back to article Buffer the Intel flayer: Chipzilla, Microsoft, Linux world, etc emit fixes for yet more data-leaking processor flaws

Intel on Tuesday plans to release a set of processor microcode fixes, in conjunction with operating system and hypervisor patches from vendors like Microsoft and those distributing Linux and BSD code, to address a novel set of side-channel attacks that allow microarchitecture data sampling (MDS). These side-channel holes can …

  1. Sgt_Oddball Silver badge
    Coat

    Nice explanation but....

    Anyone else mindly annoyed by the stock photo having an Intel chip over an AMD motherboard (probably AM2 considering the colour of the socket)?

    Anyone?

    No? I'll get my coat

    1. Blazde

      Re: Nice explanation but....

      Beats using it an Arm article: (28th Jan) https://www.theregister.co.uk/Tag/arm

    2. Deckard_C

      Re: Nice explanation but....

      The intel chip is a socket 775 so not affected. Since production ceased 2011 and others sources say these new flaws affect intel CPUs from 2011 onwards. Like you mention the motherboard is for AMD CPUs so also not affected.

      Mindly annoying?

    3. Jamie Jones Silver badge
      Flame

      Re: Nice explanation but....

      I'm more annoyed that they feel the need to preface an article about CPU's with stock images of a CPU.

      It's annoying when an article about an angry customer has a stock image of a person being angry, or an article about a train gaffe has a generic stock picture of a train.

      Then it becomes annoying when an article about someone doing something dodgy contains a picture of said dodgy person, yet we have to assume it's just taken from the "generic dodgy looking bloke" section.

      Seriously, photos should be *specifically* related to a story, not just a photo of "something like it".

      It's everywhere, and drives me potty, but not as potty as every new version of android becoming more and more dumbed down to appear like a crappy iphone, or website replacing detailed sections with blank space AND LARGER FONTS TO FILL IT. (looking at you, paypal)

      FFS

      1. heyrick Silver badge

        Re: Nice explanation but....

        "It's everywhere, and drives me potty"

        +1 billion

        You'd think they'd think we'd know what a processor looks like...

        1. Jamie Jones Silver badge

          Re: Nice explanation but....

          Of course, Tina Turner warned us about this in 1985, but did we listen? https://www.youtube.com/watch?v=NVPq-_t-ANwM

    4. Anonymous Coward
      Anonymous Coward

      Re: Nice explanation but....

      >Anyone else mindly annoyed by the stock photo having an Intel chip over an AMD motherboard (probably AM2 considering the colour of the socket)?

      Since when has art been bothered by scientific accuracy ?

      1. Roj Blake Silver badge

        Re: Since when has art been bothered by scientific accuracy?

        Since the days of Leonardo da Vinci?

    5. S4qFBxkFFg

      Re: Nice explanation but....

      These sorts of graphics can always be worse:

      https://gfycat.com/graciousactivecoral-techsupportgore-shittybuildapc-blender

    6. Anonymous Coward
      Anonymous Coward

      Getting even more pissed with Intel !!!

      Anyone else mildly annoyed by the fact that the only 'fix' for the latest 'issue' that works is to not use Hyperthreading !!!

      I personally have perfectly good 'older' kit that worked fine for running Vsphere etc etc at home for testing and general 'Playing about' :)

      Now the official VMware tack is disable Hyperthreading and you *might* need to benchmark your workload to see *if* it is still able to perform as originally spec'd !!!

      Intel have effectively said "Ooops these processors are not fit for purpose *but* don't worry as you can always buy more kit that will support your workload .... thank you for your custom :)"

      When funds allow AMD here I come !!! :(

  2. Pirate Dave
    Pirate

    Ya gotta think...

    that at some point our fire-breathing computers are going to fall back to 25 MHz 80386 performance levels because of the cumulative "small performance hit" from all the hacks and microcode patches and kernel kludges piled on top of each other to prevent Spectre-like flaws.

    1. _LC_ Bronze badge
      Angel

      Re: Ya gotta think...

      Don't worry. Intel keeps benchmarking with mitigations DISABLED.

