Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel Says 'Partitions' in New Chips Will Correct the Design Flaw that Created Spectre and Meltdown (geekwire.com)

Posted by msmash on from the umm-sure dept.

Intel said on Thursday it is introducing hardware protections against the Spectre CPU flaw that was discovered last year. From a report: Starting with the Cascade Lake version of its Xeon server processors later this year, Intel will incorporate "protective walls" in its hardware that prevent malicious hackers from using speculative execution techniques to steal private information from the secure part of the processor. These fixes will also ship with the PC version of the Cascade Lake chips, but the tech industry has been much more concerned about the effect of these design flaws on server processors running in data centers and cloud vendors.

The new fixes allow Intel to still benefit from the performance advantages of speculative execution -- in which a processor guesses which upcoming instructions it will need to execute in order to speed things up -- without the security risks. The hardware changes address Variants 2 and 3 of the Spectre and Meltdown issues first disclosed in early January, and software fixes should continue to address Variant 1, Intel said.

2 of 68 comments (clear)

  1. Obligatory: Intel CPU Backdoor Report (Jan 1 2018) by Anonymous Coward · · Score: 2, Informative

    Change log:
    2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)

    Intel CPU Backdoor Report
    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    [Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    @21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

    [Quotes] Vortrag:
    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    Backdoor removal:
    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    2017 Dec Update:
    Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode, use me_cleaner with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit.

    Useful links (Added 2018 Jan 1):
    Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode)
    me_cleaner: Set HAP AltMeDisable bit with -S option
    Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
    EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
    Sakaki's EFI Install Guide/Disabling the Intel Management Engine
    Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
    CVE-2017-5689: An unprivileged network attacker could ga

  2. Re:I smell a lawsuit... by Anonymous Coward · · Score: 3, Informative

    No, these are rather small modifications to existing designs: moving protection checks earlier (for meltdown) to prevent speculative execution past a guaranteed exception is not a complete redesign.
    The protection bits are in the TLB entry, that you need to look up for address translation anyway, and then they may be checked in parallel with the cache access. Compared to looking up the tags for an 8-way (or 4, can't remember) cache access, checking the protection is simple.
    Recent chips have 57 virtual address bits of which only the 12 lower go without translation, the TLB is at least 4 way set associative, so this means that you need 4 45 bit comparators to select the TLB entry. Once translated, the L1 cache lines are 64 or 128 bytes on a physical address range of 46 bits, so this means that the cache tags are 39 or 40 bit wide (some AMD CPUs even allow a larger physical address space).
    Therefore, for the address translation and cache tags matching, you end up with at least 8 comparators about 40 bits wide each, more if the associativity is higher.
    Well, the protection bits in the TLB and the current privilege levels altogether are less then 8 bits (2 for the current privilege level, 3 or 4 for protection in the TLB entry).
    Completely negligible in terms of silicon area. Of course the logic has to be able to say: stop here, but it already needs to take into account the case of a TLB miss, and of a cache miss. It's probably not that hard to change the logic to treat a protection violation as a TLB miss, except that all that logic in Intel's core dates back to the PentiumPro...