Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel Blocked Collaboration On Spectre/Meltdown Fixes, Says Linux Kernel Developer (eweek.com)

Posted by EditorDavid on from the stuck-in-a-silo dept.

This week in Vancouver, Linux kernel developer Greg Kroah-Hartman criticized Intel's slow initial response to the Spectre and Meltdown bugs in a talk at the Open Source Summit North America. An anonymous reader quotes eWeek: Kroah-Hartman said that when Intel finally decided to tell Linux developers, the disclosure was siloed.... "Intel siloed SUSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn't let us talk to each other." For an initial set of vulnerabilities, Kroah-Hartman said the different Linux vendors typically work together. However, in this case they ended up working on their own, and each came up with different solutions. "It really wasn't working, and a number of us kernel developers yelled at [Intel] and pleaded, and we finally got them to allow us to talk to each other the last week of December [2017]," he said. "All of our Christmas vacations were ruined. This was not good. Intel really messed up on this," Kroah-Hartman said...

"The majority of the world runs Debian or they run their own kernel," Kroah-Hartman said. "Debian was not allowed to be part of the disclosure, so the majority of the world was caught with their pants down, and that's not good." To Intel's credit, Kroah-Hartman said that after Linux kernel developers complained loudly to the company in December 2017 and into January 2018, it fixed its disclosure process for future Meltdown- and Spectre-related vulnerabilities... "Intel has gotten better at this," he said.

An interesting side effect of the Meltdown and Spectre vulnerabilities is that Linux and Windows developers are now working together, since both operating systems face similar risks from the CPU vulnerabilities. "Windows and Linux kernel developers now have this wonderful back channel. We're talking to each other and we're fixing bugs for each other," Kroah-Hartman said. "We are working well together. We have always wanted that."

39 of 83 comments (clear)

  1. To Intel's credit... by QuietLagoon · · Score: 1

    To me, there appears to be very little, if anything, to Intel's credit in this whole CPU disaster. Performance instead of security. What a mess. How long will it be before there's an Intel CPU that is not inherently insecure? Will a whole new architecture need to be designed?

    1. Re: To Intel's credit... by king+neckbeard · · Score: 2

      They've made an improvement on paper for future vulnerabilities to what they should have done all along. That would seem to fut under the category of 'very little.'

      --
      This is my signature. There are many like it, but this one is mine.
    2. Re: To Intel's credit... by Anonymous Coward · · Score: 1

      And I'll disregard anybody who uses ad hominem attacks and an appeal to authority rather than actual arguments.

      If you are posting as Anonymous Coward, you aren't really in a position to criticize his pseudonym, either.

    3. Re:To Intel's credit... by Anonymous Coward · · Score: 1

      First "hardware" fixes are in Whiskey Lake (mobile) and Cascade Lake (Xeons) - https://www.techpowerup.com/img/ZBajKtbXMPCysTL5.jpg

      And in the EPYC and Ryzen chips too.

      In fact, just get those.

    4. Re:To Intel's credit... by Anonymous Coward · · Score: 1

      Yeah, every AMD-designed CPU doesn't speculate past a privilege check while Intel ones do, checking only when the speculative path is the correct one, but that's too late...

    5. Re:To Intel's credit... by Tough+Love · · Score: 1

      Will a whole new architecture need to be designed?

      Speaking as a layman in terms of processor engineering, it's more than a mask tweak but less than a new architecture. Given that Intel already has to tear up its entire 10nm fab line to fix the yield issues, this processor re-engineering will probably be done in parallel without delaying Ice Lake any more than it already is, but that is scant comfort. Intel already has hardware fixes for Whiskey Lake laptop processors. Chances are, Intel will just grin and bear it with their desktop and server parts. For the laptop parts, they might have sacrificed some performance for the Meltdown fix. It's going to be really hard to tell, given all the other factors involved. For desktop/server parts it would be really easy to tell, which is maybe why Intel won't bother.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    6. Re:To Intel's credit... by Tough+Love · · Score: 1

      Correction, Intel will provide hardware mitigation for Meltdown with its Cascade Lake 14nm parts announced last week without any details, including no release date more precise than "later this year." Benchmark wars with Epyc promise to be, well, epic.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    7. Re:To Intel's credit... by 93+Escort+Wagon · · Score: 2

      To me, there appears to be very little, if anything, to Intel's credit in this whole CPU disaster. Performance instead of security.

