anyway.

      What might be interesting is to be able to boot the computer in different modes - performance or security mode. The Turbo button revival!

      • Those that have security concerns are willing to take performance penalties, those that want performance usually don't worry too much about the security issues since the performance hunters are probably just running a single application anyway.

        What might be interesting is to be able to boot the computer in different modes - performance or security mode. The Turbo button revival!

        I love the idea! Although it would probably show the 5-10% slowdown is a real myth. I have a laptop that overall seems to have slowed down by about half.

        Now that's not "benchmarked", but apparent performance.

  • Intel. Just say no (Score:5, Insightful)

    by Anonymous Coward on Wednesday August 22, 2018 @06:26PM (#57177312)

    Making a bad situation, worse.

  • by Anonymous Coward on Wednesday August 22, 2018 @06:26PM (#57177316)

    And the bigger question why is he not posting spam and dups like the rest of slashdot editors?

  • Quick fix: (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Wednesday August 22, 2018 @06:27PM (#57177320)

    Only buy AMD.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Only buy POWER, BLOB free

    • by Tom ( 822 )

      Alternative fix: Someone in a country with a) a non-broken legal system or b) a legal system so broken that Intel can forget about enforcing its "license": Go collect and post the most comprehensive benchmark data you can possibly get.

  • by deviated_prevert ( 1146403 ) on Wednesday August 22, 2018 @06:28PM (#57177322) Journal
    You do not own a computer chip you are a slave to the software necessary for it to run which is locked down. HACK ON they deserve what they are about to reap! Reversing chips is how most of the locked down hardware was made available to Linux users for most of the early history of the kernel. Intel now wants a total lock down.... SCREW THEM
    • by Balial ( 39889 )

      You saw this coming but have no idea of the history behind microcode patches?

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      The microcode feature is there to help you, not enslave you. Silicon is forever. Patching it on your desktop after the fact is a god-send.

      Learn some history before you claim to have predicted the future.

      • Re: (Score:3, Interesting)

        You saw this coming but have no idea of the history behind microcode patches?

        https://en.wikipedia.org/wiki/... [wikipedia.org]

        The microcode feature is there to help you, not enslave you. Silicon is forever. Patching it on your desktop after the fact is a god-send.

        Learn some history before you claim to have predicted the future.

        With respect; the fight to keep alternative operating systems on PCs and servers is a long and storied history. Through the "hardware partner" cartel, win modems and finally the palladium initiatives culminating in locked bios that required key codes to load an OS. Linux has weathered the lockout exclusion storms that favor Microsoft and to a lesser extent Apple.

        The fact that Linux based servers still run huge portions of the servers that power the net is still a problem for Intel, in as much as Linux serv

  • by niittyniemi ( 740307 ) on Wednesday August 22, 2018 @06:30PM (#57177326) Homepage

    So Intel, as a condition of using your patch to fix the broken shit you sold us, you don't want us to use the patch to empirically determine just how broken your shit was, or else you'll sue us?

    I've got the message loud and clear: you're crooked dirtbags.

    I don't think I'll be sending any money your way in future.

    • by rsilvergun ( 571051 ) on Wednesday August 22, 2018 @06:44PM (#57177384)
      what I took away was "Go buy an AMD processor".
    • Re: (Score:3, Insightful)

      by r_pattonII ( 1960654 )
      The statement from Intel is translated as follows: "We really don't want the public to know how bad we screwed up so we are prohibiting you or anyone else to benchmark the issue before this patch and especially after the patch as we do not want our bottom line ($$$) tarnished by the bad publicity. Therefore since you are using cloud services and require speed this fix is supplied to you to keep your mouth shut about how bad we actually suck at providing quality code for our products. If you are not satis
      • by Anonymous Coward on Wednesday August 22, 2018 @07:01PM (#57177480)

        AMD: "We'll take 'em!"

        Intel just made my Streisand effect alarm break. They've screwed up the PR for this since it started. Bad updates, downplaying the severity of the issue, FUD, and now a gag order. You'd think they could handle this better, but I guess not. Rather, I'd say they are scared shitless right now. They've got another FDIV problem on their hands, nothing that will fix it without pain, and no true solution coming out the pipe for another year. Meanwhile their competition is out classing them in everything. Well almost everything, colossal PR nightmares, and bad security design isn't on their competition's roadmap. Reason to be scared indeed. I was already buying AMD exclusively over the AMT crap, but anyone buying Intel at this point is a complete idiot.

