Intel Publishes Microcode Security Patches With No Benchmarks Or Profiling Allowed (theregister.co.uk)
Long-time Slashdot reader Bruce Perens writes: The Register reports that Debian is rejecting a new Intel microcode update because of a new license term prohibiting the use of the CPU for benchmarks and profiling.
There is a new license term applied to the new microcode: "You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results." UPDATE: Intel has reworked the license to no longer prohibit benchmarking. Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, tweeted on Thursday: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."
The security fixes are known to significantly slow down Intel processors, which won't just disappoint customers and reduce the public regard of Intel, it will probably lead to lawsuits (if it hasn't already). Suddenly having processors that are perhaps 5% to 10% slower, if they are to be secure, is a significant damage to many companies that run server farms or provide cloud services. I'm not blaming Intel for this, I don't know if Intel could have foreseen the problem. Since some similar exploits have been discovered for AMD and ARM CPUs, the answer could be "no." But certainly customers are upset.
Another issue is whether the customer should install the fix at all. Many computer users don't allow outside or unprivileged users to run on their CPUs the way a cloud or hosting company does. For them, these side-channel and timing attacks are mostly irrelevant, and the slowdown incurred by installing the fix is unnecessary.
So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can't trust your components when you do that.
with these security patches installed, m'ladies
Making a bad situation, worse.
And the bigger question why is he not posting spam and dups like the rest of slashdot editors?
Only buy AMD.
Anons need not reply. Questions end with a question mark.
You do not own a computer chip you are a slave to the software necessary for it to run which is locked down. HACK ON they deserve what they are about to reap! Reversing chips is how most of the locked down hardware was made available to Linux users for most of the early history of the kernel. Intel now wants a total lock down.... SCREW THEM
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
So Intel, as a condition of using your patch to fix the broken shit you sold us, you don't want us to use the patch to empirically determine just how broken your shit was, or else you'll sue us?
I've got the message loud and clear: you're crooked dirtbags.
I don't think I'll be sending any money your way in future.
The Machine stops.
"(v) publish or provide any Software benchmark or comparison test results."
However, there is also a clause that says if you download the tgz you accept the license automatically. So, the act of downloading to read that license means you have agreed you will not publish benchmarks.
Orationem pulchram non habens, scribo ista linea in lingua Latina
Well kudos to Debian. I am very disappointed in seeing Red Hat, SUSE in saying the licence is fine.
Just goes to show you how close to Windows the big commercial Linux Distro are moving.
I hope that the part of Intel with some sense will wake up to what that other part of Intel is doing and fix this, quickly. When there is a company that big, it has a multiple personality disorder. Obviously this time somebody didn't think through the implications of their legal language.
Bruce Perens.
what I took away was "Go buy an AMD processor".
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The link at "a new license term" is to a license for a different product. I'm sure I didn't write that :-)
Bruce Perens.
Someone at Intel might want to read about the Streisand effect.
Yes. I didn't write that link. The proper text can be found here.
Bruce Perens.
Well, the good lawyers call me when they do stuff like this. Or someone like me who can read a license and knows how a CPU is built. I have saved a few from mis-stating themselves.
Bruce Perens.
So.....
Anyone got a link to some benchmarks?
"In a time of universal deceit, telling the truth is a revolutionary act. George Orwell"
In a time of universal deceit, telling the truth is a total fracking waste of time.
Yes, I'm afraid it's come to this.
"Many computer users don't allow outside or unprivileged users to run on their CPUs"
Your browser is running some outside unprivileged JavaScript for almost every page you visit. One of the exploits was specifically described for JavaScript running in a browser.
You don't even need to be able to execute code. Even code that would traditionally be considered harmless could potentially be used for side channel attacks if you e.g. control the input data. That invoice your ISP sent you as a PDF could potentially use a harmless piece of code inside Adobe Reader to do something harmful.
The fact that it has not been demonstrated yet does not mean it can't be done.
Intel is AMAZINGLY self-destructive, IMO!
Intel says this: Intel's Brian Krzanich is forced out as CEO after 'consensual relationship' with employee. Another story: New details emerge on the office affair that led to Intel CEO Brian Krzanich's surprising resignation on Thursday.
