* Re: Intel Microcode
From: Michael Tremer @ 2018-08-23 14:38 UTC
To: development
Hi,
On Thu, 2018-08-23 at 10:26 -0400, Tom Rymes wrote:
> On 08/23/2018 9:34 AM, Michael Tremer wrote:
> > On Wed, 2018-08-22 at 19:36 +0200, Peter Müller wrote:
>
> [snip]
>
> > It looks like we have to rollback the microcode update. Intel has
> > changed the licensing terms in such a way that we won't be able (and no
> > third party either) to provide any performance benchmarks.
> >
> > So if someone says on the forum that IPFire is "a little bit slower
> > since the last update", that would violate that license.
>
> That's a VERY broad reading of the license. What you describe is a
> subjective opinion of the performance of one installation from someone
> not associated with the project, as opposed to the project itself
> posting controlled performance benchmarks with before-and-after numbers.
That didn't come from me, but Debian and Gentoo:
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906158
* https://bugs.gentoo.org/664134
RedHat and SuSE seem to be shipping the new microcode. Not sure if they
saw the change of the license.
There are also a number of articles in the German news (at least) that
share this opinion:
* https://www.golem.de/news/side-channel-angriffe-intel-untersagt-benchmarks-und-haertet-naechste-generation-1808-136151.html
> [snip]
>
> > Basically, it isn't an option to ship this. Other distributions think
> > the same.
>
> I see the desire to err on the side of caution, plus the desire to put
> pressure on Intel to modify the license, but I'd argue it's overkill.
It is just ridiculous from my angle. Their primary sales argument is to
be on top of the list of each benchmark out there. They probably forgot
about that.
But this is more about a slight change to hide that they messed up
*massively* here and a very bad attempt to cover it up. Now they got a
proper Streisand going. Well done Intel.
I am so fed up with spending so much of my time trying to fix something
that they got wrong and don't even own up to it. They are a shit
company.
*Goes and punches a wall now*
-Michael
> Tom
* Re: Intel Microcode
From: Tom Rymes @ 2018-08-23 14:49 UTC
To: development
On 08/23/2018 10:38 AM, Michael Tremer wrote:
> On Thu, 2018-08-23 at 10:26 -0400, Tom Rymes wrote:
>> On 08/23/2018 9:34 AM, Michael Tremer wrote:
>>> On Wed, 2018-08-22 at 19:36 +0200, Peter Müller wrote:
[snip]
>> I see the desire to err on the side of caution, plus the desire to put
>> pressure on Intel to modify the license, but I'd argue it's overkill.
>
> It is just ridiculous from my angle. Their primary sales argument is to
> be on top of the list of each benchmark out there. They probably forgot
> about that.
>
> But this is more about a slight change to hide that they messed up
> *massively* here and a very bad attempt to cover it up. Now they got a
> proper Streisand going. Well done Intel.
[snip]
I'm all for holding off on this as a principle thing, as it's clear that
Intel's lawyers are trying to pull a fast one. From a practical
standpoint, though, it's probably less of a problem.
Tom
* Re: Intel Microcode
From: Michael Tremer @ 2018-08-23 14:50 UTC
To: development
On Thu, 2018-08-23 at 10:49 -0400, Tom Rymes wrote:
> On 08/23/2018 10:38 AM, Michael Tremer wrote:
> > On Thu, 2018-08-23 at 10:26 -0400, Tom Rymes wrote:
> > > On 08/23/2018 9:34 AM, Michael Tremer wrote:
> > > > On Wed, 2018-08-22 at 19:36 +0200, Peter Müller wrote:
>
> [snip]
>
> > > I see the desire to err on the side of caution, plus the desire to put
> > > pressure on Intel to modify the license, but I'd argue it's overkill.
> >
> > It is just ridiculous from my angle. Their primary sales argument is to
> > be on top of the list of each benchmark out there. They probably forgot
> > about that.
> >
> > But this is more about a slight change to hide that they messed up
> > *massively* here and a very bad attempt to cover it up. Now they got a
> > proper Streisand going. Well done Intel.
>
> [snip]
>
> I'm all for holding off on this as a principle thing, as it's clear that
> Intel's lawyers are trying to pull a fast one. From a practical
> standpoint, though, it's probably less of a problem.
That's indeed a very good question. Licenses are there to be enforced.
I want the GPL and other licenses that IPFire is under to be honoured
and I will enforce them if I need to. And therefore I will do the same
with any other license of any other software that we use. Otherwise
there is no point in using any license at all.