      Given that, when the news came out, their first (and second, and third) thought was to put Marketing in charge of any response... that was to be expected.

      --
      #DeleteChrome
    8. Re:To Intel's credit... by K.+S.+Kyosuke · · Score: 1

      Performance instead of security.

      Time to brush up on old jokes?

      --
      Ezekiel 23:20
    9. Re:To Intel's credit... by HiThere · · Score: 1

      And my first thought was "I wonder what *amazing* new holes they've opened in those models.". I don't *know* that they've intentionally introduced new bugs...but their entire process in this last case (which they have "improved" on paper after the fact) causes me to doubt their intentions.

      But perhaps AMD just hasn't been caught yet. Any chip that requires a "management engine" is dubious, even if you call it a "trust zone" or some such. It's a sign that they're trying to rent you the CPU rather than sell it to you. The "trust zone" is about the company's trust, not the users.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    10. Re:To Intel's credit... by HiThere · · Score: 2

      But officially that won't happen next time. Believe it if you want to. Certainly it's proper to trust Intel's honesty and care for users.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    11. Re: To Intel's credit... by mukinrestak · · Score: 1

      Improved does not equal fixed. .00000001% of a fix is an improvement over 0. It's also shit useless.

    12. Re:To Intel's credit... by thegarbz · · Score: 1

      To me, there appears to be very little, if anything, to Intel's credit in this whole CPU disaster.

      There definitely is something to Intel's credit. Their CPUs were faster and the security issues are ultimately non-issues for the vast majority of users. The only reason I won't consider Intel at the moment ... AMD are currently the performance kings.

    13. Re:To Intel's credit... by mangastudent · · Score: 1

      Intel's out-of-order security problems go back to their very first out-of-order CPU, the 1995 Pentium Pro on which all their current fast chips are based on. Given that every other company of any size with out-of-order CPUs also have Spectre problems, and ARM and IBM also have Meltdown ones, this represents an industry wide blind spot, not anything at all unique to Intel.

    14. Re: To Intel's credit... by Agripa · · Score: 1

      I read that as, "They have made improvements to paper over future vulnerabilities."

  2. poor intel by Anonymous Coward · · Score: 1

    This week in Vancouver, Linux kernel developer Greg Kroah-Hartman criticized Intel's slow initial response to the Spectre and Meltdown bugs in a talk at the Open Source Summit North America. An anonymous reader quotes eWeek:

    Be careful there, Intel is so inept they will likely mistake you calling them slow with calling their CPUs slow, and they will send their lawyers after you with claims of illegal benchmarks.

    Jokes aside, never EVER sign an NDA with Intel. Tell them to get fucked, and go talking about them anyway.

    You should also consider exempting them from any responsible security disclosures. We have.
    Everything gets published immediately without waiting on a reply from Intel, and in fact we won't even bother informing Intel, they can find out about their bugs and exploits the same as everyone else, not that they care.

    At this point they also have fully used up their allotment of "one more chances"
    We're holding the stance that its a license violation to use their fixed firmware. Not our problem they changed their minds, we have it in writing how that isn't true.
    Let them sue and explain to the judge how their products are intentionally by design exploitable and costing lives. Let them explain why this is being enforced by contract for the 24 hours the legal documentation Intel published to the world and why they didn't at their own expense hand deliver the corrections that don't legally apply to us.

    Zero tolerance has begun, have fun throwing your money down the legal department drain Intel.
    Go ahead and sue us for pirating your shit far and wide and breaking all contracts with you due to your term violations.

