Microsoft may abandon Palladium for AMD's NX-bit

Archived from groups: comp.arch,comp.sys.ibm.pc.hardware.chips,comp.sys.intel (More info?)

Now these two stories confuse me a little bit. When we first heard about
Palladium (or NGSCB or whatever it's being called today), it was supposed to
be this dire invasion of our privacies, etc., etc. But now it simply looks
like it was something to stop viruses. So how exactly was Palladium supposed
to work anyways? Was there supposed to be some hardware support for this
technology, or was it entirely software? If there was hardware support, were
they using separated code and data segments as has existed in 32-bit
processors but never implemented, since the 386? What was Palladium supposed
to be really?

http://www.theinquirer.net/?article=15737

http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=49936

Yousuf Khan

--
Humans: contact me at ykhan at rogers dot com
Spambots: just reply to this email address ;-)
  1.

    On Wed, 05 May 2004 16:33:27 +0000, Yousuf Khan wrote:

    > Now these two stories confuse me a little bit.

    Not surprising since the Inquirer article is bogus. The NX bit is
    orthogonal to Palladium.

    > When we first heard about
    > Palladium (or NGSCB or whatever it's being called today), it was supposed to
    > be this dire invasion of our privacies, etc., etc. But now it simply looks
    > like it was something to stop viruses.

    Palladium provides little protection against viruses/worms; it's not
    intended to.

    > So how exactly was Palladium supposed
    > to work anyways? Was there supposed to be some hardware support for this
    > technology, or was it entirely software? If there was hardware support, were
    > they using separated code and data segments as has existed in 32-bit
    > processors but never implemented, since the 386? What was Palladium supposed
    > to be really?

    http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php

    http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

    --
    Wes Felter - wesley@felter.org - http://felter.org/wesley/
  2.

    Wes Felter wrote:

    > On Wed, 05 May 2004 16:33:27 +0000, Yousuf Khan wrote:
    >
    >> What was Palladium
    >> supposed to be really?
    >
    > http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
    >
    > http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
    >

    Looks like security for THEM at our expense. I love being treated like a
    thief! This BS is why I stopped using MS products to start with!
    --

    Stacey
  3.

    Wes Felter wrote:
    > Palladium provides little protection against viruses/worms; it's not
    > intended to.
    >
    >> So how exactly was Palladium supposed
    >> to work anyways? Was there supposed to be some hardware support for
    >> this technology, or was it entirely software? If there was hardware
    >> support, were they using separated code and data segments as has
    >> existed in 32-bit processors but never implemented, since the 386?
    >> What was Palladium supposed to be really?
    >
    > http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
    >
    > http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

    Oh yes, now I remember what we were so afraid of Palladium for. :-)

    Your computer breaks down and you call for tech support, and part of the
    tech support questions would be, "were you trying to run something illegal,
    sir?"

    Yousuf Khan
  4.

    CRN said:
    "Microsoft's 64-bit Windows XP and Windows Server 2003 for Extended
    Systems will also support the NX feature in Intel Itanium processors for
    clients due out in the second half."

    I'd like to know how they do it now and how they plan to do it in the
    future, considering this sentence makes no sense to me. The Itanium
    architecture doesn't have an NX bit. There are two things they could
    do. First they could actually use the fact that Itanium has separate
    ITB and DTB and don't map your code pages into the data TLB! Second
    they could set their data pages' access rights level to 2 (read, write),
    and their instruction pages' access rights to 1 (read, execute) (other
    combinations would give more useful but equally safe access to various
    privileged code). But really, what is the chance that Microsoft would
    write correct, much less safe, code? They don't even use the split TLB
    system properly or allow any page size besides 8KB, AFAIK.

    Alex
    --
    My words are my own. They represent no other; they belong to no other.
    Don't read anything into them or you may be required to compensate me
    for violation of copyright. (I do not speak for my employer.)
  5.

    Yousuf Khan wrote:

    > Oh yes, now I remember what we were so afraid of Palladium for. :-)
    >
    > Your computer breaks down and you call for tech support, and part of the
    > tech support questions would be, "were you trying to run something
    > illegal, sir?"
    >

    Well, more like:

    We determined that you have run something illegal. Homeland Security has
    been alerted!

    (back in the lurk mode :)
    --
    Sam I am
    Spam alert! Reply-to address is bogus
    spam_heaven at sympatico dot ca is where I can be reached
  6.

    "Alex Johnson" <compuwiz@acm.org> wrote in message
    news:c7fvk5$6le$1@news01.intel.com...
    > CRN said:
    > "Microsoft's 64-bit Windows XP and Windows Server 2003 for Extended
    > Systems will also support the NX feature in Intel Itanium processors for
    > clients due out in the second half."
    >
    > I'd like to know how they do it now and how they plan to do it in the
    > future, considering this sentence makes no sense to me. The Itanium
    > architecture doesn't have an NX bit. There are two things they could
    > do. First they could actually use the fact that Itanium has separate
    > ITB and DTB and don't map your code pages into the data TLB! Second
    > they could set their data pages' access rights level to 2 (read, write),
    > and their instruction pages' access rights to 1 (read, execute) (other
    > combinations would give more useful but equally safe access to various
    > privileged code). But really, what is the chance that Microsoft would
    > write correct, much less safe, code? They don't even use the split TLB
    > system properly or allow any page size besides 8KB, AFAIK.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/large_page_support.asp

    Thanks,
    Eugene

    > Alex
    > --
    > My words are my own. They represent no other; they belong to no other.
    > Don't read anything into them or you may be required to compensate me
    > for violation of copyright. (I do not speak for my employer.)
    >
  7.

    Alex Johnson <compuwiz@acm.org> wrote in message news:<c7fvk5$6le$1@news01.intel.com>...
    > The Itanium
    > architecture doesn't have an NX bit. There are two things they could
    > do. First they could actually use the fact that Itanium has separate
    > ITB and DTB and don't map your code pages into the data TLB! Second
    > they could set their data pages' access rights level to 2 (read, write),
    > and their instruction pages' access rights to 1 (read, execute) (other
    > combinations would give more useful but equally safe access to various
    > privileged code). But really, what is the chance that Microsoft would
    > write correct, much less safe, code? They don't even use the split TLB
    > system properly or allow any page size besides 8KB, AFAIK.


    This is silly. Page access rights on IPF let you do everything you
    can do with the U/S, R/W and NX bits on an x86, and then some. Or do
    you think that somehow being able to explicitly disable execution on a
    page is somehow different than having to explicitly enable it?
  8.

    On a sunny day (Thu, 06 May 2004 21:09:53 GMT) it happened "Yousuf Khan"
    <news.tally.bbbl67@spamgourmet.com> wrote in
    <BQxmc.432375$2oI1.147591@twister01.bloor.is.net.cable.rogers.com>:

    >Wes Felter wrote:
    >> Palladium provides little protection against viruses/worms; it's not
    >> intended to.
    >>
    >>> So how exactly was Palladium supposed
    >>> to work anyways? Was there supposed to be some hardware support for
    >>> this technology, or was it entirely software? If there was hardware
    >>> support, were they using separated code and data segments as has
    >>> existed in 32-bit processors but never implemented, since the 386?
    >>> What was Palladium supposed to be really?
    >>
    >> http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
    >>
    >> http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
    >
    >Oh yes, now I remember what we were so afraid of Palladium for. :-)
    >
    >Your computer breaks down and you call for tech support, and part of the
    >tech support questions would be, "were you trying to run something illegal,
    >sir?"
    >
    > Yousuf Khan

    In the US that would be:
    'Can you PROVE you were not running anything illegal'?
    This law will make it, as it saves companies ++++ on support.
    JP
  9.

    "Alex Johnson" <compuwiz@acm.org> wrote in message
    news:c7fvk5$6le$1@news01.intel.com...
    > CRN said:
    > "Microsoft's 64-bit Windows XP and Windows Server 2003 for Extended
    > Systems will also support the NX feature in Intel Itanium processors for
    > clients due out in the second half."
    >
    > I'd like to know how they do it now and how they plan to do it in the
    > future, considering this sentence makes no sense to me. The Itanium
    > architecture doesn't have an NX bit. There are two things they could
    > do. First they could actually use the fact that Itanium has separate
    > ITB and DTB and don't map your code pages into the data TLB! Second
    > they could set their data pages' access rights level to 2 (read, write),
    > and their instruction pages' access rights to 1 (read, execute) (other
    > combinations would give more useful but equally safe access to various
    > privileged code). But really, what is the chance that Microsoft would
    > write correct, much less safe, code? They don't even use the split TLB
    > system properly or allow any page size besides 8KB, AFAIK.

    I was wondering about that, i.e. how data and instruction pages are
    separated in Itanium? So it's actually done with two separate page tables,
    as opposed to a single page table with a special attribute. This would also
    make more sense in long-term architectural design point of view, as Itanium
    is brand new and they can take brand new paths like this, whereas with x86
    you have to take somewhat more limited steps.

    Yousuf Khan
  10.

    Jan Panteltje wrote:

    >
    > In the US that would be:
    > 'Can you PROVE you were not running anything illegal'?
    > This law will make it, as it saves companies ++++ on support.
    > JP

    That was my thinking, this will give them something to blame ANY problem
    on!!! And yes I'm sure "protection" laws are just around the corner. This
    kind of BS is exactly what will end up killing the internet for many
    people.

    --

    Stacey
  11.

    Yousuf Khan <news.tally.bbbl67@spamgourmet.com> wrote ...
    > "Alex Johnson" <compuwiz@acm.org> wrote in message
    > news:c7fvk5$6le$1@news01.intel.com...
    > > CRN said:
    > > "Microsoft's 64-bit Windows XP and Windows Server 2003 for Extended
    > > Systems will also support the NX feature in Intel Itanium processors for
    > > clients due out in the second half."
    > >
    > > I'd like to know how they do it now and how they plan to do it in the
    > > future, considering this sentence makes no sense to me. The Itanium
    > > architecture doesn't have an NX bit. There are two things they could
    > > do. First they could actually use the fact that Itanium has separate
    > > ITB and DTB and don't map your code pages into the data TLB! Second
    > > they could set their data pages' access rights level to 2 (read, write),
    > > and their instruction pages' access rights to 1 (read, execute) (other
    > > combinations would give more useful but equally safe access to various
    > > privileged code). But really, what is the chance that Microsoft would
    > > write correct, much less safe, code? They don't even use the split TLB
    > > system properly or allow any page size besides 8KB, AFAIK.
    >
    > I was wondering about that, i.e. how data and instruction pages are
    > separated in Itanium? So it's actually done with two separate page tables,
    > as opposed to a single page table with a special attribute.

    No. The ITLB and DTLB serve as on-chip caches of translations from a
    single page table (the VHPT). Furthermore, the TLBs need not be separate
    structures, but can be implemented as a single unified TLB if desired
    (although no processor has yet done so). Given this, the only way the OS
    can guarantee that data pages aren't executable is to set the access
    rights field to a value that doesn't include execute permission. For
    details of the access rights combinations defined by the Itanium
    architecture, see Section 4.1.1.6, here:

    http://developer.intel.com/design/itanium/manuals/245318.pdf#page=64

    You might want to peruse the other parts of Chapter 4 of this document,
    which describe other aspects of the Itanium addressing and protection
    architecture.

    > This would also
    > make more sense in long-term architectural design point of view, as Itanium
    > is brand new and they can take brand new paths like this, whereas with x86
    > you have to take somewhat more limited steps.

    Actually, the Itanium system architecture is, in general, pretty standard
    stuff - mostly just combining various parts of the system architectures of
    PA-RISC and IA32. This was done by design, to help minimize the effort of
    porting OSs to Itanium. Not to say that there aren't interesting twists
    (like explicit serialization) and new features (e.g., the RSE) to deal
    with, but mostly it's supposed to look familiar to an OS designer.

    -- Jim
    HP Itanium Processor Architect
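The distinction argued over in this part of the thread, as an added example that is not from any poster: on x86 a present page is executable unless the NX bit is set and enabled, while with access-rights values of the kind described above execute has to be granted explicitly. The x86 PTE bit positions are architectural; the sample entries, the helper names, and the restriction to the two access-rights values named in the thread (1 = read/execute, 2 = read/write) are a constructed model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 page-table entry bits (architectural). */
#define PTE_P  (1ULL << 0)   /* present */
#define PTE_RW (1ULL << 1)   /* writable */
#define PTE_US (1ULL << 2)   /* user-mode accessible */
#define PTE_NX (1ULL << 63)  /* no-execute; only valid when EFER.NXE = 1 */

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/* Constructed sample address space: one code, one heap, one stack page. */
static const uint64_t sample_ptes[] = {
    0x0000000000401000ULL | PTE_P | PTE_US,                    /* code  */
    0x0000000000602000ULL | PTE_P | PTE_US | PTE_RW | PTE_NX,  /* heap  */
    0x00000000007ff000ULL | PTE_P | PTE_US | PTE_RW | PTE_NX,  /* stack */
};
/* The same three pages expressed as explicit access-rights values. */
static const unsigned sample_ars[] = { 1, 2, 2 };
#define N_PAGES (sizeof sample_ptes / sizeof sample_ptes[0])

/* Effective permissions of an x86 PTE (simplified: present implies readable).
 * Execute is implied unless NX is both supported/enabled and set. */
static unsigned x86_perms(uint64_t pte, bool nxe)
{
    if (!(pte & PTE_P))
        return 0;
    unsigned p = PERM_R;
    if (pte & PTE_RW)
        p |= PERM_W;
    if (!nxe || !(pte & PTE_NX))
        p |= PERM_X;
    return p;
}

/* Permissions for the two access-rights values named in the thread.
 * Other encodings are deliberately not modelled here. */
static unsigned ar_perms(unsigned ar)
{
    switch (ar) {
    case 1:  return PERM_R | PERM_X;
    case 2:  return PERM_R | PERM_W;
    default: return 0;
    }
}

static bool is_wx(unsigned perms)
{
    return (perms & PERM_W) && (perms & PERM_X);
}

/* Count pages that are both writable and executable under the x86 model.
 * With NXE off, bit 63 is reserved and the OS must leave it clear, so the
 * same layout is audited with the NX bits masked out. */
size_t audit_x86(bool nxe)
{
    size_t bad = 0;
    for (size_t i = 0; i < N_PAGES; i++) {
        uint64_t pte = nxe ? sample_ptes[i] : (sample_ptes[i] & ~PTE_NX);
        if (is_wx(x86_perms(pte, nxe)))
            bad++;
    }
    return bad;
}

/* Same audit under the explicit access-rights model. */
size_t audit_ar(void)
{
    size_t bad = 0;
    for (size_t i = 0; i < N_PAGES; i++)
        if (is_wx(ar_perms(sample_ars[i])))
            bad++;
    return bad;
}

int main(void)
{
    printf("x86, NX enabled : %zu writable+executable pages\n", audit_x86(true));
    printf("x86, NX absent  : %zu writable+executable pages\n", audit_x86(false));
    printf("access rights   : %zu writable+executable pages\n", audit_ar());
    return 0;
}
```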
  12.

    Jim Hull wrote:
    > No. The ITLB and DTLB serve as on-chip caches of translations from a
    > single page table (the VHPT).

    This is generally true because the intent was to have the VHPT enabled.
    However, this is not required. There can be separate software tables
    which each handler uses. This does have a performance hit, but often
    security is gained at the cost of performance. The actual
    implementation of split caches makes this unexpected bonus possible.

    > Furthermore, the TLBs need not be separate
    > structures, but can be implemented as a single unified TLB if desired
    > (although no processor has yet done so). Given this, the only way the
    > OS can guarantee that data pages aren't executable is to set the
    > access rights field to a value that doesn't include execute
    > permission.

    Sadly, you are wrong here, Jim. Intel will *never* go to a unified TLB
    on Itanium because that would break legacy code. Intel sets up things
    as "undefined" or having behavior which may change in each
    microarchitecture, but invariably forces its designers to duplicate all
    past "undefined" and optional behaviors to guarantee a customer's
    incorrectly written code still functions. (Personal opinion, that
    customer is almost always Microsoft.)

    Alex
    --
    My words are my own. They represent no other; they belong to no other.
    Don't read anything into them or you may be required to compensate me
    for violation of copyright. (I do not speak for my employer.)
  13.

    Alex Johnson <compuwiz@acm.org> wrote ...
    > Jim Hull wrote:
    > > No. The ITLB and DTLB serve as on-chip caches of translations from a
    > > single page table (the VHPT).
    >
    > This is generally true because the intent was to have the VHPT enabled.
    > However, this is not required. There can be separate software tables
    > which each handler uses. This does have a performance hit, but often
    > security is gained at the cost of performance. The actual
    > implementation of split caches makes this unexpected bonus possible.

    Yes, I probably should have made it clearer that I was assuming that the
    VHPT walker is enabled, since as you say, there is a substantial
    performance advantage in doing so. I was trying to avoid going into too
    many details, but now that you've brought it up, here are some more:

    The architecture allows the walker to be enabled for some portions of the
    address space and disabled for others (this is controlled by the "ve" bit
    in each region register). For regions where it is enabled, you must have
    a single VHPT in one of the architecturally-defined formats. For regions
    where the walker is disabled, all TLB misses result in faults to special
    OS handlers, which can be written to access separate page tables, tables
    in whatever format the OS likes, or even no tables at all (linux uses the
    latter to create "identity-mapped" memory).

    > > Furthermore, the TLBs need not be separate
    > > structures, but can be implemented as a single unified TLB if desired
    > > (although no processor has yet done so). Given this, the only way the
    > > OS can guarantee that data pages aren't executable is to set the
    > > access rights field to a value that doesn't include execute
    > > permission.
    >
    > Sadly, you are wrong here, Jim.

    I don't think so. I did, however, oversimplify things again. The
    architecture defines two sub-sections in the TLBs, Translation Registers
    (TRs), which you can think of as "pinned" entries, and Translation Cache
    (TC) entries. The TRs are guaranteed not to be unified, but the TCs
    can be.

    > Intel will *never* go to a unified TLB
    > on Itanium because that would break legacy code.

    I'd love to hear about what existing code you think will break.

    > Intel sets up things
    > as "undefined" or having behavior which may change in each
    > microarchitecture, but invariably forces its designers to duplicate all
    > past "undefined" and optional behaviors to guarantee a customer's
    > incorrectly written code still functions. (Personal opinion, that
    > customer is almost always Microsoft.)

    I agree that this is how Intel behaves in the IA-32 world. I think part
    of the problem there is that too much of the architecture was
    underspecified, and mixed in with implementation specifics, with no way
    for software to separate the two.

    However, my experience in the Itanium world is different. Intel seems to
    be more willing to change implementations in order to take advantage of
    optional or undefined behavior, so long as it is clearly documented in the
    architecture that such implementations are allowed, as in this case - see
    Volume 2, Section 4.1.1.3, here:

    http://developer.intel.com/design/itanium/manuals/245318.pdf#page=60

    -- Jim
    HP Itanium Processor Architect
  14.

    "Yousuf Khan" <news.tally.bbbl67@spamgourmet.com> writes:
    > What was Palladium supposed to be really?

    A while back when the FUD was flying everywhere, I wrote a brief
    description of what Palladium (and TCPA) is supposed to be, from a
    technical standpoint. Perhaps it would help clarify things:

    http://www.colohan.com/docs/trusted_computing.html

    Chris
    --
    Chris Colohan Email: chris@colohan.ca PGP: finger colohan@cs.cmu.edu
    Web: www.colohan.com Phone: (412)268-4751
  15.

    On a sunny day (21 May 2004 17:29:11 -0400) it happened Christopher Brian
    Colohan <colohan+@cs.cmu.edu> wrote in
    <uclsmdto4ew.fsf@cilento.stampede.cs.cmu.edu>:

    >"Yousuf Khan" <news.tally.bbbl67@spamgourmet.com> writes:
    >> What was Palladium supposed to be really?
    >
    >A while back when the FUD was flying everywhere, I wrote a brief
    >description of what Palladium (and TCPA) is supposed to be, from a
    >technical standpoint. Perhaps it would help clarify things:
    >
    >http://www.colohan.com/docs/trusted_computing.html

    Interesting and clearly written, but some questions remain, such as for example
    the coordinates of Redmond for a nuclear attack.
    JP
  16.

    Jan Panteltje wrote:

    > On a sunny day (21 May 2004 17:29:11 -0400) it happened Christopher Brian
    > Colohan <colohan+@cs.cmu.edu> wrote in
    >>http://www.colohan.com/docs/trusted_computing.html
    >
    > Interesting and clearly written, but some questions remain, such as for example

    Do I really want all my hw to support/require encrypted tunnels?

    > the coordinates of redmond for a nuclear attack.

    No problem! :-)
    (Or should that be :-( ?)

    From Garmin's City Select:

    Microsoft-Corporate Headquarters
    1 Microsoft Way
    Redmond, WA 98052
    425-882-8080

    N47.64376 W122.13050

    Terje

    --
    - <Terje.Mathisen@hda.hydro.com>
    "almost all programming can be viewed as an exercise in caching"
  17.

    Jim Hull wrote:
    > For regions
    > where the walker is disabled, all TLB misses result in faults to special
    > OS handlers, which can be written to access separate page tables, tables
    > in whatever format the OS likes, or even no tables at all (linux uses the
    > latter to create "identity-mapped" memory).

    That's interesting. I've learned something new. Linux uses no page
    table structure? What exactly is identity-mapped memory? Funny, I
    hacked the kernel and simulated bootup sequences but never had the time
    to delve into what was going on in those sequences.

    >> > Furthermore, the TLBs need not be separate
    >> > structures, but can be implemented as a single unified TLB if desired
    >> > (although no processor has yet done so). Given this, the only way the
    >> > OS can guarantee that data pages aren't executable is to set the
    >> > access rights field to a value that doesn't include execute
    >> > permission.
    >>
    >>Sadly, you are wrong here, Jim.

    >http://developer.intel.com/design/itanium/manuals/245318.pdf#page=60

    Sadly (or not), I'm wrong. That's a small paragraph in a large book.
    But it looks like Intel did plan ahead for that.

    >>Intel will *never* go to a unified TLB
    >>on Itanium because that would break legacy code.
    >
    > I'd love to hear about what existing code you think will break.

    I don't know of any real examples, but I've been told enough horror
    stories from the trenches of vendors NOT following the published specs
    and doing implementation specific behaviors because it is easier for
    them, or enables some copy protection scheme. I'm sure there are people
    out there that don't obey the rules for translations either because they
    don't know what they are doing or don't care. And when those large
    vendors' software is broken by a new design and they complain, intel
    will not point to the books and say "you didn't do this the way we told
    you", they'll say "oh, you need it to work like this? here, i'll just
    go get the engineers to change it back for you." But usually that kind
    of thing only happens for bug-dependent code or code dependent on
    undefined behaviors, which later become defined to be whatever the first
    chip did since some valuable code depends on it.

    Alex
    --
    My words are my own. They represent no other; they belong to no other.
    Don't read anything into them or you may be required to compensate me
    for violation of copyright. (I do not speak for my employer.)
  18.

    > In the US that would be:
    > 'Can you PROVE you were not running anything illegal'?
    > This law will make it, as it saves companies ++++ on support.

    And a free holiday in Guantanamo Bay, for anyone who looks even
    slightly suspicious.

    I hope that they have cleaned the chemical lights after use....