Tuesday, January 23rd 2018
Intel's Patch for Meltdown, Spectre "Complete and Utter Garbage:" Linus Torvalds
Linus Torvalds, creator of Linux, the most popular datacenter operating system, proclaimed Intel's patches for the recent Meltdown and Spectre CPU vulnerabilities "complete and utter garbage." Torvalds continues to work on the innermost code of Linux, and has been closely associated with kernel patches that are supposed to work in conjunction with updated CPU microcode to mitigate the two vulnerabilities that threaten to severely compromise security of data-centers and cloud-computing service providers.
Torvalds, in a heated public e-mail chain with David Woodhouse, an Amazon engineer based out of the UK, called Intel's fix "insane" and questioned Intel's intent behind making the patch "toggle-able" (any admin can disable the patch to a seemingly cataclysmic vulnerability, which can bring down a Fortune 500 company). Torvalds also takes issue with redundant fixes to vulnerabilities already patched by Google Project Zero's "retpoline" technique. Later in the thread, Woodhouse admits that there's no good reason for Intel's patches to be "opt-in." Intel commented on this exchange with a vanilla-flavored potato: "We take the feedback of industry partners seriously. We are actively engaging with the Linux community, including Linus, as we seek to work together on solutions."
Source: TechCrunch
16 Comments on Intel's Patch for Meltdown, Spectre "Complete and Utter Garbage:" Linus Torvalds
lkml.iu.edu/hypermail/linux/kernel/1801.2/05282.html
I assume you are talking about the microcode fix for Spectre?
So I see it like this: Intel could fix it with a microcode update, but that will cost more performance across the board, but will patch the hole for good, or it could be left up to kernel and software developers to determine if and when protections from this kind of exploit are required. I personally think that's a big ask of the application development community because (and I say this as an application dev) I don't want to be thinking about when I need to protect hardware from an attack, and I think Linus is thinking the same thing.
Honestly, I don't care what the performance hit is. Intel needs to man up and fix this instead of trying to pass the buck. It's a problem that they need to own up to and I would hold AMD and ARM to similar standards. I understand that these things happen. At work I've spent the last several days fixing bugs and they happen more than you realize, but if something makes it to production, you fix it as quickly as possible. If it hurts performance, that can be part of the next release (for CPUs that would be next gen), but you have to freaking fix it.
So, rant over, tl;dr: Intel needs to fix this, regardless of the performance hit. Not doing a microcode update for this is unacceptable as Linus suggests.
AMD and ARM are an interesting question here. Were their patches for this good?