There is no question that Meltdown and Spectre have rocked the computing industry and left many concerned that their systems are vulnerable to attack. Vulnerabilities and viruses are nothing new, so what makes both Meltdown and Spectre unusual is that they are vulnerabilities within the processors that power each computer. CPUs from Intel, ARM and AMD are affected. Click here to read our blog post explaining all about Meltdown and Spectre.
Companies are scrambling to get fixes out, in the form of software patches, to resolve the issues and generally appear to be doing the best they can. So what has Linus Torvalds, creator of Linux, so angry? Well, apparently Intel’s best idea for having its CPUs fight Spectre variant 2 (the design flaw hobbling most of its chips) is to ignore it for a few years, until microarchitecture changes are rolled out with newer chips that will include the fix without the hampered performance. That means that its chips currently being manufactured are still leaving factories with the vulnerabilities in place.
The chips will include a protection flag that software can set to activate protection from the Spectre bug. Instead of being a default setting, users have a choice over whether to use the security needed for the design flaw. Intel is treating its solution for Spectre as a feature rather than a cure. This is what has Torvalds in such a rage. In a message to the Linux kernel mailing list, he wrote: “As it is, the patches are COMPLETE AND UTTER GARBAGE.”
"All of this is pure garbage. Is Intel really planning on making this ** architectural?" he asked. "Has anybody talked to them and told them they are ** insane? Please, any Intel engineers here – talk to your managers."
Intel has explained its thinking in a message about Spectre mitigation: Speculative Execution Side Channel Mitigations.
Later, Torvalds responded to the assertion that the patches were necessary: “They do literally insane things. They do things that do not make sense ... The patches do things that are not sane.”
Intel’s fix will need to be enabled at boot time by setting a flag called the IBRS_ALL bit. IBRS stands for Indirect Branch Restricted Speculation. This is just one of three hardware patches Intel is rolling out as CPU microcode updates, and it is necessary to fully protect Intel CPUs against Spectre.
The others are STIBP (Single Thread Indirect Branch Predictors) and IBPB (Indirect Branch Predictor Barrier).
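The gap the post describes, microcode that offers IBRS/STIBP/IBPB while the kernel may or may not actually use it, is visible from a Linux shell. The script below is an added example (not from the original post, Intel or the kernel project): it reads the CPU feature flags the kernel exposes in /proc/cpuinfo (ibrs, ibpb, stibp, as recent kernels name them) and the kernel's own verdict in /sys/devices/system/cpu/vulnerabilities/spectre_v2, and runs against constructed sample files so it works offline; drop the path arguments to check the running machine.

```sh
#!/bin/sh
# Added example: report which Spectre v2 controls the CPU advertises and
# whether the kernel says the mitigation is active. Both functions take an
# optional path so they can be pointed at sample files instead of the live system.

# Print "<flag>=present" or "<flag>=absent" for the three controls named in the
# post. Presence here only means the microcode supports the control.
spectre_v2_cpu_flags() {
    cpuinfo="${1:-/proc/cpuinfo}"
    flags=$(grep '^flags' "$cpuinfo" | head -n 1 | cut -d: -f2)
    for f in ibrs stibp ibpb; do
        case " $flags " in
            *" $f "*) echo "$f=present" ;;
            *)        echo "$f=absent" ;;
        esac
    done
}

# Classify the kernel's verdict. The sysfs file reads "Not affected",
# "Vulnerable" or "Mitigation: <technique>"; only the last means the
# kernel is actually using a mitigation (IBRS, retpoline, etc.).
spectre_v2_kernel_status() {
    sysfs="${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
    if [ ! -r "$sysfs" ]; then
        echo "unknown (file not readable; kernel too old?)"
        return 1
    fi
    status=$(cat "$sysfs")
    case "$status" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated (${status#Mitigation: })" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown ($status)" ;;
    esac
}

# Constructed sample input: microcode advertises all three controls, but the
# kernel has not enabled the mitigation (the opt-in situation the post describes).
SAMPLE_DIR=$(mktemp -d)
printf 'flags\t\t: fpu sse2 ibrs ibpb stibp\n' > "$SAMPLE_DIR/cpuinfo"
printf 'Vulnerable\n' > "$SAMPLE_DIR/spectre_v2"

spectre_v2_cpu_flags "$SAMPLE_DIR/cpuinfo"
spectre_v2_kernel_status "$SAMPLE_DIR/spectre_v2"
rm -rf "$SAMPLE_DIR"
```

On a real host the interesting case is exactly the constructed one: all three flags present but the sysfs file still reading "Vulnerable" means the control exists in microcode and the kernel is not using it.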
The patches may hobble the chip’s performance, so this may be part of Intel’s approach: giving the user the choice between safety and optimum performance. Torvalds has commented that he believes the cost of the patches, in terms of speed, will be prohibitive for heavy users and that most will avoid using them.
Marketing the opt-in patches as a security feature may be Intel’s way of avoiding admitting to consumers that there is a major flaw within the depths of the CPU design. Rather than having the patch activated by default and hobbling processor speed from the outset, Intel is giving users a potentially security-threatening choice.
Many organisations around the world use Linux as the foundation for their systems and security is paramount to them. We at EDC4IT take security very seriously and our courses have been specially designed to help you get the best from Linux for your business needs. Take a look at our Linux admin course and get in touch for yourself or your team.