Do you believe this quote? "The office affair which sparked Intel CEO Brian Krzanich's surprise resignation on Thursday started a decade ago and ended before he became CEO in 2013, The Wall Street Journal reported."
I'm guessing that Intel is trying to hide the real reasons that CEO Brian Krzanich is no longer CEO: 1) The Spectre and Meltdown vulnerabilities in nearly all Intel CPUs, problems that began with former CEO Paul S. Otellini. 2) He used inside information to profit: Intel was aware of the chip vulnerability when its CEO sold off $24 million in company stock.
The new Intel CEO is Robert Swan. He joined Intel in September 2016 as CFO.
One of the most self-destructive acts is to appear to lie. Then everything else is examined as also possibly a lie.
The intel-microcode packages for Debian are in the non-free repository. I'll make a point not to take legal advice from you.
So Intel is saying if you want to benchmark to decide if you want to join the class action, you can't provide a detailed reason that you're joining the class? Lawsuits are a matter of public record - a judge is going to laugh at that kind of restriction. How does Intel expect it's going to enforce this?
Let's see a million people tweet their slowdown measurements and then it'll be Intel Legal's move. Somebody come up with the hashtag.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You can ignore stupid shit like this. Intel can sue you for looking cross-eyed if they wanted to. It does not mean that they will win even if you lose everything defending yourself from it.
No company can legally require a person this kind of performative obedience under any circumstance as a sold product like this. Additionally, there have already been cases where judges have rendered TOS/EULA agreements as total bullshit and unenforceable. Especially after a sale has already been completed, just look at the Sony Linux feature removal class action on the PS3 that cost them millions.
That said, it could still be a nightmare to deal with but that is the nature of SLAPP lawsuits to begin with. The intention is not to win, but to financially drain you into a loss or to scare people... mainly the websites publishing benchmark data.
One wrong move by Intel and they will be facing the same kind of fucking class action lawsuit themselves. Everyone should slap so many fucking benchmarks online that Intel's heads spin!
The license also mentions NDAs and Pre-Release agreements
Looks like a license they would include with pre-release/beta software.
7. CONFIDENTIALITY. The terms and conditions of this Agreement, exchanged
confidential information, as well as the Software are subject to the terms and
conditions of the Non-Disclosure Agreement(s) or Intel Pre-Release Loan
Agreement(s) (referred to herein collectively or individually as "NDA") entered
into by and in force between Intel and You, and in any case no less
confidentiality protection than You apply to Your information of similar
sensitivity. If You would like to have a contractor perform work on Your behalf
that requires any access to or use of Software, You must obtain a written
confidentiality agreement from the contractor which contains terms and
conditions with respect to access to or use of Software no less restrictive
than those set forth in this Agreement, excluding any distribution rights and
use for any other purpose, and You will remain fully liable to Intel for the
actions and inactions of those contractors. You may not use Intel's name in any
publications, advertisements, or other announcements without Intel's prior
written consent.
Whoops, this is basically an ad for Ryzen.
When all you have is a hammer, every problem starts to look like a thumb.
Since you cannot run the benchmark (in this case due to legal restrictions) just write FAIL* next to it. Then put the actual values for AMD, VIA and DMP CPUs. Once a few dozen articles get published where even DMP beats Intel's most expensive chips, they will wake up.
* FAIL means that the chip was unable to complete the benchmark due to faulty engineering or legal restrictions.
Phoronix seems to have disregarded that part and published some benchmarks anyway. https://www.phoronix.com/scan....
Intel accused of age discrimination (May 28, 2018) Subtitle: "US federal investigators are looking into Intel's layoffs of 12,000 employees since 2016."
Judging from personal conversations with Intel employees and comments on web sites, Intel is badly managed:
Quote from thelayoff.com, Nov. 23, 2017:
"As a person who worked there several times as contract employee, which makes up most of the workforce. I have seen this happen many times, where older and higher paid blue badges get shown the door, and sometimes escorted out like criminals. This has created a paranoid environment among those who are left, so everyone starts back stabbing each other because they don't want to be the next one to be booted. And creates animosity to the contract workers who are treated like crap. So any workplace cohesion gets thrown out the window, because everyone is circling their prospective wagons."