Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug. Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes …

Silver badge

Re: no news

But really, for the tasks the average user puts their laptops to, they won't notice a performance hit. They might notice a battery hit, but many CPUs are faster than their user's needs. The enthusiasts (gamers etc) and professionals may notice, and they are the types more likely to read tech blogs.

4
0
Silver badge

Re: no news

and professionals may notice

And *all* the big cloud providers will now need to buy 25-30% more hardware to meet the expected capacity plan. I don't imagine that Google/Amazon/Microsoft are going to be too chuffed with Intel right now. And since they (with Apple/Twitter/Facebook et al.) are probably the biggest buyers with the most clout, their voice is going to count.

If they all switch to buying AMD (assuming AMD has the capacity to build that many processors) or re-tool for ARM then Intel sales are going to nosedive.

3
0
Gold badge

Re: no news

21 hours after you posted that, I can report that it is on the front page of the BBC news website and at least one major UK newspaper. Yes, that surprises me, too, but perhaps it is just too good a *story* to pass over and, after all, even normal people use computers these days.

3
0

Re: no news

https://www.reuters.com/article/us-cyber-intel/intel-working-to-fix-security-flaw-in-its-chips-without-slowing-computers-idUSKBN1ES1BO

0
1
Silver badge
Happy

Phew!

Fortunately, last November I'd already decided my next computer would be an AMD Ryzen. It's being built this month.

15
3
Big Brother

Re: Phew!

Don't finish that sigh of relief. Your new Ryzen box is under the permanent control of anyone with AMD's signing keys via the PSP. Think remote network access below the hypervisor, in a critical processor inside your processor, just waiting to be exploited.

Scared yet?

4
19

Re: Phew!

@whitepines

You mean like Intel's Management Engine? I'd much rather have AMD, at least they work as advertised and (as yet) aren't known to be full of security flaws like the Management Engine is. Obviously I'd rather have no 'security' processor whatsoever inside my CPU, but given the known bugs with Intel's Management Engine I'd still rather take my chances with AMD.

Ryzen is already a far better deal than Intel's offerings, especially when you factor in this latest flaw that makes Intel's chips run even slower than advertised. Intel trying to flog buggy, half-working hardware is getting beyond a joke.

25
2
Stop

Re: Phew!

@conscience

Oh, I fully agree on the ME, but AMD is just the other side of the same coin. You need to look beyond x86 to have any chance of getting away from the security problems and general bugginess of both Intel and AMD.

The simple fact is, the ME just got done being put under the microscope in 2017, and it was found to be swiss cheese. It wasn't even looked into for the previous near-decade it was present on Intel platforms, and for all that time it looked impenetrable / no one cared.

Read that last sentence again. Something can have 0 CVEs published just because none of the "good guys" bothered to try to hack it.

Before assuming the PSP is better "just because it's AMD", wait for the PSP to eventually go under that same microscope. I'm sure at least one critical bug will be found, that's really the nature of having closed-source secret sauce "god-mode" security processors built into your chips.

For what it's worth, I prefer civil discussion to anonymous downvotes, too!

15
0

Re: Phew!

What has stopped me from the Ryzen which I almost bought the 16 core for $699 on sale was the fact it had issues with Hyper-V running 32 bit VMs and other Hyper-V issues such as features not supported on AMD. If they had the full support, Ryzen 1950x would certainly have been my next choice.

2
0
Anonymous Coward

Re: Phew!

So you think the security problems in the world don't matter other than the influence of which processor you buy. So shallow. Sad!

0
6
Silver badge

Re: Phew!

"So you think the security problems in the world don't matter other than the influence of which processor you buy"

Focus. Tackle each issue in its own place. We've discussed other security issues in other contexts. Actually, in this context, the issue isn't so much the security issue, because like many others, it can be fixed, but the cost of fixing it.

2
0

Designed on a P54c?

Isn't it time that the Intel chip designers stop using the P54c chips Intel couldn't flog off to unsuspecting idiots?

8
0

Already exploited?

I wonder if anyone at the NSA/GCHQ/<insert government surveillance agency> is pissed about this being publicly discovered.

11
2

So Intel ME is broken, and the VMM is broken, sounds like Intel completely forgot how to make CPUs while they enjoyed their market dominance - probably a good time to switch out to Power or take another look at AMD again IMHO.

13
0

I agree... I decided just last night to start hunting a replacement for my failing Thinkpad T400 with a newer (used) laptop, and I'll definitely be giving the AMD options a more serious look than I would have otherwise.

