Qualcomm 8cx Gen 3: Too dangerous to deploy

Slow, expensive, and malware in hardware

Qualcomm Snapdragon logoQualcomm’s PC efforts have gone from being noncompetitive to too dangerous to deploy. How bad is it? SemiAccurate asked basic questions and Qualcomm deflected them and then lied to us.

History:

You might recall in 2018 when Qualcomm debuted their compute efforts with the 8cx SoC, a Windows laptop chip that was both woefully underpowered and vastly overpriced. It was locked to 32-bit code with 64-bit promised really soon. 3+ years later we aren’t sure if it has fully arrived but honestly no one cares at this point. Windows on ARM RT/WART/ARM laptops were a really bad idea to start off with and have gotten worse since.

When the 8cx debuted it was met with cautious optimism by the press. We all thought that even with the crippling disadvantages like emulating a faster CPU with a slower one, it might have been a good ‘bathroom PC’ or something you give to the grandparents. Basically a consumption device with a keyboard not on the screen, a tablet competitor. Given the specs of the first device we all figured it would cost in the $2-300 range, basically about the same as a slightly better equipped x86 PC.

Our first clue that something was off was when the OEMs, HP and Asus from memory, would not give out pricing. Then people ran benchmarks when no one was looking, we were officially forbidden to do so. Clue #2 and when people broke the rules, it became clear why they didn’t want numbers out. The next day when the prices were revealed, from memory the low spec was $799 and the high spec was $1199, there were collective gasps from the press. We honestly thought they were joking. The low end one cost significantly more than a vastly faster and better equipped PC.

Then Qualcomm showed us how their ARM PCs comprehensively beat an x86 Windows PC. Unfortunately it was a multi-year old, bottom of the barrel PC that was technically still on sale. Significantly faster PCs that had far more storage and cost half as much as the WARTbooks were somehow ignored for these comparisons. Did we forget to mention that once Windows and Office was installed there wasn’t really enough space left to do anything useful on the low end device? And that it was Windows SE so basically useless. That said the SE only mandate was quickly backpedaled but the storage space problem got worse with every patch. By this point the press had written it off and would laugh at the PR promises, we weren’t hiding our thoughts.

By the next year Qualcomm had seen the error of their ways and fixed everything with the 8cx Gen 2. Just kidding the second gen was the exact same chip bar some minor updates. What was woefully underpowered and woefully overpriced was now even further behind the curve and no cheaper. For some reason what might have had a place as a “WalMart special” at $199 was being offered around the $999 mark against PCs with significantly faster x86 CPUs, way better graphics, no compatibility issues, the ability to *GASP* run 64-bit code, multiples larger storage, and more. At this point we wrote the category off for cause.

Even with that in mind SemiAccurate tried multiple times to get Qualcomm to give or loan us one of these PCs so we could try it. The vain hope was that there was something magical that we missed that would change our minds. For some reason the few times that Qualcomm PR responded to our requests, they were usually just blackholed, they said no. Any guesses why?

Today:

That brings us to today with the vastly ‘better’ 8cx Gen 3. Why the quotes? Because this is all based on an infographic. When Qualcomm pre-briefed the press we asked them what the CPU cores were on this part. We were told directly that they wouldn’t answer now but there would be a full briefing on compute before the Hawaii ‘Tech’ Summit. Last Friday we inquired about the brief as time as running out. Qualcomm PR didn’t bother to answer our email much less have the courtesy to say no.

As it turns out they outright lied to SemiAccurate and all the press at the brief, there was no brief, they just didn’t want to answer the question. So we asked about the cores in the 8cx Gen 3 via email and the response made things clear, “We are not disclosing for compute or gaming platforms.”. If you had any hope that the Qualcomm compute efforts would shed their status as a running joke, this should end any such folly. Apple is clearly showing what can and should be done for an ARM based PC, Qualcomm is doing the exact opposite.

Luckily there is the future and that future is Nuvia cores. A few weeks ago at their investor day, Qualcomm executives went out of their way to praise the Nuvia cores and point out that they are the future. The hype was so great that we had to double check our notes to see if they were talking about the same cores SemiAccurate had been researching for a few months now. They were but somehow their opinions on the state of that effort are diametrically opposed to the data we found. More on that in a separate article but if you are expecting the Nuvia cores to fix the Qualcomm compute efforts, you are in for a rude awakening.

Then there is the competition. As you may have heard, Qualcomm has an effective monopoly on WARTbooks with only Microsoft’s internal CPUs as competition. That is going to end soon and the offerings from the competition that SemiAccurate is aware of should make the Qualcomm efforts seem like the toys they are. Qualcomm had a golden opportunity with the 8cx and botched it, didn’t update anything for three years, and now is about to lose the market they created. Luckily this tale of woe has a light at the end of the tunnel with the aforementioned 8cx Gen 3.

The ‘Tech’:

Snapdragon Tech Summit 2021 8cx Gen 3 infographic

The laughable briefs continue

Yup, technical briefs reduced to infographics and outright lies once again. What you see above is the entirety of the 8cx Gen 3 ‘technical’ pre-brief. They were overjoyed at how much faster it was against, well they wouldn’t say what they compared the part to. Nor what was in it. Or anything else really, they just lied to deflect questions.

