Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug. Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes …


        1. CrazyOldCatMan Silver badge

          Re: no news

          and professionals may notice

          And *all* the big cloud providers will now need to buy 25-30% more hardware to meet the expected capacity plan. I don't imagine that Google/Amazon/Microsoft are going to be too chuffed with Intel right now. And since they (with Apple/Twitter/Facebook et al.) are probably the biggest buyers with the most clout their voice is going to count.

          If they all switch to buying AMD (assuming AMD has the capacity to build that many processors) or re-tool for ARM then Intel sales are going to nosedive.

    1. Dave 126 Silver badge

      Re: no news

      The story is on Slashdot and Gizmodo. As for the awareness of the mass populace, it might come to them when more details arrive - or they have available headspace following the FCC's Net Neutrality shenanigans.

    2. Ken Hagan Gold badge

      Re: no news

      21 hours after you posted that, I can report that it is on the front page of the BBC news website and at least one major UK newspaper. Yes, that surprises me, too, but perhaps it is just too good a *story* to pass over and, after all, even normal people use computers these days.

    3. el_oscuro

      Re: no news

      https://www.reuters.com/article/us-cyber-intel/intel-working-to-fix-security-flaw-in-its-chips-without-slowing-computers-idUSKBN1ES1BO

  1. Will Godfrey Silver badge
    Happy

    Phew!

    Fortunately, last November I'd already decided my next computer would be an AMD Ryzen. It's being built this month.

    1. whitepines Bronze badge
      Big Brother

      Re: Phew!

      Don't finish that sigh of relief. Your new Ryzen box is under the permanent control of anyone with AMD's signing keys via the PSP. Think remote network access below the hypervisor, in a critical processor inside your processor, just waiting to be exploited.

      Scared yet?

      1. conscience

        Re: Phew!

        @whitepines

        You mean like Intel's Management Engine? I'd much rather have AMD, at least they work as advertised and (as yet) aren't known to be full of security flaws like the Management Engine is. Obviously I'd rather have no 'security' processor whatsoever inside my CPU, but given the known bugs with Intel's Management Engine I'd still rather take my chances with AMD.

        Ryzen is already a far better deal than Intel's offerings, especially when you factor in this latest flaw that makes Intel's chips run even slower than advertised. Intel trying to flog buggy, half-working hardware is getting beyond a joke.

        1. whitepines Bronze badge
          Stop

          Re: Phew!

          @conscience

          Oh, I fully agree on the ME, but AMD is just the other side of the same coin. You need to look beyond x86 to have any chance of getting away from the security problems and general bugginess of both Intel and AMD.

          The simple fact is, the ME just got done being put under the microscope in 2017, and it was found to be Swiss cheese. It wasn't even looked into for the previous near-decade it was present on Intel platforms, and for all that time it looked impenetrable / no one cared.

          Read that last sentence again. Something can have 0 CVEs published just because none of the "good guys" bothered to try to hack it.

          Before assuming the PSP is better "just because it's AMD", wait for the PSP to eventually go under that same microscope. I'm sure at least one critical bug will be found, that's really the nature of having closed-source secret sauce "god-mode" security processors built into your chips.

          For what it's worth, I prefer civil discussion to anonymous downvotes, too!

        2. Captain Obvious

          Re: Phew!

          What has stopped me from the Ryzen which I almost bought the 16 core for $699 on sale was the fact it had issues with Hyper-V running 32-bit VMs and other Hyper-V issues such as features not supported on AMD. If they had the full support, Ryzen 1950x would certainly have been my next choice.

    2. Anonymous Coward

      Re: Phew!

      So you think the security problems in the world don't matter other than the influence of which processor you buy. So shallow. Sad!

      1. Doctor Syntax Silver badge

        Re: Phew!

        "So you think the security problems in the world don't matter other than the influence of which processor you buy"

        Focus. Tackle each issue in its own place. We've discussed other security issues in other contexts. Actually, in this context, the issue isn't so much the security issue, because like many others, it can be fixed, but the cost of fixing it.

  2. sveinskogen

    Designed on a P54c?

    Isn't it time that the Intel chip designers stop using the P54c chips Intel couldn't flog off to unsuspecting idiots?

  3. robjcamb

    Already exploited?

    I wonder if anyone at the NSA/GCHQ/<insert government surveillance agency> is pissed about this being publicly discovered.

  4. tim292stro

    So Intel ME is broken, and the VMM is broken, sounds like Intel completely forgot how to make CPUs while they enjoyed their market dominance - probably a good time to switch out to Power or take another look at AMD again IMHO.

    1. Trilkhai

      I agree... I decided just last night to start hunting a replacement for my failing Thinkpad T400 with a newer (used) laptop, and I'll definitely be giving the AMD options a more serious look than I would have otherwise.