7
0

What about switching away from x86 and putting the security disasters inherent in this particular over-complicated duopoly permanently to rest?

6
1
Silver badge

Suggestions? Sincerely.

1
0
Silver badge

Seriously the only suggestion is to jump to ARM. The Qualcomm 44-core will be coming out this year. As for realistic alternatives, there's only AMD and Intel. We'll have to wait and see what the real impact is, based on benchmarks.

9
0
Anonymous Coward

Seriously the only suggestion is to jump to ARM.

Or SPARC?

6
0
Silver badge

"Suggestions? Sincerely."

He's been pushing Talos. Providing they have a product in the format you need supported by the S/W you need...

3
0
Bronze badge

Just get a T420 and be glad, or an X220 if you want smaller.

Come over to /r/thinkpad and check out your options!

1
0

Somewhere at Intel some poor sod is thinking "Now is Itanium's chance to shine!"

4
0
Linux

@Doctor Syntax

On the desktop and server end absolutely, but that's an awful big chip to stuff in a laptop. For laptops or small desktops I've been recommending ARM mostly, since ppc doesn't have anything decent in that space. Of course, if you run Windows you need x86, but if you run Linux you're probably mostly set to switch already.

ARM just got a lot more competitive against a 30% slowed Intel laptop processor, that's for sure!

3
0
Silver badge

Ecofeco.

My suggestion is wait a few months for people who are concerned about this issue to replace their CPUs with whatever Intel brings out (or AMD).

I'm expecting the second hand market to be flooded with cheap Intel chips in the next few months. I might be able to upgrade my 2nd gen i7 for something much faster (even with the performance hit) for very few ££!

2
0
LDS
Silver badge
Devil

If these news came before xmas...

... I would have liked to see the impact on PC sales...

I can't believe they could change how the kernel/user space communication works - and test it - in just a few weeks.

Consumer protection agencies should really give a deep look into this.

8
1

Re: If these news came before xmas...

It did.

It's just that people were being fairly quiet about it all at the time, preferring to get the patches done…

8
0
Anonymous Coward

'preferring to get the patches done'

And don't disturb a gorilla like Intel, both because FOSS software gets a lot of help from it, and commercial one is strongly tied to Intel as well....

1
0

Intel based mobiles

They are really going to feel the heat with a 30% hit.

How about Microsoft Surface garbage with Intel chipsets, their shite performance is now really gonna suck.

11
3
Anonymous Coward

Impact on virtualized systems?

Let's say that I am already running workloads on a virtualized x86, say in EC2 or GCE. Doesn't that make me immune to a first approximation because I'm not really running on "true Intel"?

I say "first order approximation" because under the covers my cloud hoster is. So I am exposed insofar as say Amazon's servers could be compromised and then they could come for me.

I'm trying to work out which parts of this are a cluster and an opportunity at the same time for AWS and friends.

0
1

This post has been deleted by its author

Silver badge

Re: let's see how this turns out.

Well Bloomberg and The Grauniad have had a go, both citing The Reg.

Murdoch also had a go, citing their own special expert who got everything arse about face while he handwaved some technobabble claiming all vendors are bad as each other (well, the other vendor is AMD and their CPUs don't have this problem).

5
1

So, about that being able to access kernel memory bit...

Does that mean that any VM running on an Intel-based machine with this vuln, could access the memory space of any other VM? What does that do for, oh, EC2, or Azure, or Digital Ocean, or...

11
0
Silver badge
Thumb Up

Holy Shit

Literally an Outside Context Problem.

With the UFOs.

4
0
Silver badge
Headmaster

A pretty good writeup I think

Except for this part:

Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job.

Not a good way to think about this IMHO.

The way to think about this is that the CPU is in charge, but gets dragged along by the code (alternatively, there is a token being handed down the instruction path) (alternatively, the CPU plays "parser" of the code, leaving a foliation of the changing memory state along the time dimension). The switches between protection rings just follow a small finite state machine, where the transitions occur on kernel call, interrupt or return-from-kernel.

2
7
(Written by Reg staff) Silver badge

Re: A pretty good writeup I think

I think we're both right - but I disagree that the CPU is in charge. The CPU isn't in charge of anything, it's just obeying code. Who is in charge - the horse or the person riding the horse? ;)

C.

16
0
Silver badge

Re: A pretty good writeup I think

That's why "it's being dragged along".

But yes. Same as with parser. If you parse text from the Internet, it's the text from the Internet that's in charge, not your parser...

