Intel Simplifies Microcode Update License Following Complaints
24.8.18 securityweek Hacking
Intel has made significant changes to the license for its latest CPU microcode updates after users complained that the previous version banned benchmarks and comparison tests.
Since January, when researchers disclosed the existence of the speculative execution vulnerabilities known as Spectre and Meltdown, Intel has released several rounds of microcode updates designed to prevent these and similar attacks.
The latest updates are designed to address three vulnerabilities tracked as Foreshadow or L1 Terminal Fault (L1TF). Microsoft and Linux distributions have begun distributing the microcode updates for these flaws, but some people noticed that the license file delivered with the updates prohibits benchmarking.
“Unless expressly permitted under the Agreement, You will not, and will not allow any third party to [...] publish or provide any Software benchmark or comparison test results,” the license read.
The mitigations for speculative execution vulnerabilities have been known to have a significant impact on performance in some cases. In the case of the Foreshadow flaws, Intel and Microsoft said there should not be any performance degradation on consumer PCs and many data center workloads. However, some data center workloads may be slowed down.
Someone at Intel apparently attempted to prevent users from making public the results of performance impact testing for the latest mitigations, but people quickly noticed.
“Lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license,” Bruce Perens, one of the founders of the open source movement, wrote in a blog post.
“Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can’t trust your components when you do that,” he added.
Lucas Holt, project lead at MidnightBSD, noted on Twitter, “Performance is so bad on the latest spectre patch that intel had to prohibit publishing benchmarks.”
Following complaints, Intel has decided to significantly simplify the license. It now only says that redistributions of the microcode updates must include a copyright notice and a disclaimer, Intel’s name cannot be used to endorse or support products derived from its software, and that reverse engineering or disassembly of its software are not permitted.
“We have simplified the Intel license to make it easier to distribute CPU microcode updates,” said Imad Sousou, corporate VP and GM of Intel’s Open Source Technology Center. “As an active member of the open source community, we continue to welcome all feedback and thank the community.”