Slashdot Mirror


Google Says CPU Patches Cause 'Negligible Impact On Performance' With New 'Retpoline' Technique (theverge.com)

In a post on Google's Online Security Blog, two engineers described a novel software-level mitigation (applied when binaries are compiled, not a change to the CPU itself) that has been deployed across the company's entire infrastructure, resulting in only minor declines in performance in most cases. "The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique," reports The Verge. "If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted." From the report: "There has been speculation that the deployment of KPTI causes significant performance slowdowns," the post reads, referring to the company's "Kernel Page Table Isolation" technique. "Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance." "Of course, Google recommends thorough testing in your environment before deployment," the post continues. "We cannot guarantee any particular performance or operational impact."

Notably, the new technique only applies to one of the three variants involved in the new attacks (Variant 2, "branch target injection"). However, it's the variant that is arguably the most difficult to address. The other two vulnerabilities -- Variant 1, "bounds check bypass", and Variant 3, "rogue data cache load" (Meltdown) -- would be addressed at the program and operating system level, respectively, and are unlikely to result in the same system-wide slowdowns.
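To make the "Retpoline" technique from the summary concrete, here is an added example (written for this page, not code from Google's blog post or from any compiler) of the x86-64 retpoline sequence beside the plain indirect call it replaces. The function name retpoline_call and the two arithmetic callees are assumptions for illustration; the retpoline body itself (call / pause; lfence; jmp / overwrite return address / ret) is the standard construct. The summary's point that this is a Variant 2 mitigation only is visible in the code: nothing here touches page tables (KPTI, Variant 3) or bounds checks (Variant 1).

```c
#include <stdio.h>

/* Signature of the functions reached through an indirect branch. */
typedef int (*op_fn)(int, int);

/* Constructed sample callees for the example. */
static int add_op(int a, int b) { return a + b; }
static int mul_op(int a, int b) { return a * b; }

/* Baseline: a plain indirect call (`call *%reg`). The CPU's indirect
 * branch predictor guesses the target before `fn` is resolved; that guess
 * is what Spectre variant 2 (branch target injection) poisons. */
int call_plain(op_fn fn, int a, int b)
{
    return fn(a, b);
}

/* retpoline_call(fn, a, b): same effect as fn(a, b), but control reaches
 * fn through a retpoline instead of an indirect call/jmp. It is a tail
 * call: fn returns directly to the C caller of retpoline_call.
 * (Hypothetical name; GCC/LLVM and the Linux kernel generate equivalent
 * thunks named __x86_indirect_thunk_<reg> when retpolines are enabled.) */
int retpoline_call(op_fn fn, int a, int b);

#if defined(__x86_64__) && defined(__ELF__) && defined(__GNUC__)
__asm__(
    ".text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    "retpoline_call:\n"
    "    mov  %rdi, %rax\n"   /* target pointer into %rax, as the thunk expects */
    "    mov  %esi, %edi\n"   /* shift a and b into fn's argument registers   */
    "    mov  %edx, %esi\n"
    /* ---- the retpoline proper ---- */
    "    call 1f\n"           /* pushes the address of label 2 as return addr */
    "2:  pause\n"             /* speculative path: the return predictor says   */
    "    lfence\n"            /* `ret` goes back to 2, so speculation spins    */
    "    jmp  2b\n"           /* here and never reaches an attacker's target   */
    "1:  mov  %rax, (%rsp)\n" /* architectural path: replace the pushed        */
    "    ret\n"               /* return address with fn and 'return' into it   */
    ".size retpoline_call, .-retpoline_call\n"
);
#else
/* Non-x86-64/ELF build: fall back to a plain indirect call so the file
 * still compiles; the retpoline itself only exists as x86 machine code. */
int retpoline_call(op_fn fn, int a, int b) { return fn(a, b); }
#endif

int main(void)
{
    printf("plain:     add(2,3)=%d mul(4,5)=%d\n",
           call_plain(add_op, 2, 3), call_plain(mul_op, 4, 5));
    printf("retpoline: add(2,3)=%d mul(4,5)=%d\n",
           retpoline_call(add_op, 2, 3), retpoline_call(mul_op, 4, 5));
    return 0;
}
```

In practice nobody hand-writes this: GCC emits it for every indirect branch with -mindirect-branch=thunk (GCC 7.3 and 8 onward) and Clang with -mretpoline, which is why the mitigation requires recompiling binaries and the kernel rather than a microcode update. On Linux, /sys/devices/system/cpu/vulnerabilities/spectre_v2 reports whether the running kernel was built this way. One caveat a deployer should know: the construct relies on the return predictor staying in the trap loop, and Intel documented that on Skylake-generation and later cores an empty return stack buffer can fall back to the indirect predictor, so the kernel pairs retpoline with return-stack-buffer filling on those parts.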

7 of 120 comments

  1. Re: Or just Buy AMD & get no slow down with mo by Anonymous Coward · Score: 0, Insightful

    This probably offers a false sense of security. It's very possible that there are bugs lurking in AMD hardware that are just as severe. Just because AMD processors aren't susceptible to Meltdown doesn't mean there aren't other vulnerabilities unique to AMD processors.

  2. Re: You can't "patch" hardware by 110010001000 · Score: 3, Insightful

    Again: there are no Intel firmware fixes for Meltdown. It cannot be fixed without replacing the processor. There are only mitigation workarounds.

  3. Re: Idiotic Moderation by 110010001000 · Score: 5, Insightful

    Because it doesn't make sense: Intel has a KNOWN UNFIXABLE FLAW in Meltdown. It cannot be fixed. You are saying "don't switch to AMD because they might have a major flaw too at some point". Meltdown is a much larger problem than Spectre is.

  4. Google is connected to Intel at the hip by bongey · Score: 4, Insightful

    Google is dependent on Intel CPUs at the moment and has a vested interest in not saying "well, our cloud just got 5-30 percent slower."

  5. Re: Google's technique requires patching binaries/c by PhrostyMcByte · Score: 5, Insightful

    Google's technique ... has a small performance hit but much smaller than KPTI.

    Keep in mind Google's technique (retpoline) is not an alternative to KPTI. Retpoline addresses Variant 2. KPTI addresses Variant 3. Both are required.

  6. Re: Or just Buy AMD & get no slow down with mo by Anonymous Coward · Score: 2, Insightful

    This probably offers a false sense of security. It's very possible that there are bugs lurking in AMD hardware that are just as severe. Just because AMD processors aren't susceptible to Meltdown doesn't mean there aren't other vulnerabilities unique to AMD processors.

    And sticking with Intel even after this patch probably offers a false sense of security. It's very possible that there are more bugs lurking in Intel hardware that are just as severe. Just because Intel processors have been patched for Meltdown doesn't mean there aren't other vulnerabilities unique to Intel processors.

  7. Re: Idiotic Moderation by jezwel · Score: 4, Insightful

    Is there a compelling reason to believe that AMD processors are less likely to be vulnerable in the future than Intel processors?

    Right now only Intel is massively exposed on one security issue where other manufacturers are not. So yes - this makes it appear that AMD design philosophy values security over performance. Whether that is proved out remains to be seen.

    If one manufacturer is cutting corners with the engineering and the other isn't, then there's a logical reason.

    Intel seems to be the one cutting corners - for decades. You do remember the FDIV and F00F bugs in early Pentiums? I don't recall other manufacturers having such severe problems (sure, mainly PR with FDIV) that a recall was required.

    Otherwise, there isn't a logical basis for using that as a reason to change your behaviour in the future.

    Intel cannot provide CPUs to retail without this flaw for another 18 months or so. That should most certainly influence short-term future behaviour IF the fix causes significant performance issues with your workload.

    It's also entirely possible that, faced with backlash and distrust, the manufacturer might take additional steps to ensure that no such similar issues occur in the future. If there was demonstrable evidence of this, it might be a good reason not to switch.

    Sounds strange to not switch to a vendor that doesn't suffer from this vulnerability, in the hope that Intel will fix its processes to ensure this doesn't happen again. Right now though, there's no good reason to specify Intel for your CPUs.

    The important question is whether there is any reason to believe Intel processors will be more vulnerable in the future.

    Why is that important? All manufacturers will have problems. You make plans with known data today. Intel messed up big time, and until the problem is fixed they should absolutely have this issue in the 'known problems' pile when consideration of CPU choice is done.