OpenBSD's De Raadt Pans 'Incredibly Bad' Disclsoure of Intel CPU Bug

troublemaker_23 quotes ITWire: Disclosure of the Meltdown and Spectre vulnerabilities, which affect mainly Intel CPUs, was handled "in an incredibly bad way" by both Intel and Google, the leader of the OpenBSD project Theo de Raadt claims. "Only Tier-1 companies received advance information, and that is not responsible disclosure -- it is selective disclosure," De Raadt told iTWire in response to queries. "Everyone below Tier-1 has just gotten screwed."
In the interview de Raadt also faults intel for moving too fast in an attempt to beat their competition. "There are papers about the risky side-effects of speculative loads -- people knew... Intel engineers attended the same conferences as other company engineers, and read the same papers about performance enhancing strategies -- so it is hard to believe they ignored the risky aspects. I bet they were instructed to ignore the risk."

He points out this will make it more difficult to develop kernel software, since "Suddenly the trickiest parts of a kernel need to do backflips to cope with problems deep in the micro-architecture." And he also complains that Intel "has been exceedingly clever to mix Meltdown (speculative loads) with a separate issue (Spectre). This is pulling the wool over the public's eyes..."

"It is a scandal, and I want repaired processors for free."

"I want repaired processors for free"

[Lisandro]

You know, he's not wrong. This is, in impact, way bigger than Intel's FDIV fiasco and that ended up in recalls.

Re: "I want repaired processors for free"

How far does the recall go? Should there just be a recall for Meltdown, or does that also extend to Spectre?

There wasn't a software workaround for the FDIV bug, which is why there was a recall. The F00F bug did have a software workaround, which is why there wasn't a recall for that bug. Meltdown also has a software workaround, though one with a potentially significant performance hit. Meltdown seems more like the F00F bug in that respect. Arguably, Spectre is a better candidate for a recall than Meltdown. Although there is a software workaround for it (see retopline), it cannot be implemented just by patching the operating system.

The problem here is that some of these features were designed over 20 years ago, when security wasn't as much of a priority. The feature worked and didn't present obvious security issues, so nobody tried to fix what didn't seem to be broken. It wouldn't surprise me at all if many other potentially serious vulnerabilities were lurking in hardware.

Re:"I want repaired processors for free"

[TheDarkMaster]

Replaced/repaired, not free. Having said that the problem will be how to replace processors that have become obsolete and therefore out of the market, and where you can not simply replace all the associated hardware to pick up a current and patched processor. And I suspect that most of those who can change the associated hardware will simply migrate to AMD instead of taking another Intel.

Re:"I want repaired processors for free"

[thegarbz]

Isn't he? Firstly clearly the distribution was too wide as it was given there was a moratorium on disclosure scheduled for tomorrow to allow all patching to be in place in advance.

Secondly he has in the past jumped the gun on responsible disclosure, parroting OpenBSD as the secure alternative patting himself on the back for being the first.

Thirdly there are multiple groups now that refuse to work with him for this very reason. The OpenSSL team also disclosed to others before OpenBSD for the same reason.

He shat in his bed, and now is complaining that he has to sleep in it.

Re:"I want repaired processors for free"

[Hal_Porter]

Oh I agree 1000%. It's not a freebie, it's Intel living up to the implicit contract to provide a CPU with the performance it was benchmarked when I bought it and not allow user mode stuff to read kernel memory.

In the UK you could make an argument that a processor with that bug was 'not fit for purpose'. Of course it's in the US that a class action suit has the highest chance of success and outside the US Intel will probably follow the US lead.

It'll be interesting to watch. Then again all my Intel chips are soldered to laptop motherboards. And rather elderly laptops at that - it's not like I'm going to convince Intel to convince Asus and Apple to recall motherboards that are out of warranty and do BGA rework to replace the CPUs.

However if I had machines with socketed CPUs and I was in the US I'd join a class action suit. Mind you Intel will presumably claim KPTI and its equivalents on Windows and macOS fix the security problem and any change in performance doesn't violate any sort of contractual agreement. Which they may or may not get away with. I think they probably will.