  3. Re: Sad. For Linux users. by Anonymous Coward · · Score: 1

    More likely to cost Intel, if anyone. How I'm supposed to buy Intel hw if it is poorly supported by the Linux OS I need to use in my servers?

  4. Broadly speaking, yes a different architecture by raymorris · · Score: 2

    Intel can fix the specific Spectre-class vulnerabilities that have recently received a lot of attention, with some impact on performance. AMD wasn't vulnerable, and Intel can do something similar to what AMD did.

    On the other hand, if you want to speak more broadly about issues like Meltdown and the various types of Spectre, AMD does have some vulnerabilities and is likely that EVERY high-performance CPU in the next five to ten years will have similar issues. Not precisely the same, but in the same general category. Simple, low-performance ARM chips can be used for security-sensitive operations.

    Software is written as if it executes step-by-step, using a simple model of a CPU. Simple code looks like this:
    if (userid larger than 1000) {
            basekarma = 10;
    }

    In this simple model, the basekarma variable is never changed for the oldest users. In the simple model, a Pentium and Core i7 look the same. In the real world, a modern processor doesn't run things step-by-step, it runs multiple things at once. Since the userid is almost always greater than 1000, it DOES run the code in the IF statement every time, then reverses it in the rare instance that userid is 1000 or lower. That's faster than waiting for the userid check, because it can simultaneously set the variable and check the userid in one clock tick.

    In the model, setting the basekarma can never have any effect on the userid. In the real world, basekarma isn't an idea, it's a set of silicon transistors with certain electrical charges. Those tiny transistors are only a few nanometers from the ones used for basekarma, and using them creates hear which heats up all the surrounding transistors (variables). Electrical charges in one, alternating a billion times per second, can and will effect the electrical charges of others that are just 100 nanometers away.

    With the complexity of a modern CPU, it's not going to match the simplistic model. It's going to run multiple threads concurrently. Physical effects mean doing something to one set of memory locations can physically effect others (if only by forcing the system to slow down to avoid overheating).

    Caches speed up operations by an order of magnitude when essentially the same thing is done over and over, such as handling each pixel or each sample of audio. Being faster means attackers can tell what is in the cache. Eliminating cache timing-based attacks would make the CPU MUCH slower.

    A simple single- thread CPU without any speculative execution, only in-order execution, no cache or only very simple cache, and half a dozen other types of complexity could fairly well match the simple model used for programming, and therefore be pretty secure.

    Overall, the security of a system is inverse to its complexity. Complex systems have many complex parts that hackers can manipulate. They'll never be secure, or at least not any time soon.

    1. Re:Broadly speaking, yes a different architecture by HiThere · · Score: 1

      I have not encountered any trustworthy references to the effect that any company besides Intel had the Meltdown problem. Spectre, yes, to a small (I'm not sure how small) degree, but not Meltdown. And only some variants of Spectre.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:Broadly speaking, yes a different architecture by mangastudent · · Score: 1

      Is ARM the company a trustworthy enough reference about the Meldown variant they discovered in their Cortex-A75 core?

    3. Re: Broadly speaking, yes a different architecture by mangastudent · · Score: 1

      ARM may license some technology from Intel, AMD licenses a lot by definition, but ARM has always had their own unique designs, governed from the very beginning by low power usage. Back then, it was so that they could use inexpensive plastic instead of ceramic packaging for their desktop computer target, they beat their target by a factor of two. That's one of the main reasons ARM chips now own the mobile market.

      If your claim was true, it wouldn't explain why every other one of their earlier out-of-order designs only suffer from Spectre flaws. Instead, that, along with IBM's POWER Meltdown and Spectre issues, including this very latest set of Foreshadow/L1TF ones, and AMD's Spectre problems starting with the first reporting of this class of bugs, show that this has been a massive blind spot of the entire industry.

