
New Intel microarchitecture: fast, but not free



The discovery of the Spectre and Meltdown hardware vulnerabilities in Intel processors posed a major challenge for the company's architects: change the CPU microarchitecture so as to guarantee fully secure execution while maintaining, and even improving, processor performance. Now, six months later, it is time to share the results of this work. Not all of it, of course, only the part that is not Intel Top Secret.

Security experts agree that an absolutely secure system is impossible in any field, computing included. All one can do is make the protection strong enough that the cost of breaking it exceeds the value of what it protects, and that is an achievable goal. There is just one problem: the requirements of high security and high performance are very hard to reconcile.

So, as noted above, combining security with high CPU performance is an extremely difficult task. As one possible way to solve it, Intel took its cue from a seemingly non-technical field: SEO, Search Engine Optimization.

In fact, processors and search engines have a great deal in common. In a search engine the most popular sites land on the first page of results; in a processor the most popular data and instructions land in the cache. In both cases there is a way to influence the "promotion" by hand: keywords on a website, the prefetch instruction in a processor. And in both cases the results are generally unpredictable, so doing this is not recommended on modern systems. Just as search engines track every link pointing to a site in order to rank it, a processor executing out of order tracks the data dependencies among all the instructions in flight.



A few years ago search engines, which, by the way, never fully disclose their ranking algorithms, learned to deal with "black-hat optimization". Similarly, in the new Intel microarchitecture the out-of-order execution (OOO execution) and branch prediction algorithms will be completely classified, which will let it cope with the "gaming" of the branch predictor that one of the Spectre variants relies on.

Now for the main change in the microarchitecture. Search engines have a feature that so far has had no analogue in processors: paid advertisements shown at the top of the results, which effectively let you promote your site substantially for a fee. Carrying this over to processors, the first thing that comes to mind is paid cache memory, that is, the ability to reserve part of the cache for a given application for a given period of time, preventing its eviction and thereby guaranteeing that application maximum performance.

Unfortunately, in the general case this cannot significantly speed up a piece of software: the cache is only one link in the chain that determines application speed. So Intel's engineers found another solution. New processors will gain a separate core that any application can use in exclusive mode for a fixed period of time.



The new core will run at twice the operating frequency of the processor's other cores (in effect, it will be permanently in Turbo Boost mode), and its microarchitecture will differ from that of its "neighbours" on the die. The main difference is that, because an application is guaranteed exclusive use of the core, many security requirements can be dropped, and with them the operations that are most expensive in terms of performance, such as switching from user mode to kernel mode on every system call. Naturally, the operating system will receive the corresponding changes to support the new feature.

According to preliminary estimates, applications running on the new core will see their performance improve by a factor of 3 to 4 on average.


Structure of Intel Software Guard Extensions (Intel SGX) applications

An upgraded version of Intel SGX, version 1.04, will be used to give a particular application exclusive access to the core. In effect, the entire core will be a protected SGX enclave that other applications cannot access regardless of their current privilege level. Such a scheme will of course require significant changes to the OS, but Intel has relevant experience from developing similar components for Xeon Phi.

Naturally, software vendors and end users alike will want this functionality, so its use is expected to be paid for. After a simple online payment, the user receives a generated electronic key that the application needs in order to access the new core.

Intel takes the protection of users' personal data very seriously, so payment will be accepted not only in conventional currency but also in Bitcoin.

Upd. As requested: when reading, pay close attention to the Intel SGX version number, or to the date this post was published.

Source: https://habr.com/ru/post/352420/

