Skylake+ (Kabylake etc)
All have extra issues apparently
A false sense of security is worse than no security at all.
Remember the Core 2 Duo/Quad?
That:
I struggle with Civ V and linux as it is.
No, enlighten me?
Even mainstream media is beginning to smell the blood in the water.
SomehowâŚthe average person has little or no idea about these new threats.
Bugs. Bugs everywhere.
Intel managed to sweep most of them under the rug. But kernel devs where furious. And most of them where never fixed to this day even.
Summary of fix by Intel and why Linus is calling it bullshit.
http://lkml.iu.edu/hypermail/linux/kernel/1801.2/04628.html
Big simplification: Proper way to fix an hardware bug like this, is that newer cpu gets protected by default, and they answer they are when queried.
So you can ask the CPU âwhatâs your status on bug Xâ and the cpu answers âiâm good, you donât need to do anythingâ (newer fixed chips), or âi know about it but was already built, and need microcode update/special behavior to protect myselfâ (current chips with microcode update), âno answer / Iâm not goodâ (old chips without update).
So new stuff is protected, and you add more protection (and slowdowns, and special stuff) for older chips that donât know how to deal with it.
What Intel is trying to do here, is to go the other way: the chips, even the new ones, will stay vulnerable by default, and when queried they say âI have a fix but I donât use it, you can enable it by asking !â and the kernel is supposed to enable it.
Itâs terrible for a lot of reasons, like âboot an older os and itâs vulnerable since it doesnât know to call thisâ, âadditional code to enable this feature has to run for all of eternity for new chips now, instead of having to run for older chips and being phased out over timeâ, etc âŚ
The reason why Intel does that seems obvious: by default the chip does not lose speed since the fix is not enabled, and so instead of âintel chips lose 30% speed over night because of a flawâ it becomes âintel adds a special security mode that protects you even more for critical applications, at the cost of some speedâ. Purely marketing speech and decision at the cost of proper engineering decisions, and they need and try to get OSes like Linux to play along. Thatâs what he means by â[it] shows intel had no intention of fixing those flawsâ.
Additionally there seems to be a second issue in that the quality and behavior of the patches they submitted are trying to hide this deceptively simple but technically terrible behavior by making it look/sound obtuse and complicated.
In other words, intel is using its presence and weight to try and push a shitty solution, but one that is better for them marketing wise. Linus is flabbergasted to be treated like an idiot or a obedient drone that should apply such obvious abusive patches.
Further details from a HN poster that seems reasonable:
Heâs complaining about their âfixâ being terrible, but isnât fully against using it the end since as you said, thatâs all there is going to be to have the chips work properly. The reason he refuses those current patches and directly call it a lie/deception is because of what my last two paragraphs related; if you read his message (where the link points to) itâs about half way: Intel tries to disguise it by doing it in a convoluted way. Basically they try to avoid making it obvious when looking at the code, because they donât want a âif (intel_chip) enable_fix_because_default_is_broken_on_intel();â and instead pushes something that looks like the kernel needs to do lots of complex stuff [aka, âitâs complex, and a fix-on-chip is not enough the kernel needs protection anyway !â, and that means a terrible patch with lots of garbage and filler code.
Intelâs intention is clear in that they specifically pushes this in the same patchset as the âtell the chip to be secureâ, trying to mush the two things together to make it looks like itâs all the same thing, whereas in reality it should be two patchset: one to enable the security mode, and bad for intel marketing wise. And a second one to add those âfixesâ to the kernel, that would be refused because terrible and in part unecessary since retpoline already protects it. What Linus is saying is âsure I need the first change, but since youâre intent on pushing them together Iâm refusing them, because the second one is pure garbage, and you mix them together to hide the firstâ.
Never a boring read with him
You seem to have bought into the cool-aid. Please add a healthy dose
of critical thinking. Because this isnât the kind of cool-aid that
makes for a fun trip with pretty pictures. This is the kind that melts
your brain.
I keep thinking of the âcripple codeâ. I think the OSâs should force the performance hitting patch on all intel devices regardless. That is what they are trying dodge from what I gather.
cool⌠So just like their financial practices, their security practices are just as shitty?
While that makes sense for Windows and OSX, enabled by default but configurable is the proper way to handle it on Linux because of the whole âfreedom to run your system how you chooseâ thing.
but then it goes against a even bigger tenant of making a system as secure as possible. Lets just ignore this big hole in fence. Maybe it will block itself up as your cows wander off
I guess you missed the part where I said âenabled by defaultâ
ufw has closed port 22 by default. I can open it though.
YesâŚassociated it to windows. Threw me.
I could have worded it differently. I meant, force it on Windows and OSX because those platforms donât allow configuration or user choice by design, but allow Linux users to turn it off if they want, but it should probably spam dmesg with By using this configuration option, you're being a massively vulnerable FUCKWIT
or something of the sort.
https://www.phoronix.com/scan.php?page=news_item&px=PowerPC-Mem-Protection-Keys
Iâm stuck on hunting stuff down for this againâŚ
What does Apple have to do with Meltdown?
They designed the CPUs in their phones, in which case Meltdown is a non-issue. Idk about Spectre.
Apple keeps everything closed source as much as they can and their walled gardens as tightly as they can, they are paying the price for that.
âSomehowâŚthe average person has little or no idea about these new threats.â
Not surprised. Security and especially privacy is not considered important anymore as much as it should be by most. Certainly not enough to tell oh say, Microsoft that âhey, spying on me through your OS is a bad ideaâ or Google better yet with Android like why does my calculator program need to know where I live? Nobody cares, and thereâs your problem.
They use to talk about these things more often and more urgently back in the day that much I can remember. Then again, there were probably a lot of flaws in design back then.
Some call Linus toxic and hard to deal with.
But itâs borne out of situations like this where Iâm glad Linus (and a few other kernel devs) stick to their principles.
Also a friendly hint:
You can blockquote text like this.
By using the
>
Markup