Friday, January 5th 2018

Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).
Add your own comment

111 Comments on Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

#1
GreiverBlade
"Prima.Vera said:
Why do I have a feeling that things are blowing out of proportions again...
actually it's refreshing ....

usually it's ...
"oh it's Intel, no biggies, we can forgive them"
"what? AMD has a bug in their CPU? BURN DOWN THE WITCHE!"

actually considering financial disparities between these two ... i consider Intel blunder to be unforgivable :laugh:
Posted on Reply
#2
David Fallaha
"Flaky said:
Thank god I still have an atom n450 netbook :D

Anyway...
There would be no point in halting the release of coffee lake, especially when ES/QS cpus are being provided, and all partners already have working prototypes of new platform.
Er excuse me? Then announce the flaw then try selling it, or don't sell it at all. What planet do you come from?
Posted on Reply
#3
R0H1T
"David Fallaha said:
Er excuse me? Then announce the flaw then try selling it, or don't sell it at all. What planet do you come from?
Would definitely love to know how many would raise their hands knowing Intel chips had a meltdown bug, with a fix probably six months away? Pretty sure the loss in sales would be in the tens of billions, with a capital B, as it stands right now they might get away with just a slap on the wrist - like the last so many times! In fact their server sales would also be devastated, I'd say Google saved them anywhere between 10 to 30 billion in lost sales over the last 6 months.
Posted on Reply
#4
lexluthermiester
"David Fallaha said:
Er excuse me? Then announce the flaw then try selling it, or don't sell it at all. What planet do you come from?
It's called capitalism. Welcome to planet Earth.
"R0H1T said:
Would definitely love to know how many would raise their hands knowing Intel chips had a meltdown vulnerability
Fixed that for you. The difference is that the CPU's in question operate perfectly, so not a bug. But the fact that software can be made to take advantage of a CPU's normal functionality in a malicious way is a vulnerability. And it's likely the same number of people who would buy anything else that has/had a known problem, like iPhones with their battery problems and Windows for example.
Posted on Reply
#5
R0H1T
"lexluthermiester said:
It's called capitalism. Welcome to planet Earth.

Fixed that for you. The difference is that the CPU's in question operate perfectly, so not a bug. But the fact that software can be made to take advantage of a CPU's normal functionality in a malicious way is a vulnerability. And it's likely the same number of people who would buy anything else that has/had a known problem, like iPhones with their battery problems and Windows for example.
Both spectre & meltdown are vulnerabilities, except AMD doesn't need a meltdown fix because it doesn't allow a rogue data cache load in the way Intel does. Hence the bug(gy) part wrt Intel.

This isn't true for meltdown as can be seen with AMD chips right now.
Posted on Reply
#6
lexluthermiester
"R0H1T said:
Both Spectre & Meltdown are vulnerabilities
True.
"R0H1T said:
except AMD doesn't need a meltdown fix because it doesn't allow a rogue data cache load in the way Intel does.
Actually, that is an incorrect conclusion.
"R0H1T said:
Hence the bug(gy) part wrt Intel.
Meltdown is a vulnerability. A vulnerability is not "bug", nor a flaw, nor a defect of design. You are mixing up and confusing proper terminology.
"R0H1T said:
This isn't true for meltdown as can be seen with AMD chips right now.
My information and understanding comes from the people who discovered the problems, have been researching and documenting it.
https://meltdownattack.com/
That website is one they created to publish the information for everyone to read. According to them and the documentation they have provided, your conclusions are incorrect.
Posted on Reply
#7
R0H1T
"lexluthermiester said:
Actually, that is an incorrect conclusion.
How so?
Meltdown is a vulnerability. A vulnerability is not "bug", nor a flaw, nor a defect of design. You are mixing up and confusing proper terminology.
Am I? Intel chips allow user apps to read data from the kernel memory but AMD does not, so how is that not a bug or defective design?
My information and understanding comes from the people who discovered the problems, have been researching and documenting it.
https://meltdownattack.com/
That website is one they created to publish the information for everyone to read. According to them and the documentation they have provided, your conclusions are incorrect.
I've read everything from Ars, AMD, project zero, the register & no where does it say that meltdown was a feature of OoO chips. The unintended feature you're talking is speculative branching i.e. spectre.
On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen <andi@firstfloor.org> wrote:
> This is a fix for Variant 2 in
> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>
> Any speculative indirect calls in the kernel can be tricked
> to execute any kernel code, which may allow side channel
> attacks that can leak arbitrary kernel data.