      1. Korev Silver badge

        Re: Ya gotta think...

        I've seen Intel benchmarks that are much more honest, we are under NDA though...

  3. Christian Berger Silver badge

    Well the lesson is simple

    Don't run foreign code on your CPU, abolish Javascript and AppStores. Always keep code and data separate. Code is something you only want to run from your trusted sources (e.g. Distribution) while Data can be exchanged freely.

    1. Teiwaz Silver badge
      Coat

      Re: Well the lesson is simple

      while Data can be exchanged freely.

      Data is often exchanged freely.

      (well, I say exchanged, it usually means left on an unsecured AWS bucket).

      Now I come to think of it, it sounds like one of those espionage package drop-offs. (sshhh, It is I, Le'Clair).

      1. DCFusor Silver badge

        Re: Well the lesson is simple

        Except some smart arse at MS or was that Adobe came up with things like OLE, Flash, PDF, ActiveX,

        COM and so on - data with code inside and the means to execute said code.

        Keeping them separate has been reduced to a nice idea - served with pie in the sky.

        1. A.P. Veening

          Data with code inside

          The first to come up with that idea was Von Neumann. A computer program is just a bunch of data as well and on most systems you can use all kinds of file handling on executables, including string editing.

    2. _LC_ Bronze badge
      Headmaster

      Re: Well the lesson is simple

      I got an idea. Let's create a new system that does that. Let's call it "MS-DOS". ;-)

    3. Walter Bishop Silver badge
      Facepalm

      Re: Well the lesson is simple

      @Christian Berger: “Don't run foreign code on your CPU, abolish Javascript and AppStores. Always keep code and data separate. Code is something you only want to run from your trusted sources (e.g. Distribution) while Data can be exchanged freely.”

      The trouble is that most/all current apps rely in someway on running someone elses code/scripts on your computer.

      1. Teiwaz Silver badge

        Re: Well the lesson is simple

        @Christian Berger: “Don't run foreign code on your CPU, abolish Javascript and AppStores. Always keep code and data separate. Code is something you only want to run from your trusted sources (e.g. Distribution) while Data can be exchanged freely.”

        The trouble is that most/all current apps rely in someway on running someone elses code/scripts on your computer.

        And 'exchanging' your data freely (whether you want it shared or not, seemingly).

    4. Claptrap314 Bronze badge

      Re: Well the lesson is simple

      The only securable application is some sort of a walled garden. And that presumes that the inputs can be trusted...

      Otherwise, get used to the performance cost of security.

  4. elvisimprsntr

    At this point I have lost all hope the vulnerability discovery cadence will not slow down enough for Intel to ever fab new silicon.

    1. Korev Silver badge
      Joke

      It shouldn't be a problem, they can just use their 10nm process

  5. ecofeco Silver badge

    The fun never stops

    See title.

    *sigh*

  6. J J Carter Silver badge
    Boffin

    All your L1 cache as belong to us

    The NSA could have continued exploiting this if it weren't for those pesky kids!

    1. _LC_ Bronze badge
      Holmes

      Re: All your L1 cache as belong to us

      They don't need to. They get an extra CPU from Intel. It can access everything, while you can't access it: https://itsfoss.com/fact-intel-minix-case/

      "The Truth About the Intel’s Hidden Minix OS and Security Concerns

      ...

      Built into many Intel® Chipset–based platforms is a small, low-power computer subsystem called the Intel® Management Engine (Intel® ME).

      ...

      Simply said, that means Intel ME adds another processor on the motherboard to manage the other sub-systems. As a matter of fact, it is more than just a microprocessor: it’s a microcontroller with its own processor, memory, and I/O. Really just like if it was a small computer inside your computer.

      ...

      By design, Intel ME has access to the other sub-systems of the motherboard. Including the RAM, network devices, and cryptographic engine. And that as long as the motherboard is powered. In addition, it can directly access the network interface using a dedicated link for out-of-band communication, thus even if you monitor traffic with a tool like Wireshark or tcpdump you might not necessarily see the data packet sent by Intel ME."

