
#1 2018-11-18 16:10:48

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,238

Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

…because of new Spectre/Meltdown-class vulnerability mitigations.

Via: https://www.phoronix.com/scan.php?page= … -420-stibp, https://www.reddit.com/r/programming/co … _on_linux/, https://news.ycombinator.com/item?id=18476562.

I'm running my laptop with all mitigations disabled (that can be disabled without recompiling the kernel). The performance reductions on Intel CPUs are getting ridiculous.


In the green forest, where the thrush sings…


#2 2018-11-18 18:48:41

beaker
Member
Registered: 2016-03-06
Posts: 84

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

twoion wrote:

ridiculous.

^that


#3 2018-11-18 18:51:28

cloverskull
Member
Registered: 2015-10-01
Posts: 301

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

Oh boy. I can’t wait to see how AWS handles this one...


#4 2018-11-18 20:47:25

stevep
MX Linux Developer
Registered: 2016-08-08
Posts: 327

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

The same mitigations have also been backported to 4.19.2.

If they also get backported to 4.9, odds are that they'll appear in an update of the stock Debian Stretch/BL kernel...

Cue:  Human sacrifice, dogs and cats living together... mass hysteria!

Last edited by stevep (2018-11-18 20:49:19)


#5 2018-11-18 23:31:34

glittersloth
...always giving it to you straight
Registered: 2015-09-30
Posts: 658

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

At the rate this is going, pre-Spectre/Meltdown generation (I'm guessing 2005 and earlier) Intels will be popping up at Sotheby's or Phillips auctions, commanding higher bids than old Porsches and Pateks. lol


#6 2018-11-19 13:44:55

earlybird
ほやほや
Registered: 2015-12-16
Posts: 608

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

glittersloth wrote:

At the rate this is going, pre-Spectre/Meltdown generation (I'm guessing 2005 and earlier) Intels will be popping up at Sotheby's or Phillips auctions, commanding higher bids than old Porsches and Pateks. lol

One way or another, if you care about CPU security on current Intel you are slowly but surely getting set back to the CPU technology of the early 2000s.

May the day come when our oldest modern family PC (after a Pentium I @ 100 MHz from 1995 with 24M RAM on Windows 98 First Edition and a C64 from the 1980s), which is a Pentium 4 HT @ 2.66 GHz, is equivalent to a crippled gen9 Core processor built in 2018....

cloverskull wrote:

Oh boy. I can’t wait to see how AWS handles this one...

If I understood correctly, spectre/meltdown-type vulnerabilities apply to tasks/CPU threads executing on the same CPU core. So they should be able to solve at least some of their issues by pinning each VM to a dedicated core or even a CPU. I'm sure that messes up their revenue calculation from sharing CPU cores between low-spec VMs quite a bit but seeing as their product still adds a lot of value by way of cloud platform APIs, they are largely going to be fine. Just build a few more DCs and done. Then they can phase out their hardware for AMD x86 or ARM, whatever they prefer, as part of the normal machine life cycle.


#7 2018-11-19 14:21:07

glittersloth
...always giving it to you straight
Registered: 2015-09-30
Posts: 658

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

earlybird wrote:

If I understood correctly, spectre/meltdown-type vulnerabilities apply to tasks/CPU threads executing on the same CPU core. So they should be able to solve at least some of their issues by pinning each VM to a dedicated core or even a CPU.

So would I be right to assume it would be the smaller players (e.g. those found on lowendbox.com, or, more specifically, any OpenVZ based VPS provider) who will be hit hardest by this?


#8 2018-11-19 14:33:11

bigbenaugust
Member
From: unc.edu / the 919 / KIGX
Registered: 2017-05-20
Posts: 99

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

I'm actually curious to try the patch-affected kernels on actual hardware. When is 4.19 hitting backports?


--Ben
BL / MX / Raspbian... and a whole bunch of RHEL boxes. :)


#9 2018-11-19 15:29:14

S7.L
Member
Registered: 2018-09-16
Posts: 105

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

I just updated my artix/arch spin to Linux 4.19.2 - I'm running an old 2009/10 Toshiba laptop.

$ sudo ./spectre-meltdown-checker.sh --explain
Spectre and Meltdown mitigation detection tool v0.40

Checking for vulnerabilities on current system
Kernel is Linux 4.19.2-artix1-1-ARTIX #1 SMP PREEMPT Wed Nov 14 22:39:05 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7 CPU       Q 740  @ 1.73GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  YES 
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU supports Software Guard Extensions (SGX):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 0x1e family 0x6 stepping 0x5 ucode 0xa cpuid 0x106e5)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xa dated 2018/05/08 according to builtin MCExtractor DB v84 - 2018/09/27)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW, STIBP)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for kernel and firmware code)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion)
* Kernel supports PTE inversion:  YES  (found in kernel image)
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: VMX: conditional cache flushes, SMT vulnerable
* This system is a host running an hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  NOT VULNERABLE  (this system is not running an hypervisor)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK

A false sense of security is worse than no security at all, see --disclaimer

Last edited by S7.L (2018-11-19 15:29:54)


"Voilà! In view, a humble vaudevillian veteran, cast vicariously as both victim and villain by the vicissitudes of Fate."...Voilà!

~ V
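The checker output above reports each CVE class as "Mitigated according to the /sys interface", and the first post in the thread describes booting with every mitigation that a kernel parameter can switch off. The script below is an added example, not the thread's or spectre-meltdown-checker's code: it reads those same two sources, /sys/devices/system/cpu/vulnerabilities/* and /proc/cmdline, and flags anything still reported "Vulnerable", any mitigation-disabling boot parameter, and the "SMT vulnerable" wording the L1TF line carries on this laptop. The list of disabling parameters and the sample status texts are assumptions for the example (the sample texts copy what the checker printed here, with meltdown changed to "Vulnerable" as it would read after booting with pti=off).

```python
"""Audit speculative-execution mitigation status on a Linux host.

Added example (not from the thread or from spectre-meltdown-checker). Reads
the same two sources that tool's "/sys interface" lines summarise:
  /sys/devices/system/cpu/vulnerabilities/*   one file per CVE class
  /proc/cmdline                                boot parameters that switch mitigations off
The parameter table and sample data are assumptions for this example.
"""
import os
import tempfile

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Boot parameters that disable a mitigation without recompiling the kernel.
# Assumed set for this example; not exhaustive across kernel versions.
DISABLING_PARAMS = {
    "nopti": "meltdown",
    "pti=off": "meltdown",
    "nospectre_v2": "spectre_v2",
    "spectre_v2=off": "spectre_v2",
    "nospec_store_bypass_disable": "spec_store_bypass",
    "spec_store_bypass_disable=off": "spec_store_bypass",
    "l1tf=off": "l1tf",
    "mitigations=off": "*",   # umbrella switch added in 5.2, later backported
}

def classify(text):
    """Map one sysfs status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"   # "Vulnerable", "Vulnerable: ..." and "Unknown" all need attention

def read_vuln_dir(path=SYSFS_VULN_DIR):
    """Return {cve_class: raw status text} for every file in the directory."""
    status = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as fh:
            status[name] = fh.read().strip()
    return status

def disabled_by_cmdline(cmdline):
    """Return the set of mitigation classes the boot parameters switch off."""
    return {DISABLING_PARAMS[tok] for tok in cmdline.split() if tok in DISABLING_PARAMS}

def smt_flagged(status):
    """True if any status line still says 'SMT vulnerable' (L1TF-style text)."""
    return any("SMT vulnerable" in s for s in status.values())

def audit(status, cmdline):
    """Combine both sources into a report; 'risk' lists classes to act on."""
    report = {"by_class": {k: classify(v) for k, v in status.items()},
              "cmdline_off": disabled_by_cmdline(cmdline),
              "smt_vulnerable": smt_flagged(status)}
    report["risk"] = sorted(k for k, c in report["by_class"].items() if c == "vulnerable")
    return report

# Constructed sample data: texts copied from the checker output in this thread
# (4.19.2), except meltdown, shown as it reads after booting with pti=off.
SAMPLE_STATUS = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW, STIBP",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
}
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-4.19.2 root=/dev/sda2 ro quiet pti=off"

def write_sample_dir():
    """Materialise SAMPLE_STATUS as files so read_vuln_dir() runs offline."""
    d = tempfile.mkdtemp()
    for name, text in SAMPLE_STATUS.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text + "\n")
    return d

if __name__ == "__main__":
    src = SYSFS_VULN_DIR if os.path.isdir(SYSFS_VULN_DIR) else write_sample_dir()
    cmd = open("/proc/cmdline").read() if os.path.exists("/proc/cmdline") else SAMPLE_CMDLINE
    r = audit(read_vuln_dir(src), cmd)
    for k, v in r["by_class"].items():
        print(f"{k:20s} {v}")
    print("disabled on cmdline:", sorted(r["cmdline_off"]) or "-")
    print("SMT still vulnerable:", r["smt_vulnerable"])
    print("needs attention:", r["risk"] or "none")
```

On a live host it reads the real sysfs directory and /proc/cmdline; anywhere else it falls back to the constructed sample. The point of classifying "Unknown" as vulnerable is the checker's own closing line: a status you cannot confirm should not count as mitigated.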


#10 2018-11-19 18:42:27

cloverskull
Member
Registered: 2015-10-01
Posts: 301

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

earlybird wrote:

If I understood correctly, spectre/meltdown-type vulnerabilities apply to tasks/CPU threads executing on the same CPU core. So they should be able to solve at least some of their issues by pinning each VM to a dedicated core or even a CPU. I'm sure that messes up their revenue calculation from sharing CPU cores between low-spec VMs quite a bit but seeing as their product still adds a lot of value by way of cloud platform APIs, they are largely going to be fine. Just build a few more DCs and done. Then they can phase out their hardware for AMD x86 or ARM, whatever they prefer, as part of the normal machine life cycle.

My company leverages AWS for a lot of our product offerings and the last time they patched for Spectre/Meltdown, our product performance was abysmal. The only options we had were to upgrade our virtual hardware scale. Sad times ahead indeed...


#11 2018-11-19 20:28:55

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,238

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

cloverskull wrote:
earlybird wrote:

If I understood correctly, spectre/meltdown-type vulnerabilities apply to tasks/CPU threads executing on the same CPU core. So they should be able to solve at least some of their issues by pinning each VM to a dedicated core or even a CPU. I'm sure that messes up their revenue calculation from sharing CPU cores between low-spec VMs quite a bit but seeing as their product still adds a lot of value by way of cloud platform APIs, they are largely going to be fine. Just build a few more DCs and done. Then they can phase out their hardware for AMD x86 or ARM, whatever they prefer, as part of the normal machine life cycle.

My company leverages AWS for a lot of our product offerings and the last time they patched for Spectre/Meltdown, our product performance was abysmal. The only options we had were to upgrade our virtual hardware scale. Sad times ahead indeed...

Hello, extra 1000s of $ in hosting fees… I wouldn't expect anything different from them than that, that is, using primarily software mitigations to extract maximum HVM tenant counts from their hardware.


In the green forest, where the thrush sings…


#12 2018-11-19 21:37:15

cog
Member
From: New Mexico, USA
Registered: 2015-10-27
Posts: 125

Re: Linux 4.20 likely to bring a performance reduction of 20-40% on Intel

https://www.phoronix.com/scan.php?page= … BP-Comment

Apparently disabling SMT is way more practical than STIBP by default.  Looks like the kernel devs are reconsidering their defaults.

Theo de Raadt was right all along.

Last edited by cog (2018-11-19 21:44:11)


10% of The Fishermen Catch 90% of The Fish
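Two posts in this thread turn on the same topology question: earlybird's suggestion (#6) of pinning each VM to a dedicated core, and cog's note that disabling SMT is more practical than STIBP as a default, which matches the checker output flagging L1TF as "SMT vulnerable" while Hyper-Threading is enabled. Either way you need to know which logical CPUs are siblings of one physical core. The script below is an added example, not the thread's or any project's code: it parses the kernel's CPU-list syntax, groups logical CPUs into physical cores from thread_siblings_list, derives the set of CPUs to offline for an SMT-off configuration, and hands out whole cores to tenants so that no two tenants ever share siblings. The sysfs path /sys/devices/system/cpu/cpuN/topology/thread_siblings_list and the 4-core, 2-thread sample topology are assumptions for the example.

```python
"""Plan core-exclusive CPU pinning and an SMT-off set from Linux CPU topology.

Added example, not from the thread. Assumes the sysfs layout
/sys/devices/system/cpu/cpuN/topology/thread_siblings_list, whose content is
a kernel CPU list such as "0,4" or "0-1". The sample topology is constructed.
"""
import glob
import os
import re

def parse_cpu_list(text):
    """Expand a kernel CPU list ("0-3,8,10-11") into a sorted list of ints."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return sorted(cpus)

def read_thread_siblings(root="/sys/devices/system/cpu"):
    """Read {cpu: siblings_text} from a real sysfs tree (live hosts only)."""
    out = {}
    pattern = os.path.join(root, "cpu[0-9]*", "topology", "thread_siblings_list")
    for path in glob.glob(pattern):
        cpu = int(re.search(r"cpu(\d+)", path).group(1))
        with open(path) as fh:
            out[cpu] = fh.read()
    return out

def physical_cores(siblings):
    """Group logical CPUs into physical cores: a sorted list of sibling tuples."""
    return sorted({tuple(parse_cpu_list(text)) for text in siblings.values()})

def smt_offline_set(cores):
    """CPUs to offline so each core keeps exactly one thread, which is roughly
    what writing 'off' to /sys/devices/system/cpu/smt/control does on 4.19+."""
    return sorted(cpu for core in cores for cpu in core[1:])

def assign_whole_cores(cores, vm_names, cores_per_vm=1):
    """Give each VM whole cores so no two VMs share SMT siblings.

    Returns {vm: [cpu, ...]} and raises if the host has too few cores.
    """
    need = len(vm_names) * cores_per_vm
    if need > len(cores):
        raise ValueError(f"need {need} cores, host has {len(cores)}")
    plan, i = {}, 0
    for vm in vm_names:
        chunk = cores[i:i + cores_per_vm]
        plan[vm] = sorted(cpu for core in chunk for cpu in core)
        i += cores_per_vm
    return plan

def shares_core(plan, cores):
    """Sanity check: True if two VMs in the plan land on the same physical core."""
    owner = {}
    for vm, cpus in plan.items():
        for cpu in cpus:
            core = next(c for c in cores if cpu in c)
            if owner.setdefault(core, vm) != vm:
                return True
    return False

# Constructed sample: 4 cores x 2 threads with Intel-style sibling numbering,
# i.e. logical CPU n and n+4 are the two threads of one core.
SAMPLE_SIBLINGS = {0: "0,4", 1: "1,5", 2: "2,6", 3: "3,7",
                   4: "0,4", 5: "1,5", 6: "2,6", 7: "3,7"}

if __name__ == "__main__":
    live = os.path.isdir("/sys/devices/system/cpu/cpu0/topology")
    sib = read_thread_siblings() if live else SAMPLE_SIBLINGS
    cores = physical_cores(sib)
    print("physical cores:", cores)
    print("offline for SMT-off:", smt_offline_set(cores))
    plan = assign_whole_cores(cores, ["vm-a", "vm-b"], cores_per_vm=2)
    for vm, cpus in plan.items():
        print(f"{vm}: taskset -c {','.join(map(str, cpus))}")
```

The pinning plan prints as taskset arguments, but the same CPU lists feed a libvirt cputune or a cgroup cpuset just as well. The check that matters for the cloud case in the thread is shares_core(): a plan that looks balanced by logical CPU count can still put two tenants on sibling threads of one core, which is exactly the placement the L1TF "SMT vulnerable" line is warning about.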



Powered by FluxBB