Why is this all done without any configuration options?

A *competent* CPU engineer would fix this by making sure speculation
doesn't happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.


I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed.

.. and that really means that all these mitigation patches should be
written with "not all CPU's are crap" in mind
.

Or is Intel basically saying "we are committed to selling you shit
forever and ever, and never fixing anything"?

Because if that's the case, maybe we should start looking towards the
ARM64 people more.

Please talk to management. Because I really see exactly two possibibilities:

- Intel never intends to fix anything

OR

- these workarounds should have a way to disable them.

Which of the two is it?

Linus
Posted on Reply
#8
I No
And again things are getting blown out of proportion .... give it a rest .... not even the involved parties aren't making such a big fuss out of this
Posted on Reply
#9
goodeedidid
"eidairaman1 said:
Ouch another one, not good at all
Ouch what, don't be silly. What the whole industry should stop working because of a bug? Do you commit suicide when you cough once?
Posted on Reply
#10
eidairaman1
The Exiled Airman
"goodeedidid said:
Ouch what, don't be silly. What the whole industry should stop working because of a bug? Do you commit suicide when you cough once?
Intel launched serveral products that had this architecture flaw and they knew about it. That is criminal period. This will impact their wallets across the board.

By the way welcome to my ignore list.
Posted on Reply
#11
HammerON
The Watchful Moderator
"goodeedidid said:
Ouch what, don't be silly. What the whole industry should stop working because of a bug? Do you commit suicide when you cough once?
Not the best analogy there. You can get your point across without using such an analogy. Sometimes it is okay to agree to disagree and then move on. Do so in this case.
Posted on Reply
#12
Berfs1
Similarly to the GTX 970 incident, Intel needs to partially reimburse the customer of these CPUs, as it affects the performance now.
Posted on Reply
#13
64K
"Berfs1 said:
Similarly to the GTX 970 incident, Intel needs to partially reimburse the customer of these CPUs, as it affects the performance now.
Not really similar to the 970 though. The 970 performed exactly the same in reviews before and after the the deception by Nvidia was made known.

In this case we have CPUs that don't perform exactly the same as before and after the news broke of it's security vulnerabilities and the patch and the potential risks on down the road. At least thus far.
Posted on Reply
#14
eidairaman1
The Exiled Airman
"64K said:
Not really similar to the 970 though. The 970 performed exactly the same in reviews before and after the the deception by Nvidia was made known.

In this case we have CPUs that don't perform exactly the same as before and after the news broke of it's security vulnerabilities and the patch and the potential risks on down the road. At least thus far.
Considering that card was falsely advertised as having 4 gigs when in fact it only had 3.5
Posted on Reply
#15
64K
It did have 4 GB VRAM and you probably noticed that Nvidia continued to advertise it as a 4 GB card even after the class action lawsuit was settled out of court. Where Nvidia deceived, and eventually paid up for with $30 rebates per card, is in failing to disclose that the last .5 GB VRAM ran 7 times slower that the rest of VRAM. But, in any case, what Intel has done is a bit more far reaching in consequences imo. We'll see.
Posted on Reply
#16
eidairaman1
The Exiled Airman
"64K said:
It did have 4 GB VRAM and you probably noticed that Nvidia continued to advertise it as a 4 GB card even after the class action lawsuit was settled out of court. Where Nvidia deceived, and eventually paid up for with $30 rebates per card, is in failing to disclose that the last .5 GB VRAM ran 7 times slower that the rest of VRAM. But, in any case, what Intel has done is a bit more far reaching in consequences imo. We'll see.
I see legal suits in their future
Posted on Reply
#17
xorbe
"Berfs1 said:
Similarly to the GTX 970 incident, Intel needs to partially reimburse the customer of these CPUs, as it affects the performance now.
Technically, it's the OS that slowed down ...
Posted on Reply
#18
lexluthermiester
"xorbe said:
Technically, it's the OS that slowed down ...
It was more than the OS. In games, whenever that last 512mb of VRAM were accessed the game itself would stutter and chug. Never understood why and thought it was a driver problem until after the info went public. But it was an unpleasantness for sure. I will not touch that card because of the inconsistent performance. It would literally have been better to release the card with only 3.5GB of ram.
Posted on Reply
#19
evernessince
"First Strike said:
It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish those work with Linux team and Microsoft in time, it's kinda less unacceptable.