Let's hope that Intel will change this very soon and make sure that we
are able to supply the fixes to their CPUs for free.
-Michael
> Tom
* Re: Intel Microcode
From: Peter Müller @ 2018-08-23 19:11 UTC
To: development
Hello,
> Hi,
>> [snip]
>>
>>> It looks like we have to rollback the microcode update. Intel has
>>> changed the licensing terms in such a way that we won't be able (and no
>>> third party either) to provide any performance benchmarks.
>>>
>>> So if someone says on the forum that IPFire is "a little bit slower
>>> since the last update", that would violate that license.
>>
>> That's a VERY broad reading of the license. What you describe is a
>> subjective opinion of the performance of one installation from someone
>> not associated with the project, as opposed to the project itself
>> posting controlled performance benchmarks with before-and-after numbers.
>
> That didn't come from me, but Debian and Gentoo:
>
> * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906158
> * https://bugs.gentoo.org/664134
>
> RedHat and SuSE seem to be shipping the new microcode. Not sure if they
> saw the change of the license.
>
> There are also a number of articles in the German news (at least) that
> share this opinion:
>
> * https://www.golem.de/news/side-channel-angriffe-intel-untersagt-benchmarks-und-haertet-naechste-generation-1808-136151.html
Heise has published one, too:
https://www.heise.de/newsticker/meldung/Aerger-ueber-Intels-Lizenzbedingungen-fuer-Sicherheits-Updates-4144515.html
It says there: Intel announces to publish a changed version of the license
soon. Seems like the current version was copied from a NDA template, as
confidentiality is one of the listed aspects - which does not make any sense
at all in a public document.
However, as Michael mentioned, it illustrates the problem we all have with
Intel: Technical mistakes with security impact happen - they must not happen,
but unfortunately they do. A "normal" vendor would publish updates and a
security advisory as soon as possible, keep customers and partners up
to date, and maybe apologise for the problem.
The company did none of those in time. And it does not look like they are
going to do so in future. Of course, that's exactly the problem with all
major IT companies, there is no need to name them here. But if you do not
like your ISP, there is an alternative. If you do not like an operating
system, choose another. But nobody can afford to stop using nearly all
modern computer hardware from one day to another - not speaking about the
poor diversity situation on the market.
And so, trustworthy hardware remains a dream - at least for those users who
care (or have to care) about security. It is wretched, absolutely wretched.
>
>> [snip]
>>
>>> Basically, it isn't an option to ship this. Other distributions think
>>> the same.
>>
>> I see the desire to err on the side of caution, plus the desire to put
>> pressure on Intel to modify the license, but I'd argue it's overkill.
>
> It is just ridiculous from my angle. Their primary sales argument is to
> be on top of the list of each benchmark out there. They probably forgot
> about that.
>
> But this is more about a slight change to hide that they messed up
> *massively* here and a very bad attempt to cover it up. Now they got a
> proper Streisand going. Well done Intel.
>
> I am so fed up with spending so much of my time trying to fix something
> that they got wrong and don't even own up to it. They are a shit
> company.
ACK.
>
> *Goes and punches a wall now*
"Wo sich sicherheitsmäßig alles in der Scheiße suhlt und stinkt zum
Gottserbarmen..." [roughly: "Where, security-wise, everything wallows in
shit and stinks to high heaven..."] (Sorry for the German swearwords, I do not have an
English translation at hand. Feeling with Michael here...)
Best regards,
Peter Müller
>
> -Michael
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
* Re: Intel Microcode
From: Tapani Tarvainen @ 2018-08-24 6:25 UTC
To: development
On Thu, Aug 23, 2018 at 09:11:20PM +0200, Peter Müller (peter.mueller(a)link38.eu) wrote:
> https://www.heise.de/newsticker/meldung/Aerger-ueber-Intels-Lizenzbedingungen-fuer-Sicherheits-Updates-4144515.html
>
> It says there: Intel announces to publish a changed version of the license
> soon.
They have. Without that obnoxious "no benchmarking" clause.
I believe the new version is this:
https://01.org/mcu-path-license-2018
--
Tapani Tarvainen
* Re: Intel Microcode
From: Michael Tremer @ 2018-08-24 10:26 UTC
To: development
On Fri, 2018-08-24 at 09:25 +0300, Tapani Tarvainen wrote:
> On Thu, Aug 23, 2018 at 09:11:20PM +0200, Peter Müller (peter.mueller(a)link38.eu) wrote:
>
> > https://www.heise.de/newsticker/meldung/Aerger-ueber-Intels-Lizenzbedingungen-fuer-Sicherheits-Updates-4144515.html
> >
> > It says there: Intel announces to publish a changed version of the license
> > soon.
