Intel rips up microcode security fix license that banned benchmarking

It really really really didn't want you to know that there may be a significant performance hit

By Thomas Claburn in San Francisco

Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors – after the previous wording outlawed public benchmarking of the chips.

The software, released this month, counters the Foreshadow aka L1TF Spectre-related flaws in its CPUs. However, its terms of use and redistribution were problematic.

Following The Register's report on Tuesday that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license, open-source pioneer Bruce Perens called out Intel for trying to gag netizens.

Intel's gagging order came in the form of this license clause: "You will not, and will not allow any third party to … publish or provide any Software benchmark or comparison test results." That made it impossible for free-software bastion Debian to push Intel's microcode to its users as a security update.

The reason for Intel's insistence on a vow of silence is that – even with the new microcode in place – turning off hyper-threading is necessary to protect virtual machines from attack via Foreshadow – and that move comes with a potential performance hit. Red Hat, which evidently didn't get the memo to shut up about benchmarks, earlier this month noted: "The performance impact when HT is disabled is dependent on many factors. Measured impact ranges from a +30 per cent gain, to -50 per cent loss and beyond. Most HT testing, however, showed losses in the 0-30 per cent range."

Predictably, Intel's contractual omertà had the opposite effect and drew attention to the problem. "Performance is so bad on the latest Spectre patch that Intel had to prohibit publishing benchmarks," said Lucas Holt, MidnightBSD project lead, via Twitter.

In response to the outcry, Intel subsequently said it would rewrite the licensing terms. And now the fix is in.

Via Twitter, Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, on Thursday said: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."

The reworked license no longer prohibits benchmarking.

Perens, in a phone interview with The Register, approved of the change.

"This is a relatively innocuous license for proprietary software and it can be distributed in the non-free section of Debian, which is where it used to be, and it should be distributable by other Linux distributions," he said.

As to how Intel managed to shoot itself in the foot, Perens speculates that whoever wrote the text did not consider where the microcode was going and what the implications could be.

"You can't expect every lawyer to understand CPUs," he said. "Sometimes they have to have a deep conversation with their technical people."

Let the tests begin. ®

Booted-note

OpenBSD supremo Theo de Raadt today reiterated his plea to people to disable Intel's hyper-threading for security reasons. "DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS," he carefully suggested in a mailing list post to OpenBSD developers and users.

"Take responsibility for your own machines: Disable SMT in the BIOS menu, and upgrade your BIOS if you can. I'm going to spend my money at a more trustworthy vendor in the future."
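
One way to verify, on a Linux host, that hyper-threading is actually off as advised here and in the main story (an added example, not from the article, Intel, Red Hat or OpenBSD). It assumes the kernel exposes its `l1tf` and `smt/control` sysfs files; the function name and verdict labels are made up for this example.

```shell
#!/bin/sh
# Added example: classify a host's L1TF/Foreshadow posture for VM workloads
# from two Linux sysfs strings. Verdict labels are this example's own.

L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_FILE=/sys/devices/system/cpu/smt/control

# l1tf_verdict STATUS SMT_CONTROL
# Prints: not-affected | unmitigated | smt-off | smt-on-vm-exposed | unknown
l1tf_verdict() {
    st=$1
    ctl=$2
    case $st in
        "Not affected"*)                  echo not-affected; return 0 ;;
        Vulnerable*|*"VMX: vulnerable"*)  echo unmitigated;  return 0 ;;
        Mitigation:*)                     ;;  # keep going: SMT state decides
        *)                                echo unknown;      return 0 ;;
    esac
    # The kernel appends the SMT state once the KVM module is loaded.
    case $st in
        *"SMT disabled"*)   echo smt-off;           return 0 ;;
        *"SMT vulnerable"*) echo smt-on-vm-exposed; return 0 ;;
    esac
    # Otherwise fall back to the SMT control knob.
    case $ctl in
        off|forceoff|notsupported) echo smt-off ;;
        on)                        echo smt-on-vm-exposed ;;
        *)                         echo unknown ;;
    esac
}

# Report on the local machine when the sysfs files exist.
if [ -r "$L1TF_FILE" ]; then
    ctl_now=unknown
    if [ -r "$SMT_FILE" ]; then ctl_now=$(cat "$SMT_FILE"); fi
    echo "this host: $(l1tf_verdict "$(cat "$L1TF_FILE")" "$ctl_now")"
fi

# Constructed sample in the kernel's reporting format: microcode and kernel
# mitigations are in place, but hyper-threading is still on.
echo "sample: $(l1tf_verdict \
  'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' on)"
```

A result of `smt-on-vm-exposed` is the case the story describes: the microcode is applied, yet guests are only isolated from each other once SMT is disabled.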
