The most striking thing here is that Linus has apparently dismissed incompetence as a rational explanation. Yes, he is often brash, but usually he is accusing someone of sheer stupidity. He does not do that here. Linus alleges that we are being lied to - that we don’t know the full story, nor Intel’s motives.
Furthermore, we are left to wonder if Microsoft is also being fed “bullshit” patches, and if they may be less discerning than Linus regarding a proper solution.
He's quite clear about his theory as to Intel's motives:
> The whole IBRS_ALL feature to me very clearly says "Intel is not
serious about this, we'll have a ugly hack that will be so expensive
that we don't want to enable it by default, because that would look
bad in benchmarks".
> So instead they try to push the garbage down to us. And they are doing
it entirely wrong, even from a technical standpoint."
That bit sounds to me like Intel is trying to pull a "Volkswagen": have it perform better in benchmarks than in real life (when hopefully secure execution will be enabled).
More generally, an opt-in switch to disable unsafe behaviour expresses a clear intent to preserve the unsafe behaviour for the foreseeable future.
Disabling unsafe behaviour for good on current chips and removing it from future ones would be equally easy, and clearly it isn't Intel's intent.
Plausible reasons, apart from looking good in benchmarks, include ease of access for their three-letter friends and not bothering with the cost of designing safe and high performance processors.
I would hope that it would not be removed if there is a performance difference. Not all systems are multi user, thinking stuff like includeos or systems that can control their interaction such that the risk in very minimal and not worth the cost.
If it were removed, the new processors would simply be worth less than the ones that immediately preceded them. The systems you're thinking about would then cost less. What's the problem?
The problem, of course, is that vendors couldn't pretend to sell systems that are worth the prices they would have quoted before all of this awfulness was exposed. That would be a problem for the vendors only. The rest of us would be better off.
But that penalizes the single process systems, they exist. One already pays a cost of overhead for multiprocess/multiuser systems and this is part of it. Pay for what you use. But have sane defaults(protect the common case).
Then again, I cannot see this costing much in future chips.
This debate is about desktop and server processors. You are imagining there is a market segment, worth caring about for non-niche companies like Intel, of non-hackable systems with no network access that use high-end microprocessors, but it isn't so.
Most relatively complex systems that use deluxe microprocessors and could be air-gapped are accessible for convenience instead, and more extreme actually inaccessible systems are likely to use different, specialized processors.
Why do you exclude all single-purpose networked servers? e.g. why wouldn't it be reasonable tradeoff for a private compute cluster with a limited set of applications (or even just one), systems running really dumb services, ...?
On another forum somebody suggested laywer / legal reasons. That if default performance takes too big of a dive the case for lawsuits is stronger. They already have a class action filed against them. A benchmark performance dive would be one angle to use in court.
Coming to a court with "unclean hands" won't help their case either. And showing bad faith can really crank up the damages awarded if it's a jury trial.
The processor's security features should perform as described - anything less is a very nasty surprise waiting for users. Intel could allow users to opt-in to insecure behaviour for performance, but insecurity absolutely must be opt-in rather than opt-out.
"The processor should perform as described - anything less is a very nasty surprise waiting for users. Intel could allow users to opt-in to less performant behaviour for security, but bad performance absolutely must be opt-in rather than opt-out."
Take away: it all depends on the users preferences. I am with you, in most cases, it should be about security, but I guess there are legitimate use-cases for the opposite as well.
I do video crunching on internal systems, I'm happy that the code I run has nothing to gain from spectre or meltdown, but even a 10% drop in performance is bad, and sometimes can mean doubling the cost (if the cpu that was encoding two real time feeds is no longer powerful enough to do so without dropping frames)
Not every one runs a lamp stack on the intenet.
That said the default should be security. I have to opt in for "maximum performance" in the bios of my hp kit, rather than "balanced power and performance", why shouldn't I have to opt in to "faster but less secure"?
