Microsoft may abandon Palladium for AMD's NX-bit

Yousuf Khan

Now these two stories confuse me a little bit. When we first heard about
Palladium (or NGSCB or whatever it's being called today), it was supposed to
be this dire invasion of our privacies, etc., etc. But now it simply looks
like it was something to stop viruses. So how exactly was Palladium supposed
to work anyways? Was there supposed to be some hardware support for this
technology, or was it entirely software? If there was hardware support, were
they using separated code and data segments as has existed in 32-bit
processors but never implemented, since the 386? What was Palladium supposed
to be really?

http://www.theinquirer.net/?article=15737

http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=49936

Yousuf Khan
 
Wes Felter

Now these two stories confuse me a little bit.

Not surprising since the Inquirer article is bogus. The NX bit is
orthogonal to Palladium.
When we first heard about
Palladium (or NGSCB or whatever it's being called today), it was supposed to
be this dire invasion of our privacies, etc., etc. But now it simply looks
like it was something to stop viruses.

Palladium provides little protection against viruses/worms; it's not
intended to.
So how exactly was Palladium supposed
to work anyways? Was there supposed to be some hardware support for this
technology, or was it entirely software? If there was hardware support, were
they using separated code and data segments as has existed in 32-bit
processors but never implemented, since the 386? What was Palladium supposed
to be really?

http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
 
Alex Johnson

CRN said:
"Microsoft's 64-bit Windows XP and Windows Server 2003 for Extended
Systems will also support the NX feature in Intel Itanium processors for
clients due out in the second half."

I'd like to know how they do it now and how they plan to do it in the
future, considering this sentence makes no sense to me. The Itanium
architecture doesn't have an NX bit. There are two things they could
do. First they could actually use the fact that Itanium has separate
ITB and DTB and don't map your code pages into the data TLB! Second
they could set their data pages' access rights level to 2 (read, write),
and their instruction pages' access rights to 1 (read, execute) (other
combinations would give more useful but equally safe access to various
privileged code). But really, what is the chance that Microsoft would
write correct, much less safe, code? They don't even use the split TLB
system properly or allow any page size besides 8KB, AFAIK.

Alex
 
Sam Iam

Yousuf said:
Oh yes, now I remember what we were so afraid of Palladium for. :)

Your computer breaks down and you call for tech support, and part of the
tech support questions would be, "were you trying to run something
illegal, sir?"

Well, more like:

We determined that you have run something illegal. Homeland Security has
been alerted!

(back in the lurk mode :)
 
Jan Panteltje

Oh yes, now I remember what we were so afraid of Palladium for. :)

Your computer breaks down and you call for tech support, and part of the
tech support questions would be, "were you trying to run something illegal,
sir?"

Yousuf Khan
In the US that would be:
'Can you PROVE you were not running anything illegal'?
This law will make it, as it saves companies ++++ on support.
JP
 
Yousuf Khan

Alex Johnson said:
CRN said:
"Microsoft's 64-bit Windows XP and Windows Server 2003 for Extended
Systems will also support the NX feature in Intel Itanium processors for
clients due out in the second half."

I'd like to know how they do it now and how they plan to do it in the
future, considering this sentence makes no sense to me. The Itanium
architecture doesn't have an NX bit. There are two things they could
do. First they could actually use the fact that Itanium has separate
ITB and DTB and don't map your code pages into the data TLB! Second
they could set their data pages' access rights level to 2 (read, write),
and their instruction pages' access rights to 1 (read, execute) (other
combinations would give more useful but equally safe access to various
privileged code). But really, what is the chance that Microsoft would
write correct, much less safe, code? They don't even use the split TLB
system properly or allow any page size besides 8KB, AFAIK.

I was wondering about that, i.e. how data and instruction pages are
separated in Itanium? So it's actually done with two separate page tables,
as opposed to a single page table with a special attribute. This would also
make more sense in long-term architectural design point of view, as Itanium
is brand new and they can take brand new paths like this, whereas with x86
you have to take somewhat more limited steps.

Yousuf Khan
 
Eugene Nalimov

Alex Johnson said:
CRN said:
"Microsoft's 64-bit Windows XP and Windows Server 2003 for Extended
Systems will also support the NX feature in Intel Itanium processors for
clients due out in the second half."

I'd like to know how they do it now and how they plan to do it in the
future, considering this sentence makes no sense to me. The Itanium
architecture doesn't have an NX bit. There are two things they could
do. First they could actually use the fact that Itanium has separate
ITB and DTB and don't map your code pages into the data TLB! Second
they could set their data pages' access rights level to 2 (read, write),
and their instruction pages' access rights to 1 (read, execute) (other
combinations would give more useful but equally safe access to various
privileged code). But really, what is the chance that Microsoft would
write correct, much less safe, code? They don't even use the split TLB
system properly or allow any page size besides 8KB, AFAIK.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/large_page_support.asp

Thanks,
Eugene
 
Robert Wessel

Alex Johnson said:
The Itanium
architecture doesn't have an NX bit. There are two things they could
do. First they could actually use the fact that Itanium has separate
ITB and DTB and don't map your code pages into the data TLB! Second
they could set their data pages' access rights level to 2 (read, write),
and their instruction pages' access rights to 1 (read, execute) (other
combinations would give more useful but equally safe access to various
privileged code). But really, what is the chance that Microsoft would
write correct, much less safe, code? They don't even use the split TLB
system properly or allow any page size besides 8KB, AFAIK.


This is silly. Page access rights on IPF let you do everything you
can do with the U/S, R/W and NX bits on an x86, and then some. Or do
you think that somehow being able to explicitly disable execution on a
page is somehow different than having to explicitly enable it?
 
Stacey

Jan said:
In the US that would be:
'Can you PROVE you were not running anything illegal'?
This law will make it, as it saves companies ++++ on support.
JP

That was my thinking, this will give them something to blame ANY problem
on!!! And yes I'm sure "protection" laws are just around the corner. This
kind of BS is exactly what will end up killing the internet for many
people.
 
Jim Hull

Yousuf Khan said:
I was wondering about that, i.e. how data and instruction pages are
separated in Itanium? So it's actually done with two separate page tables,
as opposed to a single page table with a special attribute.

No. The ITLB and DTLB serve as on-chip caches of translations from a
single page table (the VHPT). Furthermore, the TLBs need not be separate
structures, but can be implemented as a single unified TLB if desired
(although no processor has yet done so). Given this, the only way the OS
can guarantee that data pages aren't executable is to set the access
rights field to a value that doesn't include execute permission. For
details of the access rights combinations defined by the Itanium
architecture, see Section 4.1.1.6, here:

http://developer.intel.com/design/itanium/manuals/245318.pdf#page=64

You might want to peruse the other parts of Chapter 4 of this document,
which describe other aspects of the Itanium addressing and protection
architecture.
This would also
make more sense in long-term architectural design point of view, as Itanium
is brand new and they can take brand new paths like this, whereas with x86
you have to take somewhat more limited steps.

Actually, the Itanium system architecture is, in general, pretty standard
stuff - mostly just combining various parts of the system architectures of
PA-RISC and IA32. This was done by design, to help minimize the effort of
porting OSs to Itanium. Not to say that there aren't interesting twists
(like explicit serialization) and new features (e.g., the RSE) to deal
with, but mostly it's supposed to look familiar to an OS designer.

-- Jim
HP Itanium Processor Architect
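The invariant Jim describes (a data page's access rights must not include execute permission) is something a defender can check from user space on an NX-capable Linux system. The following script is an added example, not code from any poster in this thread: it parses the Linux /proc/<pid>/maps format and flags mappings that are both writable and executable. The sample maps lines are constructed for the example; the live audit at the bottom assumes a Linux /proc filesystem and simply skips if one is not present.

```python
"""Audit process memory mappings for pages that are both writable and executable.

The point of an NX bit (or of an Itanium access-rights value without execute
permission) is that memory a program can write into is never also memory the
CPU will execute. This checks that W^X property against the Linux
/proc/<pid>/maps format. SAMPLE_MAPS below is constructed for the example.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

# One /proc/<pid>/maps line:  start-end perms offset dev inode [pathname]
# e.g. "01e00000-01e21000 rw-p 00000000 00:00 0 [heap]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # four characters: r/-, w/-, x/-, p/s
    path: str    # empty for anonymous mappings

    @property
    def writable(self) -> bool:
        return self.perms[1] == "w"

    @property
    def executable(self) -> bool:
        return self.perms[2] == "x"

    @property
    def violates_wx(self) -> bool:
        # W^X: a mapping may be writable or executable, never both.
        return self.writable and self.executable


def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse maps-format lines; raise ValueError on a malformed line."""
    mappings = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"].strip()))
    return mappings


def find_wx_violations(lines: Iterable[str]) -> List[Mapping]:
    """Return every mapping that is simultaneously writable and executable."""
    return [mp for mp in parse_maps(lines) if mp.violates_wx]


def audit_process(pid: str = "self") -> List[Mapping]:
    """Audit a live process via /proc (Linux only)."""
    with open(f"/proc/{pid}/maps") as f:
        return find_wx_violations(f)


# Constructed sample: a normal text/rodata/data layout, a heap and a stack that
# are rw-p as NX intends, plus one anonymous rwxp region that breaks W^X.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234 /usr/bin/demo
00401000-00402000 r-xp 00001000 08:01 1234 /usr/bin/demo
00402000-00403000 rw-p 00002000 08:01 1234 /usr/bin/demo
01e00000-01e21000 rw-p 00000000 00:00 0 [heap]
7f3a2c000000-7f3a2c100000 rwxp 00000000 00:00 0
7ffd1a2b0000-7ffd1a2d1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for v in find_wx_violations(SAMPLE_MAPS.splitlines()):
        print(f"W+X mapping {v.start:#x}-{v.end:#x} {v.perms} "
              f"{v.path or '(anonymous)'}")
    if os.path.exists("/proc/self/maps"):
        print(f"live process: {len(audit_process())} W+X mapping(s)")
```

On a system with NX enabled and a well-behaved runtime, the heap and stack show up as rw-p and no rwxp region is present; a JIT or a packer that writes code into memory and then runs it in place is the usual source of the rwxp lines this flags, which is why such regions are worth explaining rather than ignoring.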
 
Alex Johnson

Jim said:
No. The ITLB and DTLB serve as on-chip caches of translations from a
single page table (the VHPT).

This is generally true because the intent was to have the VHPT enabled.
However, this is not required. There can be separate software tables
which each handler uses. This does have a performance hit, but often
security is gained at the cost of performance. The actual
implementation of split caches makes this unexpected bonus possible.
Furthermore, the TLBs need not be separate
structures, but can be implemented as a single unified TLB if desired
(although no processor has yet done so). Given this, the only way the
OS can guarantee that data pages aren't executable is to set the
access rights field to a value that doesn't include execute
permission.

Sadly, you are wrong here, Jim. Intel will *never* go to a unified TLB
on Itanium because that would break legacy code. Intel sets up things
as "undefined" or having behavior which may change in each
microarchitecture, but invariably forces its designers to duplicate all
past "undefined" and optional behaviors to guarantee a customer's
incorrectly written code still functions. (Personal opinion, that
customer is almost always Microsoft.)

Alex
 
Jim Hull

Alex Johnson said:
This is generally true because the intent was to have the VHPT enabled.
However, this is not required. There can be separate software tables
which each handler uses. This does have a performance hit, but often
security is gained at the cost of performance. The actual
implementation of split caches makes this unexpected bonus possible.

Yes, I probably should have made it clearer that I was assuming that the
VHPT walker is enabled, since as you say, there is a substantial
performance advantage in doing so. I was trying to avoid going into too
many details, but now that you've brought it up, here are some more:

The architecture allows the walker to be enabled for some portions of the
address space and disabled for others (this is controlled by the "ve" bit
in each region register). For regions where it is enabled, you must have
a single VHPT in one of the architecturally-defined formats. For regions
where the walker is disabled, all TLB misses result in faults to special
OS handlers, which can be written to access separate page tables, tables
in whatever format the OS likes, or even no tables at all (linux uses the
latter to create "identity-mapped" memory).
Sadly, you are wrong here, Jim.

I don't think so. I did, however, over simplify things again. The
architecture defines two sub-sections in the TLBs, Translation Registers
(TRs), which you can think of as "pinned" entries, and Translation Cache
(TC) entries. The TRs are guaranteed not to be unified, but the TCs
can be.
Intel will *never* go to a unified TLB
on Itanium because that would break legacy code.

I'd love to hear about what existing code you think will break.
Intel sets up things
as "undefined" or having behavior which may change in each
microarchitecture, but invariably forces its designers to duplicate all
past "undefined" and optional behaviors to guarantee a customer's
incorrectly written code still functions. (Personal opinion, that
customer is almost always Microsoft.)

I agree that this is how Intel behaves in the IA-32 world. I think part
of the problem there is that too much of the architecture was
underspecified, and mixed in with implementation specifics, with no way
for software to separate the two.

However, my experience in the Itanium world is different. Intel seems to
be more willing to change implementations in order to take advantage of
optional or undefined behavior, so long as it is clearly documented in the
architecture that such implementations are allowed, as in this case - see
Volume 2, Section 4.1.1.3, here:

http://developer.intel.com/design/itanium/manuals/245318.pdf#page=60

-- Jim
HP Itanium Processor Architect
 
Terje Mathisen

Jan said:
On a sunny day (21 May 2004 17:29:11 -0400) it happened Christopher Brian


Interesting and clearly written, but some questions remain, such as for example

Do I really want all my hw to support/require encrypted tunnels?
the coordinates of redmond for a nuclear attack.

No problem! :)
(Or should that be :-( ?)

From Garmin's City Select:

Microsoft-Corporate Headquarters
1 Microsoft Way
Redmond, WA 98052
425-882-8080

N47.64376 W122.13050

Terje
 
Alex Johnson

Jim said:
For regions
where the walker is disabled, all TLB misses result in faults to special
OS handlers, which can be written to access separate page tables, tables
in whatever format the OS likes, or even no tables at all (linux uses the
latter to create "identity-mapped" memory).

That's interesting. I've learned something new. Linux uses no page
table structure? What exactly is identity-mapped memory? Funny, I
hacked the kernel and simulated bootup sequences but never had the time
to delve into what was going on in those sequences.
Sadly (or not), I'm wrong. That's a small paragraph in a large book.
But it looks like intel did plan ahead for that.
I'd love to hear about what existing code you think will break.

I don't know of any real examples, but I've been told enough horror
stories from the trenches of vendors NOT following the published specs
and doing implementation specific behaviors because it is easier for
them, or enables some copy protection scheme. I'm sure there are people
out there that don't obey the rules for translations either because they
don't know what they are doing or don't care. And when those large
vendors' software is broken by a new design and they complain, intel
will not point to the books and say "you didn't do this the way we told
you", they'll say "oh, you need it to work like this? here, i'll just
go get the engineers to change it back for you." But usually that kind
of thing only happens for bug-dependent code or code dependent on
undefined behaviors, which later become defined to be whatever the first
chip did since some valuable code depends on it.

Alex
 
I R T

In the US that would be:
'Can you PROVE you were not running anything illegal'?
This law will make it, as it saves companies ++++ on support.

And a free holiday in Guantanamo Bay, for anyone who looks even
slightly suspicious.

I hope that they have cleaned the chemical lights after use....