Realized that we don't quite agree on the term "fix" and likely that's the problem. If you look at the language (Intel, AMD, ARM, Apple, Microsoft, CERT), nobody is "resolving" this, everybody is "mitigating", Google is a bit more specific and notes that it is against "known vectors". It's not even clear that there can be a"fix" as even with new hardware, Spectre could become an ongoing issue but new hardware certainly increases one's chances.
And do remember that security is a design decision, just like in IoT. ..
Spotted this on Reuters yesterday but can't find more details
"ARM's Segars said his company has been tweaking designs for future chips to add "maximum flexibility." The biggest change is adding more transistors to chips, a negligible cost, to make it easier to turn chip features on and off, he said.Giving yourself "maximum flexibility" means it will be easier to respond to future flaw discoveries, Segars said."
If you have sharing of VMs or protection domains in the same memory hierarchy, you will have information leakage paths. This latest one was based on speculation, but the information flow through shared caches still exists. It is readily blocked by wiping the cache when changing VMs or protection domains, but only at a terrible penalty. There are obfuscation approaches that can be put in hardware, as was done with OS to defeat some attacks. But fundamentally if two share hardware, we cannot completely isolate them. We can only slow the information flow.
Oogh...let's be civil, folks.
This is a tech forum, not a political smackdown.
So processor architects got caught with their collective pants down.
This isn't the first time they have outsmarted themselves.
I remember the 'my processor has more MHz/GHz than yours' duel between Intel and AMD, with CPU temps and coolers growing to gargantual proportions and 'flaming motherboard' posts from opposing sides.
Then there was that silly Pentium arithmetic problem (in 1885, was it?).
OK, mistakes were made.
And what do we, as the engineering community as a whole, do about it?
Throwing PIs with more digits of precision doesn't help.
Yes, replacing all exsiting silicon with the problem would be nice but...that won't happen. Think of the British NHS vuln to recent ransomware - Windows XP Everywhere...
I'm guessing it will take a decade or more for all silicon to be replaced. Heck, my main box was a Z-80 system running CP/M from 1979 to 1985. But it wasn't vulnerable to malware - or was it? Maybe that's why my thesis reads so oddly today.
We need solutions, not recrimations.
And, I, for one, have no solution. Mea Culpa. Mea Maxima Culpa.
Oh, well, what the h**l - fly into the mountain.
I wasn't addressing this from a customer's perspective at all, just what CPU vendors need to do - the fact that you are trying to undermine my argument by putting words in my mouth could be seen as suspicious.
You got 3 key metrics impacted here, security, perf and power, a fix needs to address all of those. What customers do is up to them and we all know that cost is the primary factor. You are right that it will take time and that's why this kind of spin is showing up in the press as they don't want a negative impact on sales in the next few years with folks delaying purchase and waiting for fixed hardware. Hardware , ISA and OSes likely need substantial changes for a proper fix.
"would be hard to find a high end processor" - Is this an official Intel taking point? I bet they are nice enough to assist the press and analysts in understanding this issue. High end is code for Intel as nobody would claim that high end is more than a niche. Do remember that this is not just about where everyone is today, it's also about the timing of a fix and how it is fixed and that's very important - as i said, this kind of article enables bad behavior and I know with certainty that you would not want a device that sacrifices your privacy for some extra perf, lower power, lower cost.
Qualcomm PR just sent me the following statement:
"Qualcomm Technologies, Inc. is aware of the security research on industry-wide processor vulnerabilities that have been reported. Providing technologies that support robust security and privacy is a priority for Qualcomm, and as such, we have been working with Arm and others to assess impact and develop mitigations for our customers. We are actively incorporating and deploying mitigations against the vulnerabilities for our impacted products, and we continue to work to strengthen them as possible. We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available."
@realjjj: Certainly this hole in speculative execution needs to be plugged in future microprocessors.
Are you seriously recommending all existing systems need to have those chips torn out and replaced with something else? Besides the expense and time, it would be hard to find a high end processor that is not affected and didn't require a major software rewrite and probably a perforance hit.
Still you have to admit that very few laptops users will fix both Meltdown and Spectre variants. They willl recive the windows patch but i think only spare people will dowlnoad the last Bios revision from their manufacturer flashing it in its own cpu.
In average Laptops users will not be afflicted by performance penality because the patch is not active without the bios update. Few users knows what is a Bios :). Moreover the average user is definitively not a target of these very focused attacks.
So at the end of the day only informed desktop users and server users in general will be nearly protected by these exploits and they will have performance penality on their machines.
Le future lack of protection against Meltdown and Spectre will be trained by the lack of expertise of the end user of consumer devices.
This stinks, it really really stinks. You are trying to provide cover to folks that will do the wrong thing, folks that will keep selling crap. You are trying to make this seem like any other security issue and even worse, you suggest that fixing it in hardware is not the way to go. This is not just another security issue and the fix is both hardware and software- you seem to think that a hardware fix implies removing speculative execution but that's not the case and nobody has ever suggested that.
First CERT edits out their recommendation to replace the hardware after being "ïn contact" with Intel and now ... would love to know if the analysts and the press have been chatting with Intel about the right way to fix this. What would you do if you couldn't fix this for quite some years, maybe try to convince everybody that there is no need for a fix?
Such articles enable and encourage bad behavior. Would be great if you could remember what/who inspired this article and the line of thinking it promotes. Removing speculative execution as a fix is as absurd as trying to cure the flu with a shotgun, so who came up with that argument, who claimed that the fix must be software because you can't just remove speculative execution? Whoever planted that idea, is someone you can't trust.