      1. whitepines Bronze badge

        What about switching away from x86 and putting the security disasters inherent in this particular over-complicated duopoly permanently to rest?

        1. ecofeco Silver badge

          Suggestions? Sincerely.

          1. Brian Miller Silver badge

            Seriously the only suggestion is to jump to ARM. The Qualcomm 44-core will be coming out this year. As for realistic alternatives, there's only AMD and Intel. We'll have to wait and see what the real impact is, based on benchmarks.

            1. Anonymous Coward

              "Seriously the only suggestion is to jump to ARM."

              Or SPARC?

            2. JonHendry

              Somewhere at Intel some poor sod is thinking "Now is Itanium's chance to shine!"

          2. Doctor Syntax Silver badge

            "Suggestions? Sincerely."

            He's been pushing Talos. Providing they have a product in the format you need supported by the S/W you need...

            1. whitepines Bronze badge
              Linux

              @Doctor Syntax

              On the desktop and server end absolutely, but that's an awful big chip to stuff in a laptop. For laptops or small desktops I've been recommending ARM mostly, since ppc doesn't have anything decent in that space. Of course, if you run Windows you need x86, but if you run Linux you're probably mostly set to switch already.

              ARM just got a lot more competitive against a 30% slowed Intel laptop processor, that's for sure!

          3. d3vy Silver badge

            Ecofeco.

            My suggestion is wait a few months for people who are concerned about this issue to replace their CPUs with whatever Intel brings out (or AMD).

            I'm expecting the second hand market to be flooded with cheap Intel chips in the next few months. I might be able to upgrade my 2nd gen i7 for something much faster (even with the performance hit) for very few ££!

      2. collinsl

        Just get a T420 and be glad, or an X220 if you want smaller.

        Come over to /r/thinkpad and check out your options!

  5. LDS Silver badge
    Devil

    If this news came before xmas...

    ... I would have liked to see the impact on PC sales...

    I can't believe they could change how the kernel/user space communication works - and test it - in just a few weeks.

    Consumer protection agencies should really give a deep look into this.

    1. Mr Flibble

      Re: If this news came before xmas...

      It did.

      It's just that people were being fairly quiet about it all at the time, preferring to get the patches done…

      1. Anonymous Coward

        'preferring to get the patches done'

        And don't disturb a gorilla like Intel, both because FOSS software gets a lot of help from it, and commercial one is strongly tied to Intel as well....

  6. Dr Mantis Toboggan

    Intel based mobiles

    They are really going to feel the heat with a 30% hit.

    How about Microsoft Surface garbage with Intel chipsets, their shite performance is now really gonna suck.

  7. Anonymous Coward

    Impact on virtualized systems?

    Let's say that I am already running workloads on a virtualized x86, say in EC2 or GCE. Doesn't that make me immune to a first approximation because I'm not really running on "true Intel"?

    I say "first order approximation" because under the covers my cloud hoster is. So I am exposed insofar as say Amazon's servers could be compromised and then they could come for me.

    I'm trying to work out which parts of this are a cluster and an opportunity at the same time for AWS and friends.

  8. This post has been deleted by its author

    1. Dan 55 Silver badge

      Re: let's see how this turns out.

      Well Bloomberg and The Grauniad have had a go, both citing The Reg.

      Murdoch also had a go, citing their own special expert who got everything arse about face while he handwaved some technobabble claiming all vendors are bad as each other (well, the other vendor is AMD and their CPUs don't have this problem).

  9. lolwhat

    So, about that being able to access kernel memory bit...

    Does that mean that any VM running on an Intel-based machine with this vuln, could access the memory space of any other VM? What does that do for, oh, EC2, or Azure, or Digital Ocean, or...

  10. Destroy All Monsters Silver badge
    Thumb Up

    Holy Shit

    Literally an Outside Context Problem.

    With the UFOs.

  11. Destroy All Monsters Silver badge
    Headmaster

    A pretty good writeup I think

    Except for this part:

    "Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job."

    Not a good way to think about this IMHO.

    The way to think about this is that the CPU is in charge, but gets dragged along by the code (alternatively, there is a token being handed down the instruction path) (alternatively, the CPU plays "parser" of the code, leaving a foliation of the changing memory state along the time dimension). The switches between protection rings just follow a small finite state machine, where the transitions occur on kernel call, interrupt or return-from-kernel.

    1. diodesign (Written by Reg staff) Silver badge

      Re: A pretty good writeup I think

      I think we're both right - but I disagree that the CPU is in charge. The CPU isn't in charge of anything, it's just obeying code. Who is in charge - the horse or the person riding the horse? ;)

      C.

      1. Destroy All Monsters Silver badge

        Re: A pretty good writeup I think

        That's why "it's being dragged along".