      1. DCFusor Silver badge

        Re: All your L1 cache as belong to us

        Oh, it gets worse than that, believe me. At any rate, running wireshark or whatever on the same machine is like hoping built-in-test-equipment doesn't BITE. Or that it's safe to let Boeing certify that their software to cover for a bad aerodynamic mod is "safe".

        Use another machine for that...

        There are levels below the management engine, fwiw. Chris Domas found a way to get down to ring

        - (minus!) 2. Yep, that's more than root...and you can persist there, so even the engine can't find you or change your stuff....

        See some of the talks in this youtube search:

        https://www.youtube.com/results?search_query=god+mode+domas

        And people say middlin-average skill attacks must be state sponsored, when we see guys like this, or bunny and xobs doing this level of stuff on their own free time. It takes brains, which often are a significant missing ingredient in "the state".

  7. Mephistro Silver badge
    Unhappy

    Given that...

    ... a majority of PC makers aren't patching four years old machines, and most home/SOHO systems aren't being patched, full stop, where does that leave the owners of, e.g. 8 years old systems?

    Yep. In the shit.

    1. BinkyTheMagicPaperclip Silver badge

      Re: Given that...

      Not so much. Practically all current commercial and free OS are bundling/downloading microcode updates, so if there's no updated BIOS from your manufacturer your machine is still protected.

      1. Mephistro Silver badge

        Re: Given that...

        It was my understanding that for the OSs to support updating the microcode in a given computer model, they usually need the help and feedback from the computer maker, at least regarding the motherboard* and the BIOS**, and I read in these same forums a year or so ago that many manufacturers weren't providing that help. Am I in the wrong here?

        *note: Including motherboards personalized to the specifications of the computer manufacturer.

        **note: Ditto regarding BIOSs and its updates.

        1. BinkyTheMagicPaperclip Silver badge

          Re: Given that...

          Microcode is specific to the CPU, it doesn't affect the motherboard. If the Microcode is added to the BIOS it is installed immediately on system startup, whilst if it's included in an OS the OS needs to start booting before the microcode may be installed.

          This isn't anything particularly new, and OS already upload manufacturer firmware blobs into devices (network cards, graphic cards, etc) in order to make them operate, even with free OS (the drivers may be both cost free and open source, but the firmware often remains closed.)

          1. STOP_FORTH

            Re: Given that...

            This is all news to me. I hadn't realised that microcode could be user upgraded on modern CPUs. I thought that stopped happening when microprocessors were introduced.

            You live and learn!

            1. BinkyTheMagicPaperclip Silver badge

              Re: Given that...

              It stopped until the pentium pro came out in the 90s, and has been present ever since. They probably got burnt by the FDIV scandal and wanted a way to work around it.

              'user upgraded' is overstating it, 'user installable' is more accurate. Yes there are microcode updates available, but this depends on intel making them available, there is no documentation or ability to construct your own microcode.

              If you have a Sandy Bridge CPU (~2011) onwards you'll probably be patched. For anything else you'll probably be out of luck.

              1. STOP_FORTH
                Pint

                Re: Given that...

                So I was right, but now I'm wrong?

                Thank you, have a beer.

    2. BinkyTheMagicPaperclip Silver badge

      Re: Given that...

      I should also point out it depends on your system, the Intel document is here :

      https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

      So pretty much anything prior to Sandy Bridge (which is seven years old or more now) is omitted. My E5-2690 v1 Xeons are on the 'patch sometime' list. Maybe this is a nudge to go to Ivy Bridge, which has already been patched..

      Most of my other systems are earlier than Sandy Bridge (mostly pre Nehalem Core2) so won't be fixed.

  8. Anonymous Coward
    Anonymous Coward

    Of course Intel wll disagree about disabling Hyper Threading, they are vulnerable to a class action suit by all those I7 owners that have just become converted to cheaper I5s

    1. TechnicalBen Silver badge

      Jokes on them.

      I only ever purchased i5s.

      1. Captain Scarlet Silver badge
        Coat

        Re: Jokes on them.

