Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Intel Simplifies Microcode Update License Following Complaints

Intel has made significant changes to the license for its latest CPU microcode updates after users complained that the previous version banned benchmarks and comparison tests.

Intel has made significant changes to the license for its latest CPU microcode updates after users complained that the previous version banned benchmarks and comparison tests.

Since January, when researchers disclosed the existence of the speculative execution vulnerabilities known as Spectre and Meltdown, Intel has released several rounds of microcode updates designed to prevent these and similar attacks.

The latest updates are designed to address three vulnerabilities tracked as Foreshadow or L1 Terminal Fault (L1TF). Microsoft and Linux distributions have begun distributing the microcode updates for these flaws, but some people noticed that the license file delivered with the updates prohibits benchmarking.

“Unless expressly permitted under the Agreement, You will not, and will not allow any third party to […] publish or provide any Software benchmark or comparison test results,” the license read.

The mitigations for speculative execution vulnerabilities have been known to have a significant impact on performance in some cases. In the case of the Foreshadow flaws, Intel and Microsoft said there should not be any performance degradation on consumer PCs and many data center workloads. However, some data center workloads may be slowed down.

Someone at Intel apparently attempted to prevent users from making public the results of performance impact testing for the latest mitigations, but people quickly noticed.

“Lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license,” Bruce Perens, one of the founders of the open source movement, wrote in a blog post.

“Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can’t trust your components when you do that,” he added.

Advertisement. Scroll to continue reading.

Lucas Holt, project lead at MidnightBSD, noted on Twitter, “Performance is so bad on the latest spectre patch that intel had to prohibit publishing benchmarks.”

Following complaints, Intel has decided to significantly simplify the license. It now only says that redistributions of the microcode updates must include a copyright notice and a disclaimer, Intel’s name cannot be used to endorse or support products derived from its software, and that reverse engineering or disassembly of its software are not permitted.

“We have simplified the Intel license to make it easier to distribute CPU microcode updates,” said Imad Sousou, corporate VP and GM of Intel’s Open Source Technology Center. “As an active member of the open source community, we continue to welcome all feedback and thank the community.”

Intel allows microcode update benchmarks after user complaints

Related: Microsoft Releases Mitigations for Spectre-Like ‘Variant 4’ Attack

Related: Industry Reactions to Foreshadow Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.