How Do Spectre/Meltdown Fixes Affect The Linux Kernel?

"Using the newly minted Linux 4.19 feature code, fresh benchmarks were carried out looking at the performance cost of Spectre/Meltdown/Foreshadow mitigations on Intel Xeon v. AMD EPYC CPUs," writes an anonymous Slashdot reader: Workloads affected by these CPU vulnerabilities mainly deal with I/O and frequent kernel calls while CPU bound tests are still found to be minimally impacted. When toggling these mitigations on Linux 4.19, Intel Xeon CPUs were found to be 10~15% slower with the default kernel while AMD EPYC CPUs dropped to about 5% slower.

As expected

It is not a slowdown, it is removing an undue [broken/illegal/dangerous] speedup ;-)

You can, of course, disable the mitigation. Just don't do it on anything processing external network packets, etc.

Re:As expected

[gweihir]

Indeed. And this partially explained why Intel was ahead of AMD speed-wise. They played fast and loose and f*** the customer.

EPYC problem

The only problem with AMD processors is they don't implement transactional memory operations. When they do, I will switch.

Re:EPYC problem

[Tough+Love]

The only problem with AMD processors is they don't implement transactional memory operations.

I can understand your concern if you need this for research, but as an optimization, transactional memory has so far proved pretty underwhelming.

Re:EPYC problem

[dmpot]

The only problem with AMD processors is they don't implement transactional memory operations.

Aside some very specific use cases, transactional memory does not offer much in terms of performance. Moreover, transactional memory helps a lot with Timing Side Channel Attacks against the kernel. For example: https://www.blackhat.com/docs/...

Re:EPYC problem

[gweihir]

On the plus-side, they have far better CPU-CPU interconnect than Intel and always had.

Re:EPYC problem

AMD doesn't even make true multi core CPUs. It's just a bunch of half cores glued together with a hackneyed bus to connect them. I will stick with Intel because they have true multi core CPUs where the cores are all full cores and directly tied together as one CPU.

Re:EPYC problem

Well, good luck with that.

It's all about the yields and Intel will be forced to go the same route. That or they will fall even further behind in performance and with an economy which is completely infeasible.

Haven't noticed much

I have not noticed any slowdowns myself. I have seen examples of obvious slow down's in testing. But they probably are not significant enough to be noticed by a user. I know people who have opted not to install firmware and even some who have opted out of OS updates. I guess you take your chances and hope for the best or play it safe and maybe have a bit slower PC. For myself, I don't really have any tasks that has ever required every bit of performance. So for myself a 10 to 15% reduction is not a big deal.

Re: Haven't noticed much

This sounds like a shill for Intel. No consumer would be okay with a processor that performs 10-15% under what he selected.

Re: Haven't noticed much

[Tough+Love]

Basically, this completely erases Intel's single thread advantage over AMD. I am sure that Intel will fix their speculative execution blunders in some future processor generation, I suspect it can be fixed without any slowdown, just re-engineering and maybe a bunch more transistors in the cache and dispatch logic. But by the time Intel does fix it AMD will already be shipping 7nm processors. So I don't see Intel getting back into the high end processor lead any time soon.

It's a one-two-three whammy for Intel. Almost starting to feel sorry for them. Almost.

Re: Haven't noticed much

What makes you think it can be fixed without any slowdowns?

The entire purpose for creating these gaping holes - especially Meltdown - was to eke out more performance at the cost of security. It was a deliberate trade-off. And now you're claiming this can be fixed without paying the cost? Do you believe in magic?

Re:Haven't noticed much

[Zontar+The+Mindless]

Try compiling a few editions of a popular database server every day. You'll notice.

Re: Haven't noticed much

[thegarbz]

What are you talking about. The CPU still performs exactly what they selected. The user chooses to run expensive code that mitigates security vulnerabilities that don't affect most use cases.

Personally I don't have any Spectre / Meltdown mitigations enabled. The security tradeoff isn't worthwhile. Plus if I really wanted security I would print off my packets on the printer, carry them to the computer on the other end of the internet and scan them in again. But ... lag.

Re: Haven't noticed much

[thegarbz]

So I don't see Intel getting back into the high end processor lead any time soon.

Why are you implying they aren't in the lead? Users can chose optimised code paths at the expense of security. We do this all the time and the trade off is in terms of risk vs reward. Just like when you log into your online bank instead of walking to the branch and manually doing your banking you make the same trade-off.

Users don't need to run Spectre / Meltdown mitigations, not only from a choice point of view, but also because the risk profile is so incredibly low for the vast majority of use cases it doesn't actually make any sense for a typical user. End result: Speed.

If my workloads weren't often multi-threaded then Intel would still be the performance king, but lets face it... my next CPU will be a Ryzen.

Re: Haven't noticed much

[Highdude702]

The slow downs are from klunky software fixes, as soon as they engineer new chip design to mitigate this, they can get the speed back if they're skilled.