Re:"I want repaired processors for free"

[nctritech]

A recall of every CPU since 2006 would decimate (if the recall isn't heavily utilized) or likely even bankrupt Intel. The Core 2 generation is the oldest practical Intel CPU (yes, I know this is a subjective statement, thus "practical") on which you can run Windows 10 and modern software. Every computer running Windows 10 and an Intel chip would need CPU replacement. We are talking quite literally several billion processors since Intel sells a few hundred million per year. Intel's market cap is over 200 billion dollars, but even if they were expected to replace 1 billion $100 processors that's half of the company's value. Since we're talking about 11 years worth of processors there is potential for the number to be more like 3-4 billion processors. This is purely the financial side and ignores all of the logistics which would be a totally separate nightmare. Intel is incapable of manufacturing anywhere close to that many processors in a year ESPECIALLY if they continue to sell new processors while doing the recall.

Intel simply cannot afford to recall all affected processors. Do not expect it to happen because it won't. They will obscurity-by-corporate-speak their way out of this in a way that could make Enron's obfuscated lies look tame. If there were no software mitigation they would have few straws to grasp at, but the OS workarounds give them a tiny escape door and you better believe that they'll hire a whole crew of bulldozers to force this massve elephant through it.

Re:"I want repaired processors for free"

[AmiMoJo]

Some people are seeing >50% performance loss. Take a look at this graph: https://www.epicgames.com/fort...

Clearly they are going to need to spend some serious cash on upgrading their servers. The thread is full of players who can't connect.

Interestingly Intel's CPU data pages contain benchmarks. It will be interesting to see if they update them.

Re:"I want repaired processors for free"

[MSG]

How do you expect patching to be in place in advance for OpenBSD if the kernel developers weren't notified?

You're missing the point. The OpenBSD team would be notified if they cooperated with the temporary embargoes that are in place to provide vendors time to patch before attacks are developed and deployed. They haven't, in the past, so they're no longer in the group that gets advance notice.

Re:"I want repaired processors for free"

[thegarbz]

You largely validated his posting with this one sentence. This is exactly what he's complaining about.

And if you don't take that sentence out of context you'll have seen the point. What happened to OpenBSD and Theo is the fault of precisely one person: Theo.

Hell when we discussed this on Slashdot there were a lot of posters saying that Theo's actions at the time would hurt the OpenBSD community as people would not disclose the vulnerabilities to them. Looks like they were right too.

I agree the OpenBSD community is in a bad place. I also agree with Theo, but only in that his actions have spoken louder than his words.

Re:"I want repaired processors for free"

[networkBoy]

Bwahahahahaaaa
it doesn't work that way at all.

Old designs would be for different process technologies. As the tech changes the DRCs (Design rule checks) change as well.

You can't run a design on a process it wasn't made for, the resulting product simply won't work correctly (if at all).

If the CPU was designed for a gate width of 35nM then it was designed with biasing around that gate width's leakage. If you then try to spin that part on a 14nM fab the biasing of the gates is all wrong and it will (likely catch fire) not work at all because of such high leakage.

Additionally, price doesn't scale the way you imply. A wafer start costs about $1K. Doesn't matter what process you run on it (it does, but not really all that much). The cost per part is based on the number of functional parts per wafer at the end. Thus going from an 8 to a 12 inch wafer lowers cost even though the process change requires a $2.2bn fab to be built, you have gone from 201 sq inches to 452 square inches, over *double* the yield.
Same thing from process shrinks, you cut the area used by your transistor gates and you make the die smaller, then you can fit more on a wafer.

Thing is, Intel may not even have fabs capable of making the older parts any more, even if they wanted to. Process tech has evolved, IDK if they even have an 8" fabs left...

To just "redesign" the part for the new process is not realistic either.

TLDR: To make an old part will cost the same or more than it did when it was the latest and greatest.