        Core i5's on lappies use HT :(

    2. Mandoscottie

      except pretty much all i5s also have Ht so i7s become i5s and i5 owners have i3s? :)

  9. Anonymous Coward
    Anonymous Coward

    Where are the benchmarks?

    When the Spectre and Meltdown patches were released, some benchmarks showed up looking at the performance implications - and they were annoyingly vague.

    But this is now the 4th - at least? - set of patches and I am unable to find benchmarks showing the cumulative effect of unpatched performance vs fully patched performance.

    Also, as a dev, I hate gaming benchmarks because I don't game. I much prefer the antiquated benchmarks testing thing like compile time.

    1. Leigh Brown

      Re: Where are the benchmarks?

      Phoronix has done a lot of benchmarks on this topic which you may find informative. Not all on Intel architectures either:

      https://www.phoronix.com/scan.php?page=search&q=Spectre

      1. Anonymous Coward
        Anonymous Coward

        Re: Where are the benchmarks?

        Thanks!

        I remembered Phoronix's original benchmarking. I wonder why I didn't stumble across their updated ones.

  10. mark l 2 Silver badge

    "Intel disagrees about the need to disable hyperthreading, and says it plans to add additional hardware defenses to address these vulnerabilities into future processors."

    Well it took about a year for Intel to add hardware fixes for the first round of meltdown and spectre flaws, so expect that a similar amount of time before they get around to new hardware which is immune to this MDS vulnerability.

  11. Will Godfrey Silver badge
    FAIL

    Patches on patches

    This never works out. If you get to that state the only realistic answer is a complete redesign, otherwise what was just, maybe, a bit hacky becomes a total pile of shit. Just ask any experienced software developer.

    1. elvisimprsntr

      Re: Patches on patches

      More bandaids on top of bandaids. At some point you have to rip off the first bandaid to clean the wound to prevent infection.

    2. A.P. Veening

      Re: Patches on patches

      Just ask any experienced software developer.

      It isn't limited to software, see the Boeing 737MAX.

    3. Mandoscottie

      Re: Patches on patches

      some "could" claim thats worked for Microsoft and plenty others in our game of IT for decades :)

  12. Unicornpiss Silver badge
    Meh

    Karma?

    Perhaps Intel is finally beginning to experience the full force of Karma for its deceptive and monopolistic business practices?

    Of course the thing about Karma is it always seems to be a day late and a dollar short. Like locking the gate after the horse has gone, lived a full life, passed on, and the farm burned down and was replaced with a strip mall years ago.

    1. A.P. Veening

      Re: Karma?

      As far as I am concerned, she is a lovely bitch ;)

  13. Dr Dan Holdsworth Silver badge
    Boffin

    True comparisons

    So, do we actually have any true comparisons of Intel with all the mitigations in place versus AMD with any needed mitigations versus ARM, Power and SPARC etc?

    That's the only way we're actually going to get to the bottom of all of this.

    As a die-hard Linux user, I am now leaning very heavily towards AMD CPUs and AMD graphics cards, especially seeing as how much of an unmitigated pain in the backside nVidia can be as opposed to opensource-friendly AMD...

    1. _LC_ Bronze badge
      Pirate

      Re: True comparisons

      The researchers have already published Spectre "bugs", which - according to them - cannot be mitigated fully on the Intel architecture. Therefore, this "comparison" boils down to a "How much cheating do we allow?".

  14. Missing Semicolon Silver badge
    Devil

    Intel's illusionary advantage

    Once again Intel's performance advantage over AMD is shown to be insecure.where's my f'n refund/buyback?

    1. nkuk

      Re: Intel's illusionary advantage

      There have been so many of these bugs now it makes you wonder if they are actually bugs/flaws or ways that the Engineers/chip designers found to squeeze more performance out of the chips due to not being able to move to a smaller process node.

  15. Stevie Silver badge

    Bah!

    So syllable count and a final rhyme is the only important factor in El Reg pun construction these days?

    Suffer the I.P. layer.

    1. STOP_FORTH
      Headmaster

      Re: Bah!

      Ooh, tough crowd. They do seem a bit forced these days, though.

      I hope they never have to write about Haiku!

      1. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019