In which AMD defines a new instruction, and Intel copies it with a subtle difference which trips up everyone (AMD's way is better IMO, and it came first).
He's just very dramatically pointing out that, oh, there are some changes we now need to account for, and Intel didn't tell us poor open source developers about them, and that's (supposedly) totally unreasonable. Besides the fact that Intel does not owe De Raadt anything (other software makers pay a hefty sum to be partners, while OpenBSD developers insult anyone who doesn't give them free shit), these bugs are a given in any production process. I don't care if you're Ikea or Exxon or Apple, you don't adopt new shit into your product and not expect shit to break. So his outrage is both presumptuous and facile.
No, you're moving the goalposts. DeRaadt pointed out that x86 "barely" has a working paging system. A commenter on HN said there was no basis for that statement, that he was picking on something that wasn't broken, that it was just FUD. It was not FUD. That claim has been refuted.
I wasn't addressing the paging system issue, but that was definitely FUD too. FUD does not have to be disinformation per se. Its main property is the spread of a generally negative viewpoint that is intended to persuade the recipient to side with the negative actor.
Even if the paging system is broken, that's no reason to simply stop using VMs on it, or to say it's impossible to have a secure VM on a system with broken paging. It's perfectly possible to have a VM on a broken-paging machine that's more secure than a working-paging machine's OS, with or without a VM.
De Raadt was not trying to make a rational argument about the validity of VMs on faulty hardware. He was literally saying you are stupid if you put a VM on x86 and expect it to be secure. Which is a stupid thing to say without knowing anything about the OSes, or what the alternative might be, either platform or OS-wise, to say nothing of hardening.
De Raadt has a bone to pick with Intel and specifically x86-based machines, and is simply interested in convincing people not to use it by insinuating you're innately not capable of doing secure computing on it. Which is basically untrue. That's why it's FUD.
One thing does not follow from the other. Core 2 has had paging bugs, ergo x86 has a barely working paging system => Pentium had the FDIV bug, ergo x86 can't be trusted with arithmetic.
For the claim to be properly refuted, the claimer would have to show systemic problems in x86 paging. I believe such a claim can be made, but it simply wasn't yet.
You're litigating a different claim than I am. The claim I'm refuting is:
"'barely has correct page protection' is just a way of saying 'has correct page protection, but I want to be really snotty about it'"
I don't have to demonstrate systemic flaws in x86 paging to refute that.
I don't think paging system security is a good basis on which to choose processor architectures. I do sort of agree with Theo's point about virtualization, which really is a petri dish for terrible vulnerabilities. But either way: my point is just that Theo isn't just making things up here.