**rysiek ✅** @rysiek · Jan 02, 2018, 23:26

**rysiek ✅** @rysiek · Jan 02, 2018, 23:26

rysiek ✅ @rysiek

Welp: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

> A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

> Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down.

> A spokesperson for Intel was not available for comment

Weren't they now.

**Nate Cull** @natecull · Jan 03, 2018, 00:08

**Nate Cull** @natecull · Jan 03, 2018, 00:08

@rysiek Good lord. That and Management Extensions.

But it's funny how the cloud systems are scrambling to fix this when the owner of the cloud can still read everyone's kernel RAM. Somehow THAT huge security hole doesn't worry the cloud owners.

**rysiek ✅** @rysiek · Jan 03, 2018, 00:19

**rysiek ✅** @rysiek · Jan 03, 2018, 00:19

@natecull they are the ones who can read RAM so why do they care?

They do care about cloud users being able to read kernel mem though, for obvious reasons.

**Wolf480pl** @Wolf480pl@niu.moe · Jan 03, 2018, 09:14

**Wolf480pl** @Wolf480pl@niu.moe · Jan 03, 2018, 09:14

@rysiek @natecull they own the hardware, and IMO any way of preventing somoene from reading RAM on their own hardware is as evil and unethical as DRM.

**Nate Cull** @natecull · 2018-01-03T09:27:13Z

Nate Cull @natecull

@Wolf480pl @rysiek There ARE claimed ways (from the chipmakers, eg Intel) of putting 'secure enclaves' into the chips such that the owners of the hardware CAN'T access RAM, even in Ring 0 or -1 or whatever hypervisors / Intel ME gives access to.

But, um. One, how much do we trust the chipmakers? And two, how do we get encrypted data into and out of this 'secure RAM' through insecure RAM?

It's maybe possible, but it seems really awkward, and still a big trust point being the chip makers.

Jan 03, 2018, 09:27 · Web · 0 · 0

**Wolf480pl** @Wolf480pl@niu.moe · Jan 03, 2018, 09:30

**Wolf480pl** @Wolf480pl@niu.moe · Jan 03, 2018, 09:30

@natecull @rysiek with Intel SGX I think it has some way of establishing a TLS connection between you and the enclave. But 1) this makes Intel the hardware owner, and 2) IntelME has an unfixable vulnerability anyway, so whole SGX is useless atm.

**Wolf480pl** @Wolf480pl@niu.moe · Jan 03, 2018, 09:31

**Wolf480pl** @Wolf480pl@niu.moe · Jan 03, 2018, 09:31

@rysiek @natecull and by unfixable I mean, the only way to fix it is to replace the hardware. Any software patch can be easily reverted.

**Nate Cull** @natecull · Jan 03, 2018, 09:32

**Nate Cull** @natecull · Jan 03, 2018, 09:32

@Wolf480pl @rysiek Yep. It all just seems like piling on more and more complexity to solve an unsolveable problem.

Corporations want cheap cheap compute!

They also want privacy, or *should*.

It's hard. More and more businesses just don't want to run their own physical datacenters. Air conditioning and power costs a lot. They just want to make the whole cost center go away. Amazon's right there.

We've kinda gone right back to the IBM days, now with Amazon as IBM.