amrnuke
Golden Member
- Apr 24, 2019
It may have been an engineering trade-off. If I were a betting man, however, I'd argue it was a conscious corporate decision of trading security for marketing.
While I agree that companies cheat intentionally, I'm not so sure this was the case here. Maybe it was simply an engineering trade-off or they didn't even think about it. I say that because back then when this general uArch was designed (Core uarch, I think Yonah) such security considerations sure weren't such a great deal and cloud was non-existent back then. In case of VW, intentionally cheating the law is something entirely different.
Intel have known since 1995 (at least) that the TLB, spec-ex, etc on their P6 uarch was a major security problem. They continued to use the same known-compromised design for 20+ years. They've definitely known that their SMT implementation was insecure for some time as well, since at least 2005 when the first CVE for their hyperthreading implementation was released.
Apple and other vendors almost a decade ago started to try to mitigate these at the kernel level, and Linux/Unix followed suit. KASLR and KPTI were some of the fixes; I can't recall the details of what OS vendors have done.
Long story short, Intel has been sharing bits between cores since P6 and have known about the security implications for at least 24 years, if not longer, and continued to excuse their behavior because "no one would ever run malicious code on the same computer that is running other important stuff" (paraphrased). It's not even sharing cache - the in-flight data can be snooped because of their design decisions.
Intel wanted multiple cores. Then they wanted hyperthreading. They decided that rather than completely rewrite the playbook, they'd shoe-horn old design decisions into a new era of computing. Then, marketing again, they had to go after speed too. And they traded security for speed. And I just can't see an engineering team trading security for more speed on uarch that they know are going into servers. I think it's far more likely they had a direction given to them by executives. But maybe I'm naive about that. Maybe their engineers really are that ignorant.