Protect yourself with APK Hosts File Engine... apk

It's here! APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

* ONLY 1 of its kind in GUI 4 MacOS!

(Better vs. Windows model in speed/efficiency/merge)

APK

P.S.=> Protects against Spectre & Meltdown + redirect poisoned or downed DNS/botnets/malware downloads/malcript/email malicious payloads... apk

Slashdot users LOVE the Win64 version... apk

Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

his hosts program is actually pretty good by xenotransplant August 10 2015

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

I like your host file system by Karmashock September 09 2015

that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

* Provides full protection against Spectre & Meltdown flaws

APK

P.S.=> The long-awaited MacOS version is finally here & posts/celebration all Labor Day weekend on Slashdot! Linux version is also available!... apk

Re:Slashdot users LOVE the Win64 version... apk

I believe I am in love with Hosts files. I feel a bit of.. a bit of pee coming up, oh yes. A small amount, a droplet, of pee is now running down my legs. This is so invigorating! Bring me back to life, Hostfile engine! Another droplet from the fountain of life, no, many droplet. Verily a stream of urine is now soaking my pants. This is an amazing day.

Re: Protect yourself with APK Hosts File Engine...

I use os/2 you insensitive clod.

Oh yeah, that shit

The short of the current consensus is that everything about Intel's x86 now sucks, forever. Pointer-chasing has become expensive to the detriment of vast swathes of system code, and just about all of application code. System calls now cost the same as they would in 32-bit 4G/4G setups, i.e. as much as a context switch but also some trampoline overhead.

And don't get me fucking started on Spectre. You need a crack team of leethaxxers born for the job to even begin to test whether a given binary is vulnerable to a given sequence of Spectre gadgets and their primary invocation pathway (i.e. ROP or some such). There aren't enough of those to support compiler tuneups across the industry (starting from even GCC!), so the current magic bullets come at a steep cost and are gonna be broken for about a decade still.

Guess they should've given some thought to security back when they were taping out the Pentium Pro, eh.

Code Analysis

if (cpu == intel) {
                if (microcode_version != current) {
                                  crash_cpu();
                } else {
                }
                disable_l1_cache();
                disable_l2_cache();
                disable_l3_cache();
                disable_isntr_cache();
                disable_data_cache();
                disable_tlb_cache(); // this is why benchmarking is prohibited -- don't tell anyone
                if {ultra_secure_mode == 1 && num_cores > 1 && customer_has_paid_us_money(lookup_microcode) );
                for (i=1;i=core_count;i++) {
                              disable_core(i);
                disable_smm_mode();
                disable_secret_cpu_used_for_management_engine();
                disable_management_engine();
                }
}

it's "only" a 15% performance penalty, just those little caches are disabled, nothing to worry about, except if you go to "ultra_secure" mode, than the performance penalty jumps.

Re: Code Analysis

Your code can't compile - syntax error.

You compare against the magical value 1.

Rejected.

Re:Code Analysis

disable_secret_cpu_used_for_management_engine();
disable_management_engine();

Oh God, I need the source code (or even a compiled blob) of this so badly...

Re:Protect yourself with APK Hosts File Engine...

[Zontar+The+Mindless]

Where's the BeOS port you promised us in 1997?

Re:Protect yourself with APK Hosts File Engine...

You're out of luck. However, AFAIK, a Haiku port is upcoming.

I M P E R S O N A T I N G ME ? apk

Don't you have anything better to do than IMPERSONATE me?

APK

P.S.=> Seriously... apk

I am APK the LORD of HOSTS

I am APK the great "LORD of HOSTS", a.k.a. AlecStaar from ArsTechnica or Alexander Peter Kowalski.

See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / I . a m . a . f u c k i n g / a s s h o l e . r e t a r d . z i p (remove spaces between characters & download).

I am the godlike creator of various GUI front-ends for other people's configuration files.

When presented with facts I rebut them with wild speculations, false support, and out of context quotes

All of my accomplishments revolve around me being proven to be an annoying spamming asshole

See me be proud of my inability to be a functional adult

Bask in my debilitating mental illness

Hear me tell stories about me living large drinking miller lite in my ramshackle duplex with a roommate at age 54.

You must be conspiring with the Jews and Soros if you disagree with me

Mistaking mockery and parody for impersonation is how I think people flatter me because I can't possibly understand that they detest me.

Watch as I claim I am world class and a winner but in reality I am a fucking loser.

Witness my descent into madness

APK

Talk to me about OpenSSH not the kernel

[Seven+Spirals]

Local exploits are a lot harder to pull off than remote exploits. The primary gatekeeper of the worlds IT device is Secure Shell. I just have one simple question: If this shit is so catastrophic and bad like we've been hearing, then where the fuck are the OpenSSH remote root exploits? Bullshit flag thrown. Now point me to the exploit code that returns a root prompt and I'll drink your security Chicken Little kool-aid. Until then *yawn*.