    4. Re:Broadly speaking, yes a different architecture by HiThere · · Score: 1

      Yes, but as another comment indicated, only the chips based on Intel designs had the Meltdown problem, so I still tend to think of it as an Intel defect. Were I considering purchasing an ARM, of course, the manufacturer would be more significant.

      Since I'm not, to me that's still an Intel defect. Where you draw the line is, in a sense, arbitrary...or at least situational.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Broadly speaking, yes a different architecture by mangastudent · · Score: 1

      Yes, but as another comment indicated, only the chips based on Intel designs had the Meltdown problem

      Could you point out the comment that indicated both ARM and IBM's RISC designs were "based" on Intel designs, I couldn't remember it, and I just reviewed the 0 or higher scored them and couldn't find one.

      The fundamental design that's gotten everyone into trouble including AMD, which copied the Pentium Pro (just not the Meltdown part), goes back to IBM in 1967 when they were creating the highest end System/360 supercomputers.

    6. Re:Broadly speaking, yes a different architecture by HiThere · · Score: 1

      Sorry, I didn't mean to include current IBM designs. I know nothing about them. Are you saying that they are vulnerable to Meltdown?

      As for the 1967 design problem, I believe that's about when the problem was originally identified...though at the time the exploits were considered only theoretically possible, not actually possible. Still, that was when mitigation measures were first considered.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:Broadly speaking, yes a different architecture by mangastudent · · Score: 2

      IBM says they've vulnerable to Meltdown. And, hmmm, adding this item from them it's much worse than the one new microarchitecture ARM discovered was vulnerable to a Meltdown variant, looks like POWER 7+, 8, and 9 processors, can't confirm if 7 is affected, but this is clearly pretty much all of their currently supported CPUs. The first item also implies problems, without mentioning Meltdown specifically, with POWER 4 through 6 CPUs. Ah, and following a link in that first one, per RedHat z/Architecture CPUs are also vulnerable to one or both.

      I'm not sure the problem occurred in the IBM 1960's design, for I don't know if it included speculative execution as well as out-of-order execution, in those days IBM built its computers with discrete silicon transistors, 1 or a very few of them along with resistors and maybe capacitors on a single module. Played well to their manufacturing strengths when true single die silicon integrated circuits were just too new, and no one could make them in the volumes IBM needed. So gates were very expensive, and they might have satisfied themselves with just out-of-order execution. Especially since this was just for the FPU.

      By the time of the Pentium Pro in 1995, gates were a lot cheaper, so adding speculative execution when you already had all those anonymous registers, and doing it for your integer instructions wouldn't have been hardly as expensive. Or as complicated or gate intensive, since you could afford to use microcode, the top 2 IBM System/360 CPUs didn't, and fared less well in the marketplace because they couldn't emulate earlier IBM CPUs using some additional microcoded instructions.

    8. Re:Broadly speaking, yes a different architecture by HiThere · · Score: 1

      Yi! I'm going to guess that IBM has some sort of technology sharing arrangement with Intel, but that's admittedly a guess. It's hard to believe that IBM would make that kind of tech goof on it's own.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    9. Re:Broadly speaking, yes a different architecture by mangastudent · · Score: 1

      Every company but AMD, which has by definition the very tightest technology sharing arrangement with Intel made the Meltdown screwup. Every company including AMD has multiple Spectre screwups. Why is it so hard for you to believe this is a general industry problem? Or to put it another way, I'll repeat a question I asked to another participant in this discussion, "Show us on the doll where Intel touched you." Because I find this monomania about Intel inexplicable.

  5. Re:Sad. For Linux users. by HiThere · · Score: 1

    There have indeed been times when Intel acted in ways that benefited the Linux community. Of course, they also benefitted Intel.

    OTOH, have you ever heard the term "Wintel"? They've acted detrimentally about as much as they've acted beneficially, and arguably more. They've designed systems that intentionally shut Linux out of application. They've refused to publish interface specs that they shared with a different OS vendor. Etc.