But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.
It's not in any way acceptable. They released a product they knew would take a performance hit and would get bad publicity during the holiday season to reap maximum sales before customers could realize what was up. That's not even the full picture either, we are getting reports of 8000 series processors getting up to 30% less performance on lower end motherboards. It definitely looks like Intel essentially released these processors with only their top end motherboards and super lower base clocks because they knew people would buy based off reviews, regardless of whether or not they are actually getting that performance on their lower end motherboards.

The last 2 years for Intel have been nothing but shit from the thin PCB of skylake bending, to their shitty TIM, to IME issues, and now this (the biggest of them all). I know this list is missing allot but people get the point.

"64K said:
It did have 4 GB VRAM and you probably noticed that Nvidia continued to advertise it as a 4 GB card even after the class action lawsuit was settled out of court. Where Nvidia deceived, and eventually paid up for with $30 rebates per card, is in failing to disclose that the last .5 GB VRAM ran 7 times slower that the rest of VRAM. But, in any case, what Intel has done is a bit more far reaching in consequences imo. We'll see.
In most cases, Companies are not required to admit fault, merely they are required to pay money. It's shitty but it's the way the system works. Companies are granted far more rights and power than individuals.

"lexluthermiester said:
It's called capitalism. Welcome to planet Earth.

Fixed that for you. The difference is that the CPU's in question operate perfectly, so not a bug. But the fact that software can be made to take advantage of a CPU's normal functionality in a malicious way is a vulnerability. And it's likely the same number of people who would buy anything else that has/had a known problem, like iPhones with their battery problems and Windows for example.
Well, when you say it like that you make it sounds like one of the most horrible economic systems out there. Granted, we are definitely seeing how bad unmitigated capitalism can really be.
Posted on Reply
#20
I No
"evernessince said:
It's not in any way acceptable. They released a product they knew would take a performance hit and would get bad publicity during the holiday season to reap maximum sales before customers could realize what was up. That's not even the full picture either, we are getting reports of 8000 series processors getting up to 30% less performance on lower end motherboards. It definitely looks like Intel essentially released these processors with only their top end motherboards and super lower base clocks because they knew people would buy based off reviews, regardless of whether or not they are actually getting that performance on their lower end motherboards.
Giving the circumstances you would've done the same thing. Let's see ... Coffee Lake is built upon Kaby Lake which is built upon Skylake and the list goes on, they share the same arch. Now Intel would have to scrap the whole arch and send it back to the drawing board thus sending the arch back into development stages... that would be what 6-8 months? Also there are contracts and deadlines that they need to deliver that would not only mean an impact on sales but also would result in the company owing money to 3rd parties for a deadline breach. Would you put the company in a more awkward position than it already is? Bad publicity can be mitigated while shipping out trucks worth of money for contract breaches cannot. You're making this sound like they didn't intend to fix anything regarding both Meltdown and Specter although the public statement was due today. The only reason this is news is because someone decided to blow the horn early otherwise the statement given today would be "we had some vulnerabilities and they've been patched" .
It's not Intel's motherboards, it's Intel's chipset granted, the rest is handled by AIB's, last time I checked Intel wasn't in charge of that. Furthermore would you get a 8700k and stick it on a $20 MB?.
Any company out there would've done the same thing in Intel's position and if the Data Centers can live with it I'm betting so can the average user who won't notice the difference. If Intel cocked-up which they did they will pay there's no way around that. Mind posting the links to those 30% less performance benches? Asking out of sheer curiosity.