4
0

Re: A pretty good writeup I think

Some of the horses I've ridden, definitely the horse...

2
0
Anonymous Coward

If true then this is a monumental cock up. 30% performance hit is huge and costly - I can't see corporate customers walking away from this without demanding compensation or new chips. If you sold a car to someone and its performance was 30% less than advertised you wouldn't get away with it, and at least in the EU there is little protection for Intel. This is essentially a manufacturing defect within the limitation period of EU law.

12
0
Silver badge
Meh

F00F

I think I'll keep buying AMD for a bit longer... and possibly avoiding any kernel updates for a bit too.

9
0
Silver badge

Re: F00F

An if has been committed which disables the changes for AMD.

9
0
Silver badge

Apart from the hit on performance what's the likely effect on power consumption and hence battery life and heat generation? Clearly the CPU is going to have to do more work to achieve the same result.

11
0
Silver badge

It depends on what's going on in a system. If it's IO heavy, this could be quite bad (lots of interaction with the kernel). If it's compute heavy, possibly this isn't too bad. And it also depends on whose code is running. It's only a problem if you run someone else's code arbitrarily on one's computer.

For Google this isn't too bad. The bulk of their machines are running Google's own code and dish up search results to Internet clients. For search, maps, Gmail servers Google could take the risk and ignore the patches because they're not running arbitrary code. That's a good thing because the bulk of Google's costs is energy.

For outfits running other people's code (Amazon?) this could be bad because they're all about running other people's code for them. So they need the patches, it will slow them down. And a lot of their cost is energy, so their cost is going to rise.

For the rest of us mere users our computers are going to be slower and therefore use more energy for the same tasks.

The real killer is if this is exploitable in Javascript because a huge amount of what happens these days relies on users having Web browsers that are configured to accept and run Javascript from anywhere. Which all of a sudden looks hideously dangerous. That could be a massive problem for Google; if we all switch off Javascript then Google's services don't work. And nor does anyone else's.

5
2
Silver badge

This is not going to be exploitable in pure javascript. (With sufficient understanding of the VM you could control the machine code that's executed. But you can't get the VM to execute arbitrary instructions. So it's very unlikely this will be exploitable without help from a bug in the VM.)

WASM, on the other hand, might afford you enough flexibility. It will depend on the nature of the bug.

1
0
Silver badge

"It depends on what's going on in a system."

Firing up top in Linux shows several processes, mostly daemons, actively using CPU with nothing actually being done with the system so even in the absence of IO there's context changes taking place even if it's just a matter of waking up daemons to find that there's nothing to do. I'd guess that much the same situation applies with Windows.

3
0
Silver badge

Dodged the bullet

Only Intel system in the house is my 5 y/o's decade old Xeon based system; which other than the £11 for the cpu, cost me nothing.

I doubt if they will bring out any coding for stuff that old, and I doubt I would install it if they did.

3
0

Class Action Lawsuit Please

If true, then the performance is pretty significant. Now, all of a sudden, many consumers end up with a product that offers much less than what they paid for. There should be a class action lawsuit seeking compensation.

8
0
Silver badge

Re: Class Action Lawsuit Please

There should be a class action lawsuit seeking compensation

Which will net the consumers 12 1/2p (plus two part-sucked gobstoppers) in compensation while the lawyers get to buy a nice new island each..

7
0
Dig

I don't quite get all this griping about one company or another such as this company doesn't give one hoot about security much better with this.

If one thing can be learned from various security warnings over the years, it is that everyone suffers from them; in some cases they can be patched without issue, in others (which is unfortunately the case here) the patch causes a performance hit.

For those crowing about AMD here was a security issue on their Opteron

https://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/

Luckily for them it could be fixed with a microcode update.

A lot of big American companies are risk averse due to the large fines that can be imposed for negligence, however humans are involved in all parts of the process so mistakes can, will and are made.

Lessons will be learned but unfortunately another issue will slip through.

4
11
Gold badge

But as you pointed out, it could be fixed in the CPU. That's not the case with this Intel fix and changing every x86 OS in the world isn't a great fix.

10
0

Haven't done a full read through so don't know if this has been raised...

Apple are facing class action suits for slowing their CPUs because of old batteries.

Other than not telling Apploids what they were doing I see no huge problem with that.

I wonder when the first CA is going to hit Intel.

I've been using AMD CPUs since the K series in the late 90s, damn I feel old now

Smug but old :)

13
0


Biting the hand that feeds IT © 1998–2018