        • by SIGBUS ( 8236 )

          I have absolutely no regrets about going with AMD for all my recent builds. As lackluster as Bulldozer was, Ryzen (even my relatively pedestrian 1700) has been wonderful - and I'd even take Bulldozer over Meltdown, FUD, and gag orders any day.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        i want to see the best intel vs amd cpu benchmarks from the last 10 years to be rerun and for us to see how the difference between intel's best and amd's best looks now with all the patches and microcode updates installed. like x4-965 vs intel equivalent. stuff like this.
        i'm leaning towards the "intel processors routinely being 20% faster than amd cpu's at the same speed" to be more even, or possibly amd having the performance crown for all these years, it's just intel cheated so much it made their cpus look

    • by RhettLivingston ( 544140 ) on Wednesday August 22, 2018 @07:52PM (#57177702) Journal

      you're crooked dirtbags

      From the very start of this saga when Intel jumped the gun on the press release to make sure that it combined their main problem with another problem they shared with AMD in order to make it appear as though they were equally affected, Intel has been playing dirty - bordering on criminal - pool.

    • At this point I'm hoping the soon-to-be-announced low-cost MacBook will use Apple's own ARM CPU/GPU.

  • by Gravis Zero ( 934156 ) on Wednesday August 22, 2018 @06:39PM (#57177362)

    The reason they did this is because it slows performance to what I would call a painful crawl. I would post the benchmarks to quantify and prove it but it's not allowed.

    • by sinij ( 911942 )

      The reason they did this is because it slows performance to what I would call a painful crawl. I would post the benchmarks to quantify and prove it but it's not allowed.

      Painful crawl is slightly faster than a standstill, and slightly slower than molasses slow. So you did benchmark it and violated the agreement.

  • by bobstreo ( 1320787 ) on Wednesday August 22, 2018 @06:40PM (#57177366)

    "This time for sure!"

    I've had an AMD-64 microcode patch sitting in my update manager for a week or so. I think I'll wait a little longer to apply it,

      I don't like being the first wave of test monkeys.

  • Kudos (Score:5, Interesting)

    by jmccue ( 834797 ) on Wednesday August 22, 2018 @06:42PM (#57177376) Homepage

    Well kudos to Debian. I am very disappointed in seeing Red Hat and SUSE saying the licence is fine.

    Just goes to show you how close to Windows the big commercial Linux distros are moving.

    • by sinij ( 911942 )

      You are assuming they read the click-through agreement.

    • Re:Kudos (Score:5, Interesting)

      by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday August 22, 2018 @07:05PM (#57177494) Homepage Journal

      Actually, I've caught Red Hat in a number of legal mistakes where I've had to wake up one of their lawyers to the issue, because the engineer never consulted one. This might be that sort of thing, or whoever read the text didn't consider the implications. The microcode runs for every instruction, and as far as I can tell the prohibition applies to all use of the CPU. Don't ever provide or publish benchmarks, even for your own software, using this CPU to collect them.

      The lawyer who wrote the license obviously didn't walk through what the CPU actually does, and that the implication of the language would thus be larger than expected.

      • by AmiMoJo ( 196126 )

        Would the licence even apply to the end user? Will a licence agreement pop up on screen asking the user to agree to Intel's terms when they install a Red Hat OS or update one?

        Because it seems likely that the end user will never even hear about the patch, and innocently go run some benchmarks when they find their system has slowed to a crawl.

        Will be interesting to see how Microsoft handles it too. Someone is living in a fantasy world if they think people are going to stop benchmarking and posting the results

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday August 22, 2018 @06:44PM (#57177382) Homepage Journal
    I hope that the part of Intel with some sense will wake up to what that other part of Intel is doing and fix this, quickly. When there is a company that big, it has a multiple personality disorder. Obviously this time somebody didn't think through the implications of their legal language.
  • Wrong link (Score:5, Informative)

    by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday August 22, 2018 @06:56PM (#57177450) Homepage Journal
    The link at "a new license term" is to a license for a different product. I'm sure I didn't write that :-)
  • by ElizabethGreene ( 1185405 ) on Wednesday August 22, 2018 @06:56PM (#57177456)
    Someone at Intel might want to read about the Streisand effect [wikipedia.org].
  • Will I lose the right to use the CPU?
    • "You can use the CPU, bitch, but only the way WE tell you to use it". No doubt that's the fantasy Intel execs masturbate to every night before bed.

    • we can file a copyright claim / DMCA takedown or even press theft charges; some of our CPUs are over $1K-5K each so that is grand larceny.

      Now a real lawyer can kill that BS but some small guys may just back down vs $$$ to defending them from the big boys at Intel.

  • by KClaisse ( 1038258 ) on Wednesday August 22, 2018 @07:25PM (#57177568)
    So.....



