Slashdot Mirror


Intel Publishes Microcode Security Patches With No Benchmarks Or Profiling Allowed (theregister.co.uk)

Long-time Slashdot reader Bruce Perens writes: The Register reports that Debian is rejecting a new Intel microcode update because of a new license term prohibiting the use of the CPU for benchmarks and profiling.

There is a new license term applied to the new microcode: "You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results."
UPDATE: Intel has reworked the license to no longer prohibit benchmarking. Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, tweeted on Thursday: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."
The security fixes are known to significantly slow down Intel processors, which won't just disappoint customers and reduce the public regard of Intel, it will probably lead to lawsuits (if it hasn't already). Suddenly having processors that are perhaps 5% to 10% slower, if they are to be secure, does significant damage to many companies that run server farms or provide cloud services. I'm not blaming Intel for this, I don't know if Intel could have foreseen the problem. Since some similar exploits have been discovered for AMD and ARM CPUs, the answer could be "no." But certainly customers are upset.

Another issue is whether the customer should install the fix at all. Many computer users don't allow outside or unprivileged users to run on their CPUs the way a cloud or hosting company does. For them, these side-channel and timing attacks are mostly irrelevant, and the slowdown incurred by installing the fix is unnecessary.

So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can't trust your components when you do that.

12 of 373 comments

  1. Re:Quick fix: by Anonymous Coward · Score: 2, Interesting

    Only buy POWER, BLOB free

  2. Re:Lies? by glowworm · Score: 4, Interesting

    The Microcode tgz file also contains a license file with the same language:

    "(v) publish or provide any Software benchmark or comparison test results."

    However, there is also a clause that says if you download the tgz you accept the license automatically. So, the act of downloading to read that license means you have agreed you will not publish benchmarks.

    --
    Orationem pulchram non habens, scribo ista linea in lingua Latina
  3. Kudos by jmccue · Score: 5, Interesting

    Well, kudos to Debian. I am very disappointed in seeing Red Hat and SUSE saying the licence is fine.

    Just goes to show you how close to Windows the big commercial Linux distros are moving.

    1. Re:Kudos by Bruce Perens · Score: 5, Interesting

      Actually, I've caught Red Hat in a number of legal mistakes where I've had to wake up one of their lawyers to the issue, because the engineer never consulted one. This might be that sort of thing, or whoever read the text didn't consider the implications. The microcode runs for every instruction, and as far as I can tell the prohibition applies to all use of the CPU. Don't ever provide or publish benchmarks, even for your own software, using this CPU to collect them.

      The lawyer who wrote the license obviously didn't walk through what the CPU actually does, and that the implication of the language would thus be larger than expected.

  4. Re:Car analogy time by Bruce Perens · Score: 3, Interesting

    Well, the good lawyers call me when they do stuff like this. Or someone like me who can read a license and knows how a CPU is built. I have saved a few from mis-stating themselves.

  5. Re:How long before we see what this code does? by sgage · Score: 3, Interesting

    "In a time of universal deceit, telling the truth is a revolutionary act." -- George Orwell

    In a time of universal deceit, telling the truth is a total fracking waste of time.

    Yes, I'm afraid it's come to this.

  6. Judge Laughs by bill_mcgonigle · Score: 3, Interesting

    So Intel is saying if you want to benchmark to decide if you want to join the class action, you can't provide a detailed reason that you're joining the class? Lawsuits are a matter of public record - a judge is going to laugh at that kind of restriction. How does Intel expect it's going to enforce this?

    Let's see a million people tweet their slowdown measurements and then it'll be Intel Legal's move. Somebody come up with the hashtag.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  7. Re:Make your next CPU by Anonymous Coward · Score: 2, Interesting

    Techspot just published some very extensive benchmarks ( https://www.techspot.com/review/1683-linux-vs-windows-threadripper-vs-core-i9/ ) that make AMD's Threadripper 2990WX look significantly faster than Intel's i9-7980XE in a lot of the particular tests. Interestingly, they did most (all?) of the tests with Linux and Windows 10 on both CPUs, and Linux also seemed to do better to various degrees (a little to a lot).

    I suppose we could assume this patch will increase the AMD performance margin, depending on the particular test, so why bother with worrying about how much more the patch hurts the Intel - just assume it will perform even worse, and buy accordingly, eh?

    R O

  8. Re:Not Legal by cstacy · Score: 3, Interesting

    No company can legally require a person this kind of performative obedience under any circumstance as a sold product like this.

    Of course a company can enter into a contract with you that says you can't publish performance specs for their product. So I am going to assume that you mean to say that it's about a product they PREVIOUSLY sold you. The thing is, Intel did NOT previously sell you this microcode update.

    The contract is that Intel will provide you this new microcode update, which is software, but that your license to use it will be restricted. (Specifically that you can't run this software on a computer for the purpose of benchmarking it, and that you won't publish such a benchmark.)

    I don't see any legal problem with that contract.

    It doesn't make Intel look good, but if you don't like the deal, then don't install the software.

    Additionally, there have already been cases where judges have rendered TOS/EULA agreements as total bullshit and unenforceable.

    If you cannot read the "By downloading, you agree..." license terms BEFORE downloading, then you have a shrink-wrap license problem. (By the way, shrink-wrap licenses are still upheld in some states such as Maryland and Virginia.) Even if there's a shrink-wrap issue, though, it is fairly obvious that INSTALLING the software after downloading and reading the accompanying license would constitute agreement to the terms.

    Especially after a sale has already been completed, just look at the Sony Linux feature removal class action on the PS3 that cost them millions.

    That case was different than this. In the PS3 case, Sony removed access to their online gaming network, thereby crippling the box. Here, Intel is not removing access to anything: if you don't like the terms, then don't install the microcode update, and your computer will continue to function exactly as it did before, with all the same capabilities (and bugs) intact. Which is the point.

    I expect the benchmarks will be out soon and all over the place, published in ways that make it impossible to figure out who to sue. Then, these benchmarks will be reported all over the place by people who never downloaded or installed or agreed to any of the license terms, and in fact did not perform any benchmarking themselves. Just published some results from some other shadowy people who cannot be sued.

  9. Re:we saw this coming long ago by deviated_prevert · Score: 2, Interesting

    You saw this coming but have no idea of the history behind microcode patches?

    https://en.wikipedia.org/wiki/...

    The microcode feature is there to help you, not enslave you. Silicon is forever. Patching it on your desktop after the fact is a god-send.

    Learn some history before you claim to have predicted the future.

    With respect, the fight to keep alternative operating systems on PCs and servers is a long and storied history. Through the "hardware partner" cartel, WinModems and finally the Palladium initiatives culminating in locked BIOSes that required key codes to load an OS. Linux has weathered the lockout exclusion storms that favor Microsoft and to a lesser extent Apple.

    The fact that Linux based servers still run huge portions of the servers that power the net is still a problem for Intel, in as much as Linux servers don't suffer the constant upgrade cycles that Windows servers do. This reduces the need to change out high horsepower gear every 5 years or so and greatly reduces the software licensing fees for ISPs and web servers. The slow sales of Windows server software to ISPs can easily be helped along by Intel locking down testing of security updates for the Linux kernel. Servers certainly must patch the Intel hell holes that speculative execution has created.

    I am posting this from a Core 2 Duo on a Lenovo T500 that is completely vulnerable to the Intel holes that could melt me down at any time. In fact this aspect has already been exploited on Firefox with a malicious JavaScript that put an old school ActiveX style coded tidbit in my RAM that made me kill the Firefox pid and do a whois traceroute on the source. It was from a .tk as usual and the kicker was that the .tk redirected to a .ru. I still have the logs and printouts of the hack with bounces.

    So yes, Linux is vulnerable and can be annoyance hacked due to Intel's stupid speculative execution coding routines, but fortunately not completely hosed unless you are an idiot and let the attacker(s) in. The sky is always falling with open source software and using Linux as a computer OS. BUT I still refuse to send more ransom money to Microsoft or even the Coca Cola company for that matter to secure my computers for use on the information highway when Intel tries again to start WWIII with us Linux users. I must indeed be a deviated_prevert to say this but: NOT ONE DIME MORE TO INTEL OR MICROSOFT. I have spent enough securing and replacing their hardware and software over the 30 or so years I have needed it to do any serious work that required internet communications!

    --
    This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
  10. Re:You'll never get a first post by Z00L00K · Score: 2, Interesting

    Those that have security concerns are willing to take performance penalties; those that want performance usually don't worry too much about the security issues, since the performance hunters are probably just running a single application anyway.

    What might be interesting is to be able to boot the computer in different modes - performance or security mode. The Turbo button revival!

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
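The question raised in the submission of whether a given machine needs the fix at all, and the "performance or security mode" boot idea in the comment above, both come down to knowing what the running kernel and microcode are actually doing. The script below is an added example, not code from the Slashdot post, any commenter, Intel or Debian. It reads two real Linux interfaces: the per-issue status files the kernel exposes under `/sys/devices/system/cpu/vulnerabilities/` and the `microcode` field of `/proc/cpuinfo`. The directory tree it builds under `mktemp` and the revision value `0x000000ff` are constructed for the offline demonstration and are not real output from any machine.

```shell
#!/bin/sh
# Added example; not code from the Slashdot post or from any commenter.
# Summarises, from the interfaces the Linux kernel exposes, whether CPU
# side-channel mitigations are active and which microcode revision is loaded.
# By default it inspects the live system; pass a root directory to inspect
# a constructed copy instead (used below for an offline demonstration).

# Print "<name>=<mode>" for each entry under .../cpu/vulnerabilities, where
# mode is on (a mitigation is active), off (the kernel reports Vulnerable),
# n/a (Not affected) or unknown (a status string this script does not classify).
mitigation_status() {
    dir="${1:-}/sys/devices/system/cpu/vulnerabilities"
    [ -d "$dir" ] || { echo "no-vulnerabilities-dir"; return 1; }
    for f in "$dir"/*; do
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected") mode="n/a" ;;
            # Checked before Vulnerable: a mitigated entry may still end in
            # "; SMT vulnerable", which must not be counted as "off".
            *Mitigation*)   mode="on" ;;
            *Vulnerable*)   mode="off" ;;
            *)              mode="unknown" ;;
        esac
        printf '%s=%s\n' "$name" "$mode"
    done
}

# Print the microcode revision of the first CPU listed in /proc/cpuinfo.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-}/proc/cpuinfo"
}

# Number of entries whose mitigation is active; 0 means "performance mode".
count_mitigated() {
    mitigation_status "$1" | grep -c '=on$' || true
}

# Build a constructed sample tree. The values are made up for the demo.
build_sample_tree() {
    root=$(mktemp -d)
    v="$root/sys/devices/system/cpu/vulnerabilities"
    mkdir -p "$v" "$root/proc"
    printf 'Mitigation: PTI\n'                               > "$v/meltdown"
    printf 'Vulnerable\n'                                    > "$v/spectre_v2"
    printf 'Not affected\n'                                  > "$v/l1tf"
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$v/mds"
    printf 'processor\t: 0\nmicrocode\t: 0x000000ff\n'       > "$root/proc/cpuinfo"
    echo "$root"
}

# Demonstration: the constructed tree first, then the live system if it has
# the sysfs directory (i.e. a reasonably recent Linux kernel).
main() {
    sample=$(build_sample_tree)
    echo "sample tree: microcode $(microcode_revision "$sample"), $(count_mitigated "$sample") mitigation(s) active"
    mitigation_status "$sample"
    rm -rf "$sample"
    if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
        echo "live system: microcode $(microcode_revision), $(count_mitigated) mitigation(s) active"
        mitigation_status
    fi
}
main "$@"
```

On the constructed tree this reports two active mitigations (meltdown, mds), one disabled (spectre_v2) and one not applicable (l1tf). The "Turbo button" the comment wishes for already exists in a crude form on recent kernels as the `mitigations=off` command-line parameter, and a second boot entry carrying it gives the two-mode machine described; running the script after boot confirms which mode you actually landed in, and comparing the microcode revision before and after applying a vendor update confirms the update loaded at all, which is the first thing to check before attributing any slowdown to it.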
  11. What is happening at Intel? BAD management? by Futurepower(R) · Score: 3, Interesting

    "Intel accused of age discrimination" (May 28, 2018). Subtitle: "US federal investigators are looking into Intel's layoffs of 12,000 employees since 2016."

    Judging from personal conversations with Intel employees and comments on web sites, Intel is badly managed:

    Quote from thelayoff.com, Nov. 23, 2017:

    "As a person who worked there several times as contract employee, which makes up most of the workforce. I have seen this happen many times, where older and higher paid blue badges get shown the door, and sometimes escorted out like criminals. This has created a paranoid environment among those who are left, so everyone starts back stabbing each other because they don't want to be the next one to be booted. And creates animosity to the contract workers who are treated like crap. So any workplace cohesion gets thrown out the window, because everyone is circling their prospective wagons."