Re:Disagree

[TheRaven64]

That doesn't explain why FreeBSD wasn't notified until 5-6 months after Intel and ARM knew about the issue and until after Apple had shipped a patch. It also wasn't helped that there was no real coordination in releases. Apple shipped a binary update and there were patches in the Linux tree containing mitigation before the official end of the embargo period.

Re:Freedom demands Open Hardware also

[Wootery]

This is a question of quality, not idealism and perverse incentives.

We aren't talking about IME here. You seem to be blindly assuming that Open hardware is always free of faults.

Re:"I bet they were instructed to ignore the risk"

[lucasnate1]

Funny, both me and my friend worked at companies where we were told to ignore risk. Why would intel be different?

He and Linus are Spot On

[segedunum]

This has been extremely worrying. What's more worrying are the number of 'security researchers' regurgitating Intel's bullshit verbatim. We have yet to fully see the fallout from this.

He's also dead right in that Intel has been mixing up the two issues, Meltdown and Spectre, deliberately, so they could tell everyone that it wasn't just Intel that was affected, and they also gave the impression that Spectre had been fixed when it was Meltdown that had been mitigated - with a patch that creates unacceptable performance problems, to a lesser or a greater extent.

Yes, all processor manufacturers are affected by Spectre, but it is Intel that is mostly affected because they implemented speculative loads badly without much attempt at segregation. They've also attempted to pass this off as 'historical architectural decisions we can do nothing about, but it is working as designed'.

Re:He and Linus are Spot On

[OneAhead]

He's also dead right in that Intel has been mixing up the two issues, Meltdown and Spectre, deliberately, so they could tell everyone that it wasn't just Intel that was affected, and they also gave the impression that Spectre had been fixed when it was Meltdown that had been mitigated - with a patch that creates unacceptable performance problems, to a lesser or a greater extent.

This, in spades. While Theo De Raadt is not my favorite IT personality, the mixing together of the issues (actually 3 of them!) has made it exceedingly hard for someone who isn't familiar with the inner working of modern CPU architectures to get the story straight, and Mr. De Raadt gets kudos for calling them out on it.

The following is what I could infer from what I found online. I'm almost certain a good portion of it is WRONG, and I hope the more knowledgeable part of the /. crowd will help me out by correcting it. (No, I'm not being lazy - just stretched to the limit of my understanding of the primary sources, yet desperate to gain some working understanding beyond the "it's hard to explain but you should apply patches" advice found everywhere on the internet.)

• There are three separate but somewhat related issues:
  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)
• Variant 3 is a true bug by any definition. It was named "meltdown" and is an Intel exclusive - AMD and ARM are not affected. If an attacker succeeds to run a malicious binary on an affected system, they can read kernel memory, including juicy secrets like passwords and decription keys. To put this into perspective, this is very nearly as bad as a local privilege escalation. And to put that into perspective, local privilege escalations are so common that there's a mantra in security: if a sufficiently skilled adversary gains "arbitrary code execution", it's virtually "game over" and you can go scrub your HDD. Nevertheless, the aforementioned "sufficiently skilled" bar lies quite high and may not be met by a lot of common threats (especially the automated ones). So, from a defense-in-depth perspective, the only sane advise is "patch your system now". The big news is that patching will come with a performance impact that is proportional with how frequently a process calls the kernel. A process that simply allocates a big chunk of memory, loads data into it, and starts chewing on that (think stuff like compression, crypto mining, scientific computation,...) will not feel much impact, while databases generally will.
• Variant 1, IF I understand correctly, allows an attacker to feed a non-buggy process carefully crafted input that tricks it into leaking data into memory space that is owned by the process in question, but not in use by it. The bad news here is that all CPUs (including AMD and ARM) are vulnerable and there's no way to patch it system-wide. One could argue that this is not a huge deal in and by itself because if the process and the system have no other bugs, the data could never be retrieved. However, it is apparently possible on certain browsers to make JavaScript read data from the "not-in-use" memory locations (which would be a feature for a "system" language like C, but I would classify it as a bug for a high-level interpreted language such as JavaScript). Given that a browser handles sensitive data (passwords), this is potentially devastating. Fortunately, it is easily mitigated by the fact that the leaked data doesn't live long by virtue of it physically only residing in the CPU cache and not the actual memory. The attack therefore relies on precise timing, and by decreasing the precision of the timing mechanisms that are available in JavaScript, browser manufacturers can put a stopgap into th

