That bit sounds to me like Intel is trying to pull a "Volkswagen": have it perform better in benchmarks than in real life (when hopefully secure execution will be enabled).
More generally, an opt-in switch to disable unsafe behaviour expresses a clear intent to preserve the unsafe behaviour for the foreseeable future.
Disabling unsafe behaviour for good on current chips and removing it from future ones would be equally easy, and clearly it isn't Intel's intent.
Plausible reasons, apart from looking good in benchmarks, include ease of access for their three-letter friends and not bothering with the cost of designing safe and high performance processors.
I would hope that it would not be removed if there is a performance difference. Not all systems are multi user, thinking stuff like includeos or systems that can control their interaction such that the risk in very minimal and not worth the cost.
If it were removed, the new processors would simply be worth less than the ones that immediately preceded them. The systems you're thinking about would then cost less. What's the problem?
The problem, of course, is that vendors couldn't pretend to sell systems that are worth the prices they would have quoted before all of this awfulness was exposed. That would be a problem for the vendors only. The rest of us would be better off.
But that penalizes the single process systems, they exist. One already pays a cost of overhead for multiprocess/multiuser systems and this is part of it. Pay for what you use. But have sane defaults(protect the common case).
Then again, I cannot see this costing much in future chips.
This debate is about desktop and server processors. You are imagining there is a market segment, worth caring about for non-niche companies like Intel, of non-hackable systems with no network access that use high-end microprocessors, but it isn't so.
Most relatively complex systems that use deluxe microprocessors and could be air-gapped are accessible for convenience instead, and more extreme actually inaccessible systems are likely to use different, specialized processors.
Why do you exclude all single-purpose networked servers? e.g. why wouldn't it be reasonable tradeoff for a private compute cluster with a limited set of applications (or even just one), systems running really dumb services, ...?
On another forum somebody suggested laywer / legal reasons. That if default performance takes too big of a dive the case for lawsuits is stronger. They already have a class action filed against them. A benchmark performance dive would be one angle to use in court.
Coming to a court with "unclean hands" won't help their case either. And showing bad faith can really crank up the damages awarded if it's a jury trial.
The processor's security features should perform as described - anything less is a very nasty surprise waiting for users. Intel could allow users to opt-in to insecure behaviour for performance, but insecurity absolutely must be opt-in rather than opt-out.
"The processor should perform as described - anything less is a very nasty surprise waiting for users. Intel could allow users to opt-in to less performant behaviour for security, but bad performance absolutely must be opt-in rather than opt-out."
Take away: it all depends on the users preferences. I am with you, in most cases, it should be about security, but I guess there are legitimate use-cases for the opposite as well.
I do video crunching on internal systems, I'm happy that the code I run has nothing to gain from spectre or meltdown, but even a 10% drop in performance is bad, and sometimes can mean doubling the cost (if the cpu that was encoding two real time feeds is no longer powerful enough to do so without dropping frames)
Not every one runs a lamp stack on the intenet.
That said the default should be security. I have to opt in for "maximum performance" in the bios of my hp kit, rather than "balanced power and performance", why shouldn't I have to opt in to "faster but less secure"?
> "The processor should perform as described - anything less is a very nasty surprise waiting for users. Intel could allow users to opt-in to less performant behaviour for security, but bad performance absolutely must be opt-in rather than opt-out."
But that isn't true. Poor performance is not remotely in the same class of "very nasty surprise" that security model violations are.
Users can already choose. They can buy old processors without the fix.
I really don't see what case anyone could have against Intel if they just fixed this. Having a fix but turning it off by default seems far more dangerous from a legal perspective. Or having the processor perform far worse in reality than advertised.
Tell me where you could buy old processors in sufficient quantity today and please explain how a modern motherboard with sufficient RAM would hold such an old processor?
But if you want a processor without this fix, then you're in luck: from what I understand, all modern Intel processors don't have this fix yet. And they're very well supported by motherboards.
And by the time the current crop of processors becomes unavailable, I suspect newer processors will be much faster than anything currently available.
Yeah if you could point me towards instructions on how I can install this old processor I just bought in my Macbook that'd be great, also if you know how I can install this old processor in my AWS instances that'd be awesome too.
I winced as an owner of Volks Wagon stock when I read that. 3 people on this thread have now reacted to it.
If that type of behavior gets branded as "pulling a VW", that is the type of thing that could destroy VW in the long term. I agree it is a great analogy though.
Disabling unsafe behaviour for good on current chips and removing it from future ones would be equally easy, and clearly it isn't Intel's intent.
Plausible reasons, apart from looking good in benchmarks, include ease of access for their three-letter friends and not bothering with the cost of designing safe and high performance processors.