>
> They have. Without that obnoxious "no benchmarking" clause.
> I believe the new version is this:
>
> https://01.org/mcu-path-license-2018
Yes, that is the new license. Guess we will have to update the package
again...
* Re: Intel Microcode
From: Michael Tremer @ 2018-08-24 10:39 UTC
To: development
On Thu, 2018-08-23 at 21:11 +0200, Peter Müller wrote:
> Hello,
>
> > Hi,
> > > [snip]
> > >
> > > > It looks like we have to rollback the microcode update. Intel has
> > > > changed the licensing terms in such a way that we won't be able (and no
> > > > third party either) to provide any performance benchmarks.
> > > >
> > > > So if someone says on the forum that IPFire is "a little bit slower
> > > > since the last update", that would violate that license.
> > >
> > > That's a VERY broad reading of the license. What you describe is a
> > > subjective opinion of the performance of one installation from someone
> > > not associated with the project, as opposed to the project itself
> > > posting controlled performance benchmarks with before-and-after numbers.
> >
> > That didn't come from me, but Debian and Gentoo:
> >
> > * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906158
> > * https://bugs.gentoo.org/664134
> >
> > RedHat and SuSE seem to be shipping the new microcode. Not sure if they
> > saw the change of the license.
> >
> > There are also a number of articles in the German news (at least) that
> > share this opinion:
> >
> > * https://www.golem.de/news/side-channel-angriffe-intel-untersagt-benchmarks-und-haertet-naechste-generation-1808-136151.html
>
> Heise has published one, too:
> https://www.heise.de/newsticker/meldung/Aerger-ueber-Intels-Lizenzbedingungen-fuer-Sicherheits-Updates-4144515.html
>
> It says there: Intel announces to publish a changed version of the license
> soon. Seems like the current version was copied from a NDA template, as
> confidentiality is one of the listed aspects - which does not make any sense
> at all in a public document.
Yeah sure. An accident. Accidentally they had a spare restrictive
license next to the real one.
> However, as Michael mentioned, it illustrates the problem we all have with
> Intel: Technical mistakes with security impact happen - they must not happen,
> but unfortunately they do. A "normal" vendor would publish updates and a
> security advisory as soon as possible, keep customers and partners up
> to date, and maybe apologise for the problem.
I wouldn't assist on the latter, but it is just essential to provide
good quality updates as swiftly as possible.
They are a billion dollar company. It shouldn't be too hard.
> The company did none of those in time. And it does not look like they are
> going to do so in future. Of course, that's exactly the problem with all
> major IT companies, there is no need to name them here. But if you do not
> like your ISP, there is an alternative. If you do not like an operating
> system, choose another. But nobody can afford to stop using nearly all
> modern computer hardware from one day to another - not speaking about the
> poor diversity situation on the market.
Unfortunately it's true that there aren't many alternatives out there.
> And so, trustworthy hardware remains a dream - at least for those users who
> care (or have to care) about security. It is wretched, absolutely wretched.
However, we do have something in the pipeline that will be entirely
independent from Intel and x86 in fact. However, I cannot publicly talk
about this yet, and it will probably not be able to compete with
systems on the top end of the market like our Premium appliance.
But it will be a very powerful and small system and hopefully allow us
to get a step away from Intel.
> > > [snip]
> > >
> > > > Basically, it isn't an option to ship this. Other distributions think
> > > > the same.
> > >
> > > I see the desire to err on the side of caution, plus the desire to put
> > > pressure on Intel to modify the license, but I'd argue it's overkill.
> >
> > It is just ridiculous from my angle. Their primary sales argument is to
> > be on top of the list of each benchmark out there. They probably forgot
> > about that.
> >
> > But this is more about a slight change to hide that they messed up
> > *massively* here and a very bad attempt to cover it up. Now they got a
> > proper Streisand going. Well done Intel.
> >
> > I am so fed up with spending so much of my time trying to fix something
> > that they got wrong and don't even own up to it. They are a shit
> > company.
>
> ACK.
> >
> > *Goes and punches a wall now*
>
> "Wo sich sicherheitsmäßig alles in der Scheiße suhlt und stinkt zum
> Gottserbarmen..." (Sorry for the German swearwords, I do not have an
> English translation at hand. Feeling with Michael here...)
>
> Best regards,
> Peter Müller
> >
> > -Michael--
>
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq
>