back to article Intel adopts Orwellian irony with call for fast Meltdown-Spectre action after slow patch delivery

Intel's offered the world some helpful advice about how to handle the Meltdown and Spectre chip design flaws it foisted on the world. "I can't emphasize enough how critical it is for everyone to always keep their systems up-to-date," wrote Navin Shenoy, executive veep and general manager of Intel's data centre group, bemoaning …

  1. Sgt_Oddball Silver badge
    Holmes

    so those of us..

    Still using aged CPU's are still buggered then? (I'm thinking Sandy bridge here... for personal reasons) is this the punishment for owning old bit perfectly capable kit?

    1. Anonymous Coward
      Anonymous Coward

      Re: so those of us..

      Looks like it... Ivy Bridge here and the performance impact was noticable on modern games and boot up it seemed. I've turned off the mitigaion, does that make me a bad person?

      1. Anonymous Coward
        Anonymous Coward

        Re: so those of us..

        I've just unplugged the processor, much easier and yes it's really slow, it hasn't even booted up yet.

    2. Archtech Silver badge

      Re: so those of us..

      Yes indeed. One way of looking at this whole Meltdown/Spectre episode is as a spectacularly successful sales campaign.

      "Won't buy new PCs, won't they? Well, we'll see about that..." (As several billion orders come in).

      1. Anonymous Coward
        Anonymous Coward

        Re: so those of us..

        > Yes indeed. One way of looking at this whole Meltdown/Spectre episode is as a spectacularly successful sales campaign.

        For AMD yes. Not sure anyone forced to upgrade from older Intel gear by this bullshit is going to reward Intel for it.

        Obviously, some will... but not expecting many.

        1. ThatOne Silver badge
          Unhappy

          Re: so those of us..

          > Not sure anyone forced to upgrade from older Intel gear by this bullshit is going to reward Intel for it.

          Of course they will. I'm not saying AMD is bad, they're pretty good actually, but Intel controls the corporate market, there is no wiggling around it.

          Anyway, we'll be forced to discard all our older but perfectly working computers and replace them with newer computers, which will have the exact same problems, but will get those patches the old ones will never get. That's really minimum value for maximum money.

          (And in a nice chain reaction way, this means having to also replace every piece of hardware which ran perfectly on those older computers, but which hasn't Win10 drivers. Everybody gets a piece of the Intel pie - except the end user...)

    3. bombastic bob Silver badge
      Black Helicopters

      Re: so those of us..

      "is this the punishment for owning old bit perfectly capable kit?"

      Yes, the WinTel Cartel _WILL_ force compliance on "bleeding edge Intel CPUs" and Win-10-nic

      icon, because, obvious (snark) conspiracy theory

  2. Anonymous Coward
    Anonymous Coward

    How about delivering a working patch first

    This guy needs to be explained the concept of QA. I got a friend of mine who can do the honours (*). I can talk to her boss to lend her to Intel for a short tour. As they are an outsourcing supplier they will be happy to oblige

    (*)In addition to being a damn good QA (15+ years of QA experience and 5+ writing software before that), she has spent 10+ years in the country's top 10 on sabre and has a collection of belts (brown onwards) in more than one martial art. I would love to sell tickets when this guy has a discussion with her on releasing sh*t of the kind they shipped as Meltdown fixes. Gives a whole new meaning to the words "you are releasing this over my dead body (and I am hard to kill ya know)"

    1. Mark 85 Silver badge

      Re: How about delivering a working patch first

      Go a step further... instead of "naming" the processer, tell us what we will find on the "label". My Gateway says "Intel inside".. a quick check tells me it's an i3... How does this relate to the average person knowing WTF a Skylake is? Same for the Dells and Acers we have. I have yet to see anything that correlates what they call it and what's on the boxen.

      And then there's the problem of getting the info and patches out to Joe-Average User who hasn't a clue but knows that Winders does updates without him/her doing anything.

      Truly a fluster-cluck.

  3. adam payne Silver badge

    The effort to do so turned out to be more complicated than Intel thought, as some of its early updates made the silicon unstable. So unstable, in fact, that Intel recommended rollback as the best option

    It always is more complicated to fix things.

    If you can't fix it does everybody get a free CPU upgrade?

    1. Anonymous Coward
      Anonymous Coward

      > If you can't fix it does everybody get a free CPU upgrade?

      No, because they don't have any CPUs without the bug to issue as replacements (*)

      (*) Unless you are suggesting that they "upgrade" people from Xeon to Celeron.

      I suppose they *could* upgrade everyone to the corresponding AMD parts, in the same way that an airline may have to book you a seat on a competing airline if it can't get you home. Unfortunately it would involve replacing motherboards.