Re:He and Linus are Spot On

[Lothsahn]

Thank you for noting that you're not 100% sure it's right, and for the excellent summary. There's a ton of misinformation going around, especially with 0100010001010011 dude on Slashdot repeatedly posting that Meltdown is INTEL ONLY, which is false, as some ARM products are affected. What is true is that Meltdown does not affect AMD and affects only a few of ARM's processors.

As you state, it's important to rely on the original sources. Here is each CPU vendor's response to the security issues:
https://www.amd.com/en/corpora...
https://www.intel.com/content/...
https://developer.arm.com/supp...

Here are two corrections to make:
1) Meltdown:
One of your bold statements "AMD and ARM are not affected" is untrue. See here, from ARM directly:
https://developer.arm.com/supp...

ARM has confirmed that A75 is vulnerable to Meltdown. In addition, A15, A57, and A72 are vulnerable to a variant of Meltdown (Variant 3a) which ARM has added. ARM has stated that they believe this variant is NOT exploitable, however, there is already userspace code out there that can do some limited exploits:
https://github.com/lgeek/spec_...

AMD is not affected by Meltdown, in any form. From AMD's press release:
https://www.amd.com/en/corpora...

2) Variant 1: While other vendors may require application changes to address this issue, AMD appears to be able to address this with an OS update, based on their post:
https://www.amd.com/en/corpora...


Summary:
Variant 1: Some manufacturers (ARM) appear to not be able to fix it and are recommending compiler changes, but AMD will fix this in OS updates. Unclear how Intel is addressing this vulnerability.
Variant 2: Correct, from what I can tell.
Variant 3 (Meltdown): Affects nearly all Intel (within the last 10 years) and ARM A75 chips. AMD not affected.
Variant 3a (Modified Meltdown): Affects a larger set of high performance ARM chips

Finally, Intel has done a terrible job (intentionally?) at conflating the two issues, which is unfair. These are 3 separate security issues, with their own priorities and impacts. If you read Intel's official press release for this issue, there's no differentiation between variants 1-3, like there is for AMD and ARM:
https://www.intel.com/content/...

Correction needed

[fubarrr]

>is hard to believe they ignored the risky aspects. I bet they were instructed to ignore the risk

The specific issue that Pentium line CPUs: a) do privilege check asynchronously; b) do it only for the "winning" execution branch was very well known among CPU design community.

Intel architects even bragged about that as their "innovation" in industry journals and filled a number of patents for that (this is the reason amd privilege checker runs on all branches)

Re:Correction needed

[TheRaven64]

System calls where always slow because they used to be called via a software interrupt call.

And software interrupts were slow because they were not considered branches by early branch predictors and so triggered a complete pipeline flush equivalent to a branch mispredict (followed immediately by another branch, which SYSCALL removed). Intel addressed this by treating software interrupts as normal branches for the branch predictor, with an extra hint that they changed privilege level. This gave a small improvement to the Pentium, but was a huge boost on the Pentium 4, where the pipelines were long and deep enough that they had up to 140 instructions in flight at a time and having to flush all of those for a system call was painful.

Speculative execution does n't mean we have have this problem, AMD managed to do it fine. No one can say this is by design, if it is by design then it should be documented since 1995 that the MMU protection can be bypassed.

Speculative execution across ring changes is the root cause of this. AMD doesn't do this because Intel patented it, told AMD, and didn't include it in their cross-licensing agreement. You can bet that AMD was just waiting for the patent to expire before doing it, because without it you have to wait until all branches up to the system call have been retired before you can perform the transition. The MMU protection isn't bypassed, because the instructions that would be bypassing the MMU protection are cancelled. There is a side channel that allows you use the changes in cache behaviour to determine what the values in memory would have been.