So in the end if you want a Windows PC, you can choose an x86 part from AMD or Intel that is fast, cheap, and well equipped, or a Qualcomm based PC that is more expensive, has almost no storage, is slower, and has a lot of compatibility headaches. Could it get worse? Actually yes, the ‘security’ additions make the 8cx Gen 3 literally too dangerous to use. No that isn’t a joke, the 8cx is infected with a remotely accessible, but not by you, rootkit that you can’t block or remove.

Rootkits in Hardware:

What are we talking about? Microsoft Pluton, a remotely accessible TPM and platform security block that is not user accessible. The idea is that Microsoft can update your firmware, validate your platform, encrypt/decrypt anything, push or remove keys, and much more, all silently without your permission, knowledge, or ability to block. This block literally allows them to do anything they want to your PC remotely and there isn’t a damn thing you can do about it. You won’t even know they are doing something if they don’t decide to notify you. It is malware in hardware and is quite literally too dangerous to deploy. Think we are joking? Read this.

The Microsoft Pluton design technology incorporates all of the learnings from delivering hardware root-of-trust-enabled devices to hundreds of millions of PCs. The Pluton design was introduced as part of the integrated hardware and OS security capabilities in the Xbox One console released in 2013 by Microsoft in partnership with AMD and also within Azure Sphere. The introduction of Microsoft’s IP technology directly into the CPU silicon helped guard against physical attacks, prevent the discovery of keys, and provide the ability to recover from software bugs.

From the PR spin it is wonderful and will make the world a better place. Unless someone at Microsoft doesn’t like you, then they can shut you down or nuke your files remotely with no traces of wrongdoing. And any government can ‘request’ that Microsoft pull anything on your PC and give it to them, the TPM in Pluton holds the keys for disk and memory encryption so that becomes a moot point. Basically it blows away anything you can do to secure your data and system on Windows if you use a Pluton equipped machine.

SemiAccurate asked Qualcomm about this and we were told not to worry because Pluton only works with the OS. Other than the fact that this is actually one of our biggest worries it is provably not true. Pluton is touted as being able to recover a non-booting machine so if the OS isn’t active and Pluton can fix it, that means someone isn’t telling the truth. SemiAccurate tried to get answers from Qualcomm about this contradiction and how any sane person could deploy this malware but instead of the promised briefing we were lied to. Again any thoughts on why they would do this?

So if you deploy an 8cx Gen 3, be aware you are giving a third party remote rights to everything on your computer. When you agree to the EULA, you give up any recourse you have if they do something you don’t approve of. If a government wants your data, you won’t even know it has been taken. Luckily no third part will ever get the keys because Microsoft has rock solid, impenetrable security, just ask Solar Winds or any of the few hundred recent ransomware victims, they will tell you how good MS security is.

And then we get to key management. There are two ways to do this, have a single key for every chip, that would technically be called the ‘right’ way to do things, or to have a single key for all machines or at least a class of machines. Call us crazy but we are pretty sure Microsoft won’t take the unique key approach, a few hundred million keys is untenable. That means the leaking of a single key will mean attackers have full and silent control over a large group of machines and all of their data data, encryption will do nothing to stop them because Pluton holds all the keys. It is a nightmare.

Lastly we come to the small issue of non-US users. If you are in the US, there are a few paper thin laws and vague precedents about what can and can not be done to you and your data. For the most part you have some control about what data can be taken and by whom, at least pre-Pluton. If you are in any other country or are a non-US citizen, none of those ‘protections’ are likely to apply.

Consider this scenario, a non-US company deploys Snapdragon 8cx Gen 3 devices. If a US governmental agency wants some data on that machine, they can just go to Microsoft and ask nicely for the keys and voila, they have complete control of that machine remotely and the users/owners will never be the wiser. How anyone in the US can deploy any machine with the Pluton malware is beyond us, if anyone outside the US deploys it, well they have only themselves to blame. Pluton literally makes the Qualcomm 8cx Gen 3 devices too dangerous to deploy.

Summary – Run Like Hell:

So in the end we have a chip that should be avoided at all costs. It is slower than the competition, more expensive, feature free, and not just unsecurable, it is fatally compromised in hardware by design. There is nothing positive SemiAccurate can say about this SoC, there is literally no up side here and a lot of downsides. Rather than answer questions about the chip, Qualcomm lied to the press about it, but at least we understand why they took this route.S|A

The following two tabs change content below.

Charlie Demerjian

Roving engine of chaos and snide remarks at SemiAccurate
Charlie Demerjian is the founder of Stone Arch Networking Services and SemiAccurate.com. SemiAccurate.com is a technology news site; addressing hardware design, software selection, customization, securing and maintenance, with over one million views per month. He is a technologist and analyst specializing in semiconductors, system and network architecture. As head writer of SemiAccurate.com, he regularly advises writers, analysts, and industry executives on technical matters and long lead industry trends. Charlie is also available through Guidepoint and Mosaic. FullyAccurate