      1. Missing Semicolon
        Mushroom

        No replacement

        There will never be replacements - they won't be opening the lines to create "fixed" Haswells, for example.

        The only option will be the latest devices, on the latest motherboards. And you won't be getting a penny in discount from Intel for the costs of upgrading all of your gear.

        Thieves.

        1. Peter Gathercole Silver badge

          Re: No replacement

          But they could produce latest generation chips without the design flaw, and package them in the older chip packages. As most Core and Xeon processors are in sockets, it would be possible to do a one-for-one replacement, although you would either have to be happy taking the systems apart yourself, or paying someone to do it.

          They could get approximate performance by tweaking the clock multiplier and possibly disabling some cores and L0/1 cache, and I dare say they could also turn off some of the newer features (as they already do for current generation Celeron and the recently re-launched Pentium processors) so that end users did not get the benefit of those not in the older CPUs. They would have to do something with the ID info, because some mobos may struggle to configure the newer chips without a firmware upgrade.

          I think that the only thing they might have problems with was the TDP. Underclocking later generation CPUs would use less power, but I think that they should be generous enough to allow people to benefit from that.

          But it would be pretty expensive, so I have no expectation that Intel will do this.

          1. Archtech Silver badge

            Re: No replacement

            But it would cost Intel money.

            So that's a non-starter.

          2. bombastic bob Silver badge
            Unhappy

            Re: No replacement

            "As most Core and Xeon processors are in sockets, it would be possible to do a one-for-one replacement"

            last I checked, an older (replacement) 'Core Quad' costs more than Intel's faster/better "latest" quad-core CPU. Economy of scale and all of that.

            swapping out the motherboard, RAM, and CPU together might actually cost less.

            1. Peter Gathercole Silver badge

              Re: No replacement

              But packaging a Coffee Lake+ in a Socket 1150/1 package (at the volume of Core Quads produced) may be cheaper, especially if you consider a like-for-like replacement of the mobo and memory in some gaming rigs will cost a similar amount to the processor!

              Last year I did a just-behind the leading curve rebuild of one of my son's gaming rig, and the cost of the mobo and memory was easily more than the processor.

  4. Archtech Silver badge

    "I can't emphasize enough how critical it is for everyone to always keep their systems up-to-date..."

    Said Intel, having just left an immense security chasm in all its processors wide open for more than a decade.

    1. CrazyOldCatMan Silver badge

      immense security chasm in all its processors wide open

      And in their various management engines.. And in their drivers.

  5. jake Silver badge

    That's not irony.

    That's 100% Grade A Corporate Bullshit.

    1. Archtech Silver badge

      Re: That's not irony.

      But in the USA of 2018, that's what succeeds. Just as with the banks and insurance companies: profits go to the company, losses are paid for by the serfs.

  6. anonymous boring coward Silver badge

    ""I can't emphasize enough how critical it is for everyone to always keep their systems up-to-date," wrote Navin Shenoy,"

    Looks like the opposite is true.

    Accept any hastily cobbled together shit they push out in desperation, and you'll end up bricked.

    1. Teiwaz Silver badge

      ""I can't emphasize enough how critical it is for everyone to always keep their systems up-to-date," wrote Navin Shenoy,"

      "I can't emphasize enough how critical it is for everyone to always keep giving Intel money." Navin Shenoy wanted to write, but didn't think he could get away with it.

      No particular benefit to the consumer, who would still be saddled with Meltdown-Spectre, only on the latest faulty Intel kit rather than slightly older faulty Intel kit.

      Well, they could do with a bigger tide-over while they sort out some over-priced offering that is bug-free free of PR disaster-level revealed flaws.

  7. alain williams Silver badge

    Open Source their microcode

    Given how seriously Shenoy suggests Intel takes this issue I have to assume that they set to work to try and produce a microcode patch as soon as they learned of the problem 8 months ago (or was that 2 years ago?).

    In all that time they have not succeeded; so maybe they could do with some help. How about releasing the microcode and then we could all try to help.

    1. Jim Mitchell

      Re: Open Source their microcode

      Having the microcode isn't going to help without also releasing in-depth knowledge of the processor's internal design.

    2. Archtech Silver badge

      Re: Open Source their microcode

      "... as soon as they learned of the problem 8 months ago (or was that 2 years ago?)"

      I think you could take the date when the CEO sold his stock as a rough guide. Give or take about 30 seconds.