Dream on

[sjbe]

"It is a scandal, and I want repaired processors for free."

And I want a pet unicorn. Come to think of it, unicorns are about as real a thing as a "repaired processor" since they physically cannot be repaired. He wants a replacement processor which almost certainly is never going to happen. Basically he's asking for every processor produced in the last 20 years to be replaced for free. If you think that's realistic I've got a bridge to sell you.

There will be plenty of legal action over this and the results of that will be the full extend of any compensation. Furthermore to get compensation he will have to show actual harm incurred. Simple fact is that at least so far there has been little to no tangible harm from this problem to date so standing will be an issue for anyone who sues. This might change in the coming months/years but until it does the chip makers aren't going to pay a dime to replace anyone's chip - flawed or otherwise.

Open hardware is going to be hard

[sjbe]

Open Hardware doesn't fix problems in silicon that has already been manufactured. It might help with the next generation but it won't prevent bugs from appearing in the first place.

Bear in mind that the reason Open Source software works so well is that the marginal cost of (re)production is close to zero and that there are (comparatively) minimal capital costs. Really you just need a PC and a lot of time. Open Hardware is a worthy goal but it's going to be a LOT trickier to pull off in the real world for mostly economic reasons. Furthermore hardware isn't protected by copyright for the most part. It's protected by patents and those are expensive. Worse once someone has one on a piece of kit they can basically shut down any open hardware that uses that idea for the next 20 years.

Re:Freedom demands Open Hardware also

[Entrope]

ARM is a RISC architecture, and plenty of RISC architectures suffer from Spectre. Meltdown is an Intel-only bug -- AMD doesn't have it because they implemented an obvious security rule, and presumably Cyrix and other x86 implementations didn't either.

Re:Disagree

[complete+loony]

He's just bitter because he got slapped on the wrist last time.

Why did OpenBSD silently release a patch before the embargo?

OpenBSD announced an errata on 30 August 2017 that silently prevented our key reinstallation attacks. More specifically, patches were released for both OpenBSD 6.0 and OpenBSD 6.1.

We notified OpenBSD of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt replied and critiqued the tentative disclosure deadline: “In the open source world, if a person writes a diff and has to sit on it for a month, that is very discouraging”. Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability. In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.

Re:Disagree

[Freultwah]

You do realise that OpenBSD and FreeBSD are two different entities, right?

Re:Freedom demands Open Hardware also

This is a question of quality, not idealism and perverse incentives.

We aren't talking about IME here. You seem to be blindly assuming that Open hardware is always free of faults.

This is a question of quality. You seem to be blindly assuming that starts and ends with hardware faults. It does not, and it was the main point Theo was making here. Quality also has to do with how you handle faults when they happen.

And I'd sure as shit trust an open community a lot more than a proprietary closed one hell-bent on protecting profits at all costs. How many more bugs does Intel know about right now that they refuse to disclose because it might affect stock price? I rest my case.

Re:Disagree

[TheRaven64]

Sure it does. If you want to keep something quiet until you are ready to announce it, then you DO NOT tell any of the people who have a track record of spilling the beans.

When has FreeBSD ever disclosed a security vulnerability under embargo? FreeBSD has a security officer and a secteam group that are the only ones that have access to any embargoed security information and have separate infrastructure from the rest of the project for preparing fixes. Only people who have signed the relevant NDAs are allowed access to anything shared with this group and they are normally given information about embargoed security issues as a result.

Regardless of where you personally stand on the idea of embargos and standing up for principles, Theo refused to go along with an embargo previously and it was quite likely that he wouldn't do so this time either

You do realise that FreeBSD and OpenBSD are entirely different projects, run by different people, with different infrastructure and different codebases and that Theo De Raadt has no connection to the FreeBSD project?