    Anyone got a link to some benchmarks?
  • I already expected to see either a link here in /. or real data on the effect this code has on CPU performance. Maybe I'm looking in the wrong place.
  • There are much stronger consumer protection laws in many countries, the EU for example
  • a AMD CPU. Enjoy some benchmarks.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Techspot just published some very extensive benchmarks ( https://www.techspot.com/review/1683-linux-vs-windows-threadripper-vs-core-i9/ ) that make AMD's Threadripper 2990WX look significantly faster than Intel's i9-7980XE in a lot of the particular tests. Interestingly they did most (all?) of the tests with Linux and Windows 10 on both CPU's and Linux also seemed to do better to various degrees (a little to a lot).

      I suppose we could assume this patch will increase the AMD performance margin, depending on

  • nope (Score:4, Informative)

    by matushorvath ( 972424 ) on Wednesday August 22, 2018 @07:55PM (#57177712)

    "Many computer users don't allow outside or unprivileged users to run on their CPUs"

    Your browser is running some outside unprivileged JavaScript for almost every page you visit. One of the exploits was specifically described for JavaScript running in a browser.
    You don't even need to be able to execute code. Even code that would traditionally be considered harmless could potentially be used for side channel attacks if you e.g. control the input data. That invoice your ISP sent you as a PDF could potentially use a harmless piece of code inside Adobe Reader to do something harmful.
    The fact that it has not been demonstrated yet does not mean it can't be done.

    • I think that sentence was aimed at people who run their own data centers. Many of these computers (most?) don't even have a web browser installed.
    • Why would anyone bother with a novel approach to exploiting Adobe products when there are such a large number of known vulnerabilities to choose from?
    • Your browser is running some outside unprivileged JavaScript for almost every page you visit.

      Which would worry me if the browser ran that script long enough to build up a detailed profile of my machine, and then customised its own malware attack to make a side channel attack at all relevant.

      The reality is side channel attacks MUST be targeted at a specific system setup, or in many cases with modern OS security measures the actual specific currently running system with the hope it doesn't reboot at some point. Just because your browser executes Javascript doesn't mean anyone in their right mind wo

  • Vote against Intel's malarkey with your money.
  • Judge Laughs (Score:4, Interesting)

    by bill_mcgonigle ( 4333 ) * on Wednesday August 22, 2018 @08:40PM (#57177900) Homepage Journal

    So Intel is saying if you want to benchmark to decide if you want to join the class action, you can't provide a detailed reason that you're joining the class? Lawsuits are a matter of public record - a judge is going to laugh at that kind of restriction. How does Intel expect it's going to enforce this?

    Let's see a million people tweet their slowdown measurements and then it'll be Intel Legal's move. Somebody come up with the hashtag.

  • and will Intel force MS to turn this on in Windows even on AMD systems?

  • Not Legal (Score:4, Insightful)

    by SirAstral ( 1349985 ) on Wednesday August 22, 2018 @09:01PM (#57177970)

    You can ignore stupid shit like this. Intel can sue you for looking cross-eyed if they wanted to. It does not mean that they will win even if you lose everything defending yourself from it.

    No company can legally require a person this kind of performative obedience under any circumstance as a sold product like this. Additionally, there have already been cases where judges have rendered TOS/EULA agreements as total bullshit and unenforceable. Especially after a sale has already been completed, just look at the Sony Linux feature removal class action on the PS3 that cost them millions.

    That said, it could still be a nightmare to deal with but that is the nature of SLAPP lawsuits to begin with. The intention is not to win, but to financially drain you into a loss or to scare people... mainly the websites publishing benchmark data.

    One wrong move by Intel and they will be facing the same kind of fucking class action lawsuit themselves. Everyone should slap so many fucking benchmarks online that Intel's heads spin!

    • Re:Not Legal (Score:4, Interesting)

      by cstacy ( 534252 ) on Thursday August 23, 2018 @12:00AM (#57178412)

      No company can legally require a person this kind of performative obedience under any circumstance as a sold product like this.

      Of course a company can enter into a contract with you that says you can't publish performance specs for their product. So I am going to assume that you mean to say that it's about a product they PREVIOUSLY sold you. The thing is, Intel did NOT previously sell you this microcode update.

      The contract is that Intel will provide you this new microcode update, which is software, but that your license to use it will be restricted. (Specifically that you can't run this software on a computer for the purpose of benchmarking it, and that you won't publish such a benchmark.)

      I don't see any legal problem with that contract.

      It doesn't make Intel look good, but if you don't like the deal, then don't install the software.

      Additionally, there have already been cases where judges have rendered TOS/EULA agreements as total bullshit and unenforceable.