  8. Wolfclaw

    PC-and-server-makers, not Intel, will be the source of the fixes .. so basically anything that a manufacturer is not currently making cash from will be left vulnerable, just like the mobile market. Manufacturers should be forced to supply patches for any CPU made in the last 10 years and Intel/AMD/Apple/Arm/xxx should pick up the costs.

    1. Anonymous Coward
      Anonymous Coward

      I'd guess you could argue that it is not fit for purpose, would be interesting to see the EU take action on this.

      1. Archtech Silver badge

        Visual aids?

        Certainly not fit for any purpose except giving demonstrations on how to create gaping security holes.

  9. Anonymous Coward
    Anonymous Coward

    Presumably if you don't have a hardware support contract with said manufacturer you won't be able to get the fix? HP for instance stopped supplying bios/firmware upgrades unless you have a support contract a few years ago.

  10. mark l 2 Silver badge

    If the HP, Dell etc refused to provide the patch because your 'outside of warranty' you could return it under the sale of goods act to the place you originally purchased it as not fit for purpose, for up to 6 years in the EU i believe. I am sure if enough PCs got returned this way the PC sellers would put pressure on the manufactures to resolve the issue or they will stop selling their gear with Intel inside in favour of AMD or Arm systems.

  11. Anonymous Coward
    Anonymous Coward

    I don't fully understand the document

    So, for Skylake, we should stop deploying microcode version C2, while continuing to use microcode version C2?

  12. ma1010 Silver badge
    Flame

    What about homebrew computers?

    The post also points out that PC-and-server-makers, not Intel, will be the source of the fixes.

    I call bullshit on this (well, as others have pointed out, on the whole thing, really). How are people who bought the parts and built their own computers going to get these "fixes"? I bought the motherboard, CPU and other bits from a parts supplier and built my own computer. Hey, Intel, which "PC-and-server-maker" should I contact for my microcode update?

    1. donk1

      Re: What about homebrew computers?

      Hi Intel,

      I am CEO of a company which is about to become a "PC/server maker", how will we get the fixes?

      David Williams

      CEO

      Blue Rose Quantum Consulting

    2. Simon 15

      Re: What about homebrew computers?

      Yourself, as you are the 'manufacturer'... I would expect that you should be able to download a BIOS update for your motherboard (when/if available) which will contain the relevant microcode to patch the processor. If you are using Linux then you can also update the microcode manually if you so wish, this link describes the process (https://sites.google.com/site/easylinuxtipsproject/microcode) there are ways to do the same thing on Windows too.

    3. Patched Out

      Re: What about homebrew computers?

      Maybe the motherboard manufacturer will have a BIOS update that you can download. Check your motherboard manufacturer's support page.

      I also have a homebrew PC with a 4 year old ASUS AMD motherboard. Since the motherboard was still be sold by ASUS a year ago, I'm hoping to see a BIOS update come out for SPECTRE, but I'm not going to hold my breath.

      1. Smoking Man

        Re: What about homebrew computers?

        Just last week I did a Bios upgrade to a almost brand new system, ASUS Z370 MB with Intel I7 8700K CPU.

        The new firmware brought the performance down to about 16% of the level achieved with the previous version. Yes, not _by_ 16% but _to_ 16%. (*)

        So there's room for improvement.

        Yes, I indeed switched back to the previous firmware. Shame on me.

        (*) = Measured under Win10 Pro with Cinebench v15.

    4. Archtech Silver badge

      Re: What about homebrew computers?

      I believe that Intel's official line on that is,

      "Screw you - we got ours".

  13. nick soph

    We just need to wait for the exploits. Once we have a few million PC's pwned by the baddies, action will be taken: until then Intel is solvent.

    1. Simon 15

      Yes, this is definitely a massive f**k-up by processor manufacturers and although Intel is by far worse affected let's not forget that AMD, Arm and pretty much any modern CPU that uses preemptive/speculative execution are vulnerable too.. If you were paranoid you might even speculate that such a 'feature' was added deliberately.

      Although news of the problem did make it to the mainstream media, this was a few weeks ago and probably wont be mentioned ever again. I'd say 95% of computer users are still completely oblivious to the issue and wont make the connection even when they do get pwned. Intel will get away Scot-free as per usual.

  14. PyLETS
    Linux

    Open source hardware needed ?

    Personally I think patching existing systems is likely to have to involve using software to increase timing entropy resulting in the blocking of these side channels where the software access control context calls for it. So processes already running sandboxed from each other or owned by different users shouldn't be able to read each other's memory and will run slower as a consequence.