Re:"I bet they were instructed to ignore the risk"

[TheRaven64]

To quote Linus "A *competent* CPU engineer would fix this by making sure speculation doesn't happen across protection domains."

That's bullshit. When Intel introduced speculation across protection domains everyone including Linux was happy because it reduced system call costs. Without this, as soon as you get to a syscall / sysenter instruction, you stall the pipeline until all pending instructions have been committed. On a modern Intel CPU with close to 200 instructions in flight at a time, that's a measurable performance overhead.

We've known for a long time that side channels of this kind were possible, but not that they were performant. The new attacks are not interesting because they're side channels that allow data to be disclosed, they're interesting because they're side channels that allow disclosure far faster than previously believed. CPU designers believed that this kind of attack could only be exploited to get a bit every few seconds, at which rate it's not really worth trying as an attack and is pretty easy for software to spot (hmm, why is this thread at 100% and triggering insane numbers of cache misses? Looks malicious...). Now we know that you can use these attacks to get data at about 0.5MB/s, so you can scan the whole of memory in a few minutes.

"I bet they were instructed to ignore the risk"

[Misagon]

I was one of those who called "no way" at first, but just yesterday I found this quote from an Intel engineer. It was originally posted in a reddit thread but has since been deleted - but not before being confirmed by other former engineers at Intel.

As someone who worked in an Intel Validation group for SOCs until mid-2014 or so I can tell you, yes, you will see more CPU bugs from Intel than you have in the past from the post-FDIV-bug era until recently.

Why?

Let me set the scene: It's late in 2013. Intel is frantic about losing the mobile CPU wars to ARM. Meetings with all the validation groups. Head honcho in charge of Validation says something to the effect of: "We need to move faster. Validation at Intel is taking much longer than it does for our competition. We need to do whatever we can to reduce those times... we can't live forever in the shadow of the early 90's FDIV bug, we need to move on. Our competition is moving much faster than we are" - I'm paraphrasing. Many of the engineers in the room could remember the FDIV bug and the ensuing problems caused for Intel 20 years prior. Many of us were aghast that someone highly placed would suggest we needed to cut corners in validation - that wasn't explicitly said, of course, but that was the implicit message. That meeting there in late 2013 signalled a sea change at Intel to many of us who were there. And it didn't seem like it was going to be a good kind of sea change. Some of us chose to get out while the getting was good. As someone who worked in an Intel Validation group for SOCs until mid-2014 or so I can tell you, yes, you will see more CPU bugs from Intel than you have in the past from the post-FDIV-bug era until recently.

Re:Core issue is trust

[Christian+Smith]

It was also a short and long term benefit of their customers. Are you willing to pay Intel back for the extra performance they provided by their same decision that you are deriding today?

Eh? We've already paid the Intel for the performance. Intel CPUs are that bit more expensive than equivalent AMD CPUs, performance is why they commanded the price premium.

Customers trusted Intel that the performance was gained with no cost to security, a reasonable assumption. I'm computer literate, and I'm shocked that this can even be an issue. How the hell do speculative memory accesses leak through kernel memory protection?

So I'm not sure what you think is to be paid back.

Patent infringement

[sjbe]

No, it's not tricky to pull off.

If it wasn't tricky to pull off then it would have already been done on a wide scale. I'm not saying it's impossible but it is going to be a much tougher nut to crack than open software. Mostly for economic reasons rather than technical ones.

- Research and make use of expired patents extensively, file new ones defensively.

Who is going to do this? Who has the funding and more importantly the incentive to do this? IBM received 8000 patents in 2016 and numerous other tech companies received thousands more each. Exactly how do you plan to match that sort of pace? How do you plan to produce anything really useful without infringing on a pile of those patents? Not to mention fending off the flesh eating lawyers that give those patents teeth...

It's more capital intensive than software, but it's also not that expensive either.