    The problem with trying to assign a position to the company is that it's not an individual. Different groups have adopted different policies. If they were a person they'd be described as being MPD to an extreme degree, and in need of hospitalization. I find them untrustworthy, and when one of the legal or marketing personalities is in charge, totally untrustworthy. But they aren't the worst company that one must deal with.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  6. Re:Slashdot users LOVE the Win64 version... apk by Zontar+The+Mindless · · Score: 1

    But still no Be after 20 years? FAIL.

    --
    Il n'y a pas de Planet B.
  7. Re:Viral code by pslytely+psycho · · Score: 1

    Nah, Windows has the WSL. They decided it was truly time for the year of the LINUX desktop...brought to you by your good friends at Microsoft.

    --
    Donald Trump, on a crusade to make Nixon look respectable
  8. Re:To Intel's discredit... by Anonymous Coward · · Score: 1

    Intel still ignores OpenBSD.

  9. Don't worry, customers by rodia · · Score: 2

    Ok, so Intel landed on the shady side of the performance/security tradeoff. That probably kept CPU prices artificially high for you for a while because it helped their market position. But don't worry, soon you will be allowed to give them more money for new processors which are less vulnerable. I'm sure this is the right incentive to never let something like this happen again.

    Also, how should they know their CPUs have so many problems? NOBODY knew, apart from some geeks who write papers nobody understands. Especially this one CS professor (U.S. based, security focus) who tweeted a slide from a talk he gave years ago at an Intel event. Warned about all this out-of-order and speculative branching stuff, who was that again? I'm sure they are all just crazy conspiracy theorists. The government should really do something about them.

  10. Re:Sad. For Linux users. by drinkypoo · · Score: 1

    There have indeed been times when Intel acted in ways that benefited the Linux community.

    When was that? Every time Intel does Linux development, they tie it to their own processors. They killed Meego by turning it into Moblin, which was slightly about making a new OpenGLES-based interface and mostly about making it Intel-specific (wouldn't even boot on AMD systems.)

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. Re: It's not Intel by mangastudent · · Score: 1

    And being labeled a Troll for telling the truth is certainly going to encourage him to contribute in the future.

    Is there any out-of-order with speculative execution architecture family out there that doesn't have these problems? IBM's z/Architecture?? No idea, and it's been a long since anyone bought an IBM mainframe for CPU power, but the modern out-of-order design was first developed for the System/360's supercomputer FPUs. Per my reading Wikipedia just now, of the non-dead ones, there were out-of-order MIPS and SPARC microarchitectures in the past. The big and successful ones today all suffer, Intel/AMD, ARM and IBM POWER.

  12. Re: It's not Intel by mangastudent · · Score: 1

    I haven't seen the slightest bit of evidence that Intel "licenced" this sort of technology to anyone by AMD by definition, and the basic technology goes back to the 1960s and IBM, when it FRAND licensed all its patents due to a 1940s or very early 50s lawsuit settlement, that's one of the reasons their mag tape and mechanism designs became ubiquitous, as you can see in old movies. Of course by 1993-5 with others started doing out-of-order and at least in Intel's case speculative execution based on that IBM's patents had lapsed.

    Thus we see of the few still successful high performance CPU makers all but AMD created Meltdown vulnerable designs, and all including Spectre vulnerable ones.

    Seriously, this obsession has me asking "Show us on the doll when Intel touched you."

  13. To Dahmer's credit... by Excelcia · · Score: 1

    To Jefrey Dahmer's credit, he stopped killing and eating people after he was caught, convicted and imprisoned.

  14. Re:To Intel's discredit... by Excelcia · · Score: 1

    That's weird, since Microsoft invented the Blue Screen of Death.

  15. Re:To Intel's discredit... by mangastudent · · Score: 1

    Only in a very technical sense, Commodore for example did it a decade earlier in red for the Amiga. Here's a Wikipedia page on things like it.

  16. Re:To Intel's discredit... by Excelcia · · Score: 1

    *pacefalm*