    This is just a patch. If the deeper problem exposed is that proprietary hardware can't be trusted anymore due to it's combination of obscurity and complexity, then open source hardware might offer a solution for users and applications where security really matters enough, initially to be willing to pay more for hardware offering the same raw performance, until scale economics enable this approach to compete against established hardware designs. The RISC-V open source hardware project seems to be making useful progress .

    1. whitepines Silver badge
      Happy

      Re: Open source hardware needed ?

      Or for those not wanting to go back to 1980s computing power, you can get POWER9 with completely open firmware and neat stuff like the latest PCIe (useful for AMD's ROCm effort)...

      1. J. Cook Silver badge

        Re: Open source hardware needed ?

        ... And have you *seen* how much the Power9 kit is?

  15. Digitall

    Solutions on GitHub?

    If apple proprietory code can make it on GitHub, what's to stop intel microcode from being there too?

    1. whitepines Silver badge
      Devil

      Re: Solutions on GitHub?

      Having the code to either one won't help unless you also have the correct signing keys. Sort of a "what good is a telephone call when you can't speak" situation, and I don't know that would help anyone much!

  16. wownwow

    The 2/7 update is only for "several (not all) Skylake-based platforms."

    So except for the "several (not all) Skylake-based platforms," there is nothing for the other zillions after the last emergency Windows update that disables the patch for Intel!

    Seems people have been accepting quite well what has been going on with Intel, amazing!

    1. Archtech Silver badge

      Stunned silence

      I think it's more that they are stunned and hardly able to believe that a corporation they believed to be "leading edge" could be so grossly incompetent.

      Also, what action is open to them? This situation is very much like the financial crash of 2008. It's wholly due to the unbelievable negligence and incompetence of corporations - but because of their "in" with government they will not suffer any consequences, and may indeed gain.

  17. wownwow

    People asked for having a $10 faulty product replaced but haven't been asking for having Intel's expensive faulty products (without stable, working patches) replaced, just amazing!

  18. Claptrap314 Silver badge

    This is much harder than it looks...

    I am a mathematician, and I spent 10 years at AMD & IBM doing microprocessor validation from 1996-2006. I occasionally referred to my job as taking the smartest engineers on the planet and rubbing their noses in their mistakes like bad puppies. In fact, I have enormous respect for the individual engineers, but the culture can breed a lot of arrogance--and I have anecdotal evidence that Intel is significantly worse than IBM (which was worse than AMD).

    I am sceptical of claims that Specter-class issues (these are not "bugs") can be completely fixed in microcode without trash-can level performance penalties. Many of the core performance features (caches of one form or another) on these parts are so core to the system that they cannot be turned off. (Resulting in some hilarious initial responses to bug reports, by the way.) This means that the added microcode either has to turn off speculation, which will often be at least as expensive as an expensive task switch for each instruction executed, or flush the affected caches--which will likely be even more expensive.

    Informed speculation here--the patches are going to cover the easy to cover parts of the exploit. But the corner cases might not even be known yet. How can I say this? 1) I stopped the public announcement of a bug so I could whip up a script and search for more fails over night. I almost quadrupled the failing cases. 2) I was contacted just before a bug announcement was made for a bug I had researched. Suspecting an issue, I checked my data. The first fail I had traced out represented 50% of the failing cases--and it was not in the planned errata. 3) I was called into a need-to-know only meeting and had a failure described to me. The design team stated that they did not believe that a certain class of failure was possible. I told them that I would have the the failing case in the morning. (It took less than an hour to target the case & collect the data.)

    The only way to have complete confidence that these side channels do not exist in the design would be to have a cycle-accurate simulation of the chip, and then do formally checked proofs that they do not. And yes, that involves something that approaches proving a negative. You can prove that side channels X, Y, and Z do not exist. But proving that an out-of-order chip design has no side channels at all.... I'm not holding my breath.

  19. Claptrap314 Silver badge

    Fit for what purpose?

    I mentioned this before, but it is worth repeating. Right inside the cover of the manual for these chips is a declaration that they are not approved for use with classified material. There has always been, and will always be, a different price/security computation between sensitive government use and general public use.

    I am no Intel fan. And yes, they appear to have forgotten whatever they learned from the Pentium bug fiasco. But if you want a level of security assurance that governments demand for their classified work, you have no business running a consumer application on a consumer OS in a consumer enclosure holding a consumer hard drive, motherboard, and processor. (All delivered via a consumer shipping service and hooked up to the Internet.)

    Certainly, we want best available of everything. And we want it now. For free. But we make tradeoffs.

    Yes, questions were asked twenty years ago about side channels with speculative and out of order execution. But no one could figure out how to do it (that we know of). For almost twenty years. That's longer than the expected lifespan of an encryption scheme by a substantial margin. In the meantime, we all benefited from speculative execution. A lot.

