Intel has introduced microcode updates to mitigate the recently disclosed speculative execution vulnerabilities known as ‘Foreshadow’, a.k.a. L1 Terminal Fault (L1TF). These microcode patches were supposed to handle various side-channel and timing attacks. A new license term applied to the new microcode reads as follows:
You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results.
However, this was not very well received by the public.
Let’s find out why.
Issues in the Security Patches
The security fixes apparently slow down Intel processors, and Intel could very well face a public backlash over this. Imagine companies that run huge server farms or provide cloud services having to face a significant 5-10% speed reduction in their servers. Both security and reputation would be at stake.
Another dilemma is whether the customer should install the fix at all. Many computer users don’t allow outside or unprivileged users to run code on their CPUs the way a cloud or hosting company does. For them, the slowdown incurred by installing the fix is unnecessary.
Through its license, Intel has now attempted to gag anyone who would collect information to report on the speed penalties incurred. Bad move. In reality, it should have focused on handling the security problems by owning up to the damage and publishing mitigations. This clause of the license just hides the extent of the damage. Silencing the free speech of those who would merely publish benchmarks is bad ethics.
Intel’s decision to include this clause in the license also drew the attention of many big names in the tech industry.
The Register reported on Tuesday that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license. After this, open-source pioneer Bruce Perens called out Intel for trying to “gag” netizens.
Here is what Lucas Holt, MidnightBSD project lead, had to say in a tweet.
Terms of the License stand re-written
To avoid further confusion and chaos, Intel has backtracked on the license for its latest microcode update after the previous wording outlawed public benchmarking of the chips.
The reworked license no longer prohibits benchmarking.
In an announcement via Twitter, Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, on Thursday said: “We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community.”
While Intel could have faced major trust issues, and not only from its dedicated users, it managed to retrace its steps just in time. It’s about time Intel started taking responsibility for its own machines. Hopefully, the company thinks twice before introducing any other changes that could lead to a backlash.
You can read all about the origins of the discussion on Bruce Perens’ blog.