> "The processor should perform as described - anything less is a very nasty surprise waiting for users. Intel could allow users to opt-in to less performant behaviour for security, but bad performance absolutely must be opt-in rather than opt-out."
But that isn't true. Poor performance is not remotely in the same class of "very nasty surprise" that security model violations are.
Users can already choose. They can buy old processors without the fix.
I really don't see what case anyone could have against Intel if they just fixed this. Having a fix but turning it off by default seems far more dangerous from a legal perspective. Or having the processor perform far worse in reality than advertised.
Tell me where you could buy old processors in sufficient quantity today and please explain how a modern motherboard with sufficient RAM would hold such an old processor?
But if you want a processor without this fix, then you're in luck: from what I understand, all modern Intel processors don't have this fix yet. And they're very well supported by motherboards.
And by the time the current crop of processors becomes unavailable, I suspect newer processors will be much faster than anything currently available.
Yeah if you could point me towards instructions on how I can install this old processor I just bought in my Macbook that'd be great, also if you know how I can install this old processor in my AWS instances that'd be awesome too.
I winced as an owner of Volks Wagon stock when I read that. 3 people on this thread have now reacted to it.
If that type of behavior gets branded as "pulling a VW", that is the type of thing that could destroy VW in the long term. I agree it is a great analogy though.
The root question is what else is Intel trying to cover up with these garbage patches? Are they afraid of power leakage across gates allowing an attacker to gain a higher level of privilege in certain generations of silicon, and trying to cover it up with these patches (hence some of the seemingly crazy things they do)?
I could be very wrong but I read it as Intel trying to cover the fact that there are huge performance penalties with the patch enabled. Therefore Intel will continue to market chip performance sans patch while pushing down the responsibility of enabling them to OS vendors.
Not with those patches, since they haven't been merged yet. The performance decreases that have been reported so far are for Meltdown patches, those new patches are apparently meant to mitigate Spectre.
Probably not secret anymore. CMS (the "Code Morphing Software" that implemented the x86 emulation) originally went straight to translation which was difficult to get correct and was expensive to do for code that might only be run once. Linus, when he joined said "That's stupid" and wrote an x86 interpreter which then acted as the first tier in the emulation. That let to a massive improvement in quality as more workloads could be tested and enabled an awesome creation by Jim Mattson (IIRC): self-cosimulation. CMS could be run in a mode where all translation were cross checked with the interpreter before the results were committed.
This was before my time and I'm sure he did much more. I only have first-hand knowledge of his work on TVM, the Transmeta x86 Virtualization which predated Intel (and AMD's) hardware support for x86 virtualization. Sadly it never productized. I suspect we couldn't find a way to monetize it.
At least the journal reports I read at that time implied that much. He was one of the technical leads on this as far as I recall. So he would have had to get a very good knowledge of the Transmeta CPU and of the x86 instruction set for that task. I think it shows here.
Linus calls people stupid when they are usually being stupid, at least in his eyes. He doesn't wantonly accuse people of stupidity for no reason. It's just that when he perceives stupid activity... well, he generally goes off. It's his main trigger.
Wonder if perhaps Intel is under classified and gagged duress from the government? There has been plenty of evidence the government is not acting with citizen security foremost in its technical and telecommunications policies.
Hanlon's razor should include an exception where PR and politics are involved. Discounting malicious people as just stupid is the reason so many "stupid" people are in power.
>The most striking thing here is that Linus has apparently dismissed incompetence as a rational explanation. Yes, he is often brash, but usually he is accusing someone of sheer stupidity. He does not do that here. Linus alleges that we are being lied to - that we don’t know the full story, nor Intel’s motives.
"And that's actually ignoring the much _worse_ issue, namely that the
whole hardware interface is literally mis-designed by morons."
Maybe you missed this line? Some classic Linus right there...
Furthermore, we are left to wonder if Microsoft is also being fed “bullshit” patches, and if they may be less discerning than Linus regarding a proper solution.