    Yes, the embargo was at best handled poorly. And anyone who bought on of these products after the stock sale and before the matter came to light might have a good case that bad product was being foisted off on them. But from the initial internal light to before the sale, it is murkier. Before the initial report? Human beings err. A lot.

    1. mbiggs

      Re: Fit for what purpose?

      So......a computer company doesn't have simulation capabilities to model their own products????

      *

      Or perhaps they DO have the appropriate simulation capabilities....and didn't bother because as a monopolist, they don't really give a toss about quality.

      1. CrazyOldCatMan Silver badge

        Re: Fit for what purpose?

        So......a computer company doesn't have simulation capabilities to model their own products?

        I suspect that the truth is closer to "no-one at Intel ever considered that something like this could be a security vulnerability".

        Which (to me) indicates a profound lack of *design* QA (not production QA - that looks at very different things) - design QA being "what are the things that can go wrong with this high-level design and how can someone abuse/break it"?

        Intel, having the vast resources that it has, should be able to afford a set of interdisciplinary teams to look at new designs. But instead, all they seem to do is check whether the final result works according to the designs and not whether the designs are flawed to begin with.

        1. Claptrap314 Silver badge

          Re: Fit for what purpose?

          It's a bit more even than this. First of all, you might be surprised to know that cycle-accurate simulations were in fact not intended to be created on multiple projects that I was a part of. In each case, validation requirement eventually prevailed, but in one case, it actually took years.

          Second, and this is critical, the set of people that are actually capable of attacking this problem (Spectre-class vulnerabilities) is vanishing small. This is not a problem of design or engineering. This is basically a problem of proving a negative. You need a mathematician's training in just what a proof is combined with a deep understanding of computer function, architecture, and design. Formally defining the statement "speculative execution of instructions does not affect the microarchitectural state of the processor" is actually not that hard to do. But the statement is too strong--there ARE microarchitectural state changes that will not lead to vulnerabilities--and you want to allow those. Once you get past that, you can start on your proof. Have fun.

          A nationstate has the resources, and the priorities, to do such a thing. That a consumer-facing company might not go there should not be disappointing. The real issue is--where do we go from here? Now that this is in the open, consumer protection does require that this be cleaned up. But the cost is going to be high. I am not at all surprised by the comment here that a benchmark test showed a 6x performance drop.

          1. RandSec

            Re: Fit for what purpose?

            I think this IS a problem of design: It demonstrates that our current concepts of design do not work at the complexity levels we want to use. This idea of "proving a negative" is the statement that the system is too big to traverse, as most are. But little systems and scalable systems can be investigated very strongly.

            It may not be practical, but it would be heartening to see a build based on small modules which can be exhaustively tested to do exactly what they should and nothing else. When we get into systems with massive state, we need designs we can scale down and test. Yes, that is not the same, but it is close.

            The problem is whether such tested systems can be built in hardware. We know they can be built, to some extent, in software, although very rarely are, presumably because that is not a goal, and is not taught. In this case testing might have caught a hint of the problem, only to be dismissed so the business could benefit. That benefit is what society needs to take back.

            1. Claptrap314 Silver badge

              Re: Fit for what purpose?

              The business benefited because society benefited. All of those cheap cycles have added up--a lot.

              The "small, composable modules" idea has been around a long time. The problem is emergent complexity. For instance, we've solved the general two-body problem. Why can't we solve the general three-body problem?

              I really did spend a decade being paid to find bugs in designs. This class of vulnerability is going to be really, really hard to stamp out at speed.

  20. Chairman of the Bored Silver badge

    Don't know what all y'all complaining about...

    ...I actually liked Shenoy's comments so much that I printed them out.

    You see, there is a lot of bullshit in the world. So much that one can drown. But the bullshit that threatens us is always contaminated to a greater or lesser degree by "reality" and "common sense".

    This particular Intel bullshit, in contrast, is absolutely pure and unadulterated. It's a work of art. From a genuine bullshit artist. Show some respect!

  21. peterw52

    Who will distribute any code

    I have a 5 year old Dell which they seem determined to ignore and isn't in their list of potential changes, so I asked Which, as our consumer champion, what they thought abut the whole affair. As part of their reply they said any patches from Intel would come via MS updates?!

  22. wownwow

    The 2/7 update is only for "several (not all) Skylake-based platforms."

    So there is nothing for the rest of zillions after the last emergency Windows update that disables the patch for Intel!

    Amazing, the company can keeps launching new chips without "known-stable" working patches, and people keeps buying chips without "known-stable" working patches, just so amazing!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019