        But yes. Same as with parser. If you parse text from the Internet, it's the text from the Internet that's in charge, not your parser...

      2. Rob Daglish

        Re: A pretty good writeup I think

        Some of the horses I've ridden, definitely the horse...

  12. Anonymous Coward

    If true then this is a monumental cock up. 30% performance hit is huge and costly - I can't see corporate customers walking away from this without demanding compensation or new chips. If you sold a car to someone and its performance was 30% less than advertised you wouldn't get away with it, and at least in the EU there is little protection for Intel. This is essentially a manufacturing defect within the limitation period of EU law.

  13. Unicornpiss Silver badge
    Meh

    F00F

    I think I'll keep buying AMD for a bit longer... and possibly avoiding any kernel updates for a bit too.

    1. Dan 55 Silver badge

      Re: F00F

      An if has been committed which disables the changes for AMD.

  14. Doctor Syntax Silver badge

    Apart from the hit on performance what's the likely effect on power consumption and hence battery life and heat generation? Clearly the CPU is going to have to do more work to achieve the same result.

    1. bazza Silver badge

      It depends on what's going on in a system. If it's IO heavy, this could be quite bad (lots of interaction with the kernel). If it's compute heavy, possibly this isn't too bad. And it also depends on whose code is running. It's only a problem if you run someone else's code arbitrarily on one's computer.

      For Google this isn't too bad. The bulk of their machines are running Google's own code and dish up search results to Internet clients. For search, maps, Gmail servers Google could take the risk and ignore the patches because they're not running arbitrary code. That's a good thing because the bulk of Google's costs is energy.

      For outfits running other people's code (Amazon?) this could be bad because they're all about running other people's code for them. So they need the patches, it will slow them down. And a lot of their cost is energy, so their cost is going to rise.

      For the rest of us mere users our computers are going to be slower and therefore use more energy for the same tasks.

      The real killer is if this is exploitable in Javascript because a huge amount of what happens these days relies on users having Web browsers that are configured to accept and run Javascript from anywhere. Which all of a sudden looks hideously dangerous. That could be a massive problem for Google; if we all switch off Javascript then Google's services don't work. And nor does anyone else's.

      1. Brewster's Angle Grinder Silver badge

        This is not going to be exploitable in pure javascript. (With sufficient understanding of the VM you could control the machine code that's executed. But you can't get the VM to execute arbitrary instructions. So it's very unlikely this will be exploitable without help from a bug in the VM.)

        WASM, on the other hand, might afford you enough flexibility. It will depend on the nature of the bug.

      2. Doctor Syntax Silver badge

        "It depends on what's going on in a system."

        Firing up top in Linux shows several processes, mostly daemons, actively using CPU with nothing actually being done with the system so even in the absence of IO there's context changes taking place even if it's just a matter of waking up daemons to find that there's nothing to do. I'd guess that much the same situation applies with Windows.

  15. Ian Emery Silver badge

    Dodged the bullet

    Only Intel system in the house is my 5 y/o's decade old Xeon based system; which other than the £11 for the cpu, cost me nothing.

    I doubt if they will bring out any coding for stuff that old, and I doubt I would install it if they did.

  16. Dyson Lu

    Class Action Lawsuit Please

    If true, then the performance is pretty significant. Now, all of a sudden, many consumers end up with a product that offers much less than what they paid for. There should be a class action lawsuit seeking compensation.

    1. CrazyOldCatMan Silver badge

      Re: Class Action Lawsuit Please

      "There should be a class action lawsuit seeking compensation"

      Which will net the consumers 12 1/2p (plus two part-sucked gobstoppers) in compensation while the lawyers get to buy a nice new island each..

  17. Dig

    I don't quite get all this griping about one company or another such as this company doesn't give one hoot about security much better with this.

    If one thing that can be learned from various security warnings over the years is that everyone suffers from them, in some cases they can be patched without issue in others (which is unfortunately the case here) the patch causes a performance hit.

    For those crowing about AMD here was a security issue on their Opteron

    https://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/

    Luckily for them it could be fixed with a microcode update.

    A lot of big American companies are risk averse due to the large fines that can be imposed for negligence, however humans are involved in all parts of the process so mistakes can, will and are made.

    Lessons will be learned but unfortunately another issue will slip through.

    1. Giles Jones Gold badge

      But as you pointed out, it could be fixed in the CPU. That's not the case with this Intel fix and changing every x86 OS in the world isn't a great fix.

  18. Queeg

    Haven't done a full read through so don't know if this has been raised...

    Apple are facing class action suits for slowing their CPUs because of old batteries.

    Other than not telling Apploids what they were doing I see no huge problem with that.

    I wonder when the first CA is going to hit Intel.

    I've been using AMD CPUs since the K series in the late 90s damn I feel old now

    Smug but old :)