      If you cannot read the "By downloading, you agree..." license terms BEFORE downloading, then you have a shrink-wrap license problem. (By the way, shrink-wrap licenses are still upheld in some states such as Maryland and Virginia.) Even if there's a shrink-wrap issue, though, it is fairly obvious that INSTALLING the software after downloading and reading the accompanying license would constitute agreement to the terms.

      Especially after a sale has already been completed, just look at the Sony Linux feature removal class action on the PS3 that cost them millions

      That case was different than this. In the PS3 case, Sony removed access to their online gaming network, thereby crippling the box. Here, Intel is not removing access to anything: if you don't like the terms, then don't install the microcode update, and your computer will continue to function exactly as it did before, with all the same capabilities (and bugs) intact. Which is the point.

      I expect the benchmarks will be out soon and all over the place, published in ways that make it impossible to figure out who to sue. Then, these benchmarks will be reported all over the place by people who never downloaded or installed or agreed to any of the license terms, and in fact did not perform any benchmarking themselves. Just published some results from some other shadowy people who cannot be sued.

  • Could be a mistake (Score:4, Informative)

    by viperidaenz ( 2515578 ) on Wednesday August 22, 2018 @09:39PM (#57178070)

    The license also mentions NDA's and Pre-Release agreements

    Looks like license they would include with pre-release/beta software.

    7. CONFIDENTIALITY. The terms and conditions of this Agreement, exchanged
    confidential information, as well as the Software are subject to the terms and
    conditions of the Non-Disclosure Agreement(s) or Intel Pre-Release Loan
    Agreement(s) (referred to herein collectively or individually as "NDA") entered
    into by and in force between Intel and You, and in any case no less
    confidentiality protection than You apply to Your information of similar
    sensitivity. If You would like to have a contractor perform work on Your behalf
    that requires any access to or use of Software, You must obtain a written
    confidentiality agreement from the contractor which contains terms and
    conditions with respect to access to or use of Software no less restrictive
    than those set forth in this Agreement, excluding any distribution rights and
    use for any other purpose, and You will remain fully liable to Intel for the
    actions and inactions of those contractors. You may not use Intel's name in any
    publications, advertisements, or other announcements without Intel's prior
    written consent.

    • by jrumney ( 197329 )
      I thought the following terms from TFS were a bit off for a production release.

      You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; ... (iii) use or make the Software available for the use or benefit of third parties;

      Never mind the benchmark clause, there is no way I would expect Debian, Microsoft, or anyone else to start shipping code that has those clauses in the license terms.

  • so run SUSE, Arch, and Red Hat and lose the right to bench your own systems?
    I don't think that yum update can show an EULA or even an YUM update -y && reboot can stop and force you to read it.

  • Whoops (Score:5, Funny)

    by Tough Love ( 215404 ) on Wednesday August 22, 2018 @10:25PM (#57178208)

    Whoops, this is basically an ad for Ryzen.

  • How can Microsoft deploy this microcode to customers without banning benchmarking under Windows? Are they just betting Intel isn't going to sue them?

  • by technosaurus ( 1704630 ) on Wednesday August 22, 2018 @11:25PM (#57178334)
    Since you cannot run the benchmark (in this case due to legal restrictions) just write FAIL* next to it. Then put the actual values for AMD, VIA and DMP CPUs. Once a few dozen articles get published where even DMP beats Intel's most expensive chips, they will wake up.

    * FAIL means that the chip was unable to complete the benchmark due to faulty engineering or legal restrictions.
  • Phoronix (Score:5, Informative)

    by Meneth ( 872868 ) on Thursday August 23, 2018 @05:20AM (#57179120)
    Phoronix seems to have disregarded that part and published some benchmarks anyway. https://www.phoronix.com/scan.... [phoronix.com]
    • Phoronix seems to have disregarded that part and published some benchmarks anyway. https://www.phoronix.com/scan.... [phoronix.com]

      Read the license. It does not restrict the publication of benchmarks. It restricts the OS vendors from publishing benchmarks directly. Not cool on Intel's part. But nowhere does the license prevent anyone from running benchmarks. That would be impossible to control and completely impossible to enforce.

  • by dwheeler ( 321049 ) on Thursday August 23, 2018 @02:28PM (#57182068) Homepage Journal
    Contract clauses that forbid benchmark publication (unless the vendor likes them) are called DeWitt clauses. The clause was originally created to squelch database research being performed by Dr. David DeWitt. These should be illegal, but Oracle certainly rigorously enforces them. There was a law passed in 2016 that prevented similar problems for Yelp, but DeWitt clauses haven't been struck down yet (and should be). See my post, "The DeWitt clause’s censorship should be illegal" by David A. Wheeler (2017-06-25): https://www.dwheeler.com/essay... [dwheeler.com]