"evernessince said:
The last 2 years for Intel have been nothing but shit from the thin PCB of skylake bending, to their shitty TIM, to IME issues, and now this (the biggest of them all). I know this list is missing allot but people get the point.
Skylake sold, Kaby sold, Coffee sold. If a product is inferior by any means in your opinion you have other options which now you do: Ryzen. The only one responsible for Intel's tight grip on the market is whom? If the answer is the lack of competition you are right and I'm not sure if Intel is worried about AMD at this point either since they still control the enterprise segment and they will as long as contracts are still running.
The rest is politics which I won't get into.
Posted on Reply
#21
eidairaman1
The Exiled Airman
"I No said:
Giving the circumstances you would've done the same thing. Let's see ... Coffee Lake is built upon Kaby Lake which is built upon Skylake and the list goes on, they share the same arch. Now Intel would have to scrap the whole arch and send it back to the drawing board thus sending the arch back into development stages... that would be what 6-8 months? Also there are contracts and deadlines that they need to deliver that would not only mean an impact on sales but also would result in the company owing money to 3rd parties for a deadline breach. Would you put the company in a more awkward position than it already is? Bad publicity can be mitigated while shipping out trucks worth of money for contract breaches cannot. You're making this sound like they didn't intend to fix anything regarding both Meltdown and Specter although the public statement was due today. The only reason this is news is because someone decided to blow the horn early otherwise the statement given today would be "we had some vulnerabilities and they've been patched" .
It's not Intel's motherboards, it's Intel's chipset granted, the rest is handled by AIB's, last time I checked Intel wasn't in charge of that. Furthermore would you get a 8700k and stick it on a $20 MB?.
Any company out there would've done the same thing in Intel's position and if the Data Centers can live with it I'm betting so can the average user who won't notice the difference. If Intel cocked-up which they did they will pay there's no way around that. Mind posting the links to those 30% less performance benches? Asking out of sheer curiosity.



Skylake sold, Kaby sold, Coffee sold. If a product is inferior by any means in your opinion you have other options which now you do: Ryzen. The only one responsible for Intel's tight grip on the market is whom? If the answer is the lack of competition you are right and I'm not sure if Intel is worried about AMD at this point either since they still control the enterprise segment and they will as long as contracts are still running.
The rest is politics which I won't get into.
Well it put them in an even more awkward position because of multiple security breaches in the architecture, they were not upfront about it but tried hiding it.
Posted on Reply
#22
trparky
"evernessince said:
The last 2 years for Intel have been nothing but shit from the thin PCB of skylake bending, to their shitty TIM, to IME issues, and now this (the biggest of them all). I know this list is missing allot but people get the point.
Don't get me started on that crap. All of these issues and yet we still have people around here defending Intel and going so far as to still recommend people to buy their processors. Where is the hate for Intel? Where is the kind of hate that everyone loves to spew in Microsoft's direction? Oh yeah... I forgot. *crickets*
Posted on Reply
#23
lexluthermiester
"eidairaman1 said:
they were not upfront about it but tried hiding it.
Rubbish. The release of information was done in a responsible and coordinated way working with the researchers. They had no intention of hiding anything.
EDIT sorry for the late response, didn't see it earlier..
Posted on Reply
#24
eidairaman1
The Exiled Airman
"lexluthermiester said:
Rubbish. The release of information was done in a responsible and coordinated way working with the researchers. They had no intention of hiding anything.
EDIT sorry for the late response, didn't see it earlier..
Ok
"lexluthermiester said:
Rubbish. The release of information was done in a responsible and coordinated way working with the researchers. They had no intention of hiding anything.
EDIT sorry for the late response, didn't see it earlier..
For it to date back as far as it has that is pretty serious and they were hiding it
Posted on Reply
#25
lexluthermiester
"eidairaman1 said:
For it to date back as far as it has that is pretty serious and they were hiding it
You'd think, but the reality is most companies and researchers do not release vulnerability findings like this to the pubic without giving those affected by it a chance to research it themselves. Just throwing out to the public willy-nilly would be an act of gross irresponsibility. So yes, companies like Microsoft, Apple, Google, Intel, AMD, Nvidia, etc., etc. will keep such info confidentual until they have time to solve the problem. Intel and the researchers were being responsible, not secretive or sneaky. Meltdown is effectively solved and that solution will be refined in the coming months. And this is why we have a fix for within days instead of weeks or months.
Posted on Reply
Add your own comment