I'm a certified accountant and an industrial engineer. I do cost accounting for a living. It is a LOT more expensive than software no matter how clever you are. There is a reason gross margins in manufacturing hardware are far thinner than in software. You don't escape these costs by just doing design either. Someone eventually has to make the product and that will require substantial capital. Then you have the cost of distributing the product. Unlike software which can be sent across the net for nearly free, hardware has to be shipped, stored and turned into products, all of which cost non trivial amounts of cash. If you think it isn't substantially more expensive than making and distributing software you haven't done the math.

Not the same

[sjbe]

Of course, when Linux was new the argument was that an OS was just too big for a bunch of Free Software fans to manage.

You are making a false equivalency here. Making and distributing software is COMPLETELY different than making and distributing hardware. The economics could not be more dissimilar. The legal protections (patents vs copyright) are different. The amount of up front capital required is different. You can modify software after it has been release but you cannot do that with (most) hardware. Basically just because it worked out well for software is does not mean it will work out well for hardware. Hope for the best of course but it's likely to be a difficult nut to crack.

Only a big corporate structure could support development of anything as complex as an OS.

Ultimately that turned out to be true. Basically all the developers of linux and most other major OSS projects are employed at large tech firms (and a few large foundations) and are paid to maintain them. It isn't a bunch of hobbyists in their garages.

Open hardware is harder, but probably not impossible.

Not impossible but for non-trivial applications it appears pretty close to it. The obstacles are predominately economic ones and some legal ones and they aren't minor obstacles. I'm not about to hold my breath for patent reform anytime soon and the patent swamp is a real problem. And the economics of making and distributing hardware are immutable. I think Open Hardware is a very worthy goal but it's going to be quite the challenge.

Re:"I bet they were instructed to ignore the risk"

[TheRaven64]

Was this attack known, and deemed an acceptable risk because of the incredible low rate at which data could supposedly be extracted?

Not this specific attack, but it was known that any source of nondeterminism in a processor was a source of side channels. These were largely ignored because these attacks get lots of papers at top security conferences but are really hard and slow to carry out in practice. Most of the existing attacks used the cache, but there are others involving things like the fact that computation on denormals is much slower than on normal floating point values (a fun one of these lets you scrape browser contents via WebGL and I don't believe has been mitigated yet in spite of being published a couple of years ago).

Speculative execution was known to be a potential source of these side channels for a while. Now that it's shown to be feasible, expect a lot more similar attacks.

Cost of outsourcing

[sjbe]

From a big picture perspective, the making of the hardware has already been detached from the design of the system.

Doesn't matter. You still have to make it and that still will cost money. Doesn't matter if you make it in house or if you hire someone else to do it. If doesn't matter if you have the secret formula for Coke, you still have to put sugar water in bottles and ship it somewhere which is expensive. It's FAR harder to bootstrap the funding for an open source hardware design than open source software.

Would a manufacturer take the risk of making a huge investment that relies on Open Source designs? They already do. Most mobile phones are entirely worthless without Android, an Open Source software.

You're conflating issues. You can already send an open source chip design to a chip fab or a hardware design to a contract manufacturer. My day job is general manager of a contract manufacturer (wire harnesses) so I'm more than passingly familiar. But just because you have outsourced production doesn't mean that the costs for it go away. Your analogy to Android is a meaningless one here.

Just because someone else makes it doesn't make the patent swamp go away. Open source software works precisely because how copyright law is written. The GPL and every other license basically only works because of copyright law. That doesn't apply to hardware. To protect hardware designs you have to get patents on the design and that costs serious money. Not only that you have to avoid infringing other companies patents which is not a trivial exercise when companies like IBM, Google, Apple, etc are getting thousands of new ones every year.

Companies that rely heavily on open source software can do so because they have an alternative revenue source. Typically service or engineering - sometimes ads. What is the alternative revenue source for open hardware? Service? Maybe but the revenue streams aren't quite as clear for open hardware. And even if they become clear it still doesn't solve the capital costs and patent issues.

I'm not saying it's impossible but it definitely will be difficult for open hardware to achieve the sort of success we've seen with open software.