Linux 4.20 is Running Slower Than 4.19 On Intel CPUs

Freshly Exhumed writes: An intentional kernel change in Linux kernel 4.20 for enhanced Spectre mitigation is unfortunately causing Intel Linux performance to be much slower than with 4.19. That change is 'STIBP' (Single Thread Indirect Branch Predictors), which allows for preventing cross-hyperthread control of decisions that are made by indirect branch predictors. It affects Intel systems that have up-to-date microcode and CPU Hyper Threading enabled. Phoronix gives the evidence.

Opps

Let the class action lawsuits begin?

Re:Opps

[saloomy]

No. 4.19 was insecure, but faster. 4.20 is more secure, but slower. So? If I store my passwords in plain-text it's faster. Faster still if I don't have to do a DB lookup and just hard code some that I need.

4.20 is better. The performance penalty is the cost of better security in almost all computer operations (often negligible due to faster and faster chips). Because of hardware advancements though, it's most of the time a very worthwhile tradeoff. If your application suffers that much, size up the gear.

Re:Opps

[Tough+Love]

Most of the responses to this article are "AMD" so I don't need to say it. But I will anyway. AMD.

Re: Opps

It's only worthwhile in some situations.
I manage around 15,000 hypervisors which have VMs that don't ever run untrusted or arbitrary code, they aren't internet connected, etc. A 10% performance hit means millions of dollars of additional compute and network infrastructure.
And don't tell me to use AMD either, the price vs. Performance ends up being more costly at the scale and density we require.... and that's pretending we could swap existing servers out for no cost.

Re: Opps

Newer Intel chips don't even come with hyperthreads anymore due to Spectre. If you disable HT on your servers you won't take the performance hit.

Re: Opps

[Tough+Love]

Ryzenfall and related vulnerabilities still haven't been fixed

Ryzenfall is a PR exploit not a serious vulnerability, it requires physical access.

Investigators uncovered an article by Viceroy Research condemning AMD on the exploit and noted how the article was published less than half an hour after the exploits were revealed. Given the polish of the article which appears to be written many days in advance, and wording of the article which suggests that it is financially motivated, many were quick to accuse the exploit as a smear campaign engineered by Viceroy to short-sell AMD's stocks.

Meanwhile, Intel still has major issues with Meltdown, which is much more serious than Spectre because Meltdown breaks the veil between user and kernel, while Spectre is a process/process leak, much easier to address at the OS level. With fresh new Meltdown exploits demonstrated, Intel is still very much in the hot seat and AMD is the more secure processor.

Re:Opps

4.19 wasn't insecure. Some hardware was, and 4.20 has a workaround.

Re: Opps

Thanks for that, anonymous Intel Shill.

Re:Opps

Because of hardware advancements though,.

Isn't that the the thing linux bobbleheads ragged on Windows about; shittier performance being fixed by faster hardware?

Re:Opps

"(often negligible due to faster and faster chips)"

I can tell you don't program. Most code is so bloated now days that what once would've only needed an 8088 to run now at minimum needs a 233MHz Pentium II to do the same thing.

YOUR FUCIKING CODE SUCKS, PROGRAMMERS. Get back to making it SMALL so these security bugs are far less prevalent.

Re: Opps

The vulnerability would matter in a cloud situation where more than one user had code running on the same processor.

Re: Opps

[Bert64]

HT is itself a feature designed to improve performance... If you disable it, then you lose any performance benefits it provided.
Wether it provides a performance benefit depends on your workload, it allows the processor to work on another thread if your code stalls the pipeline, but if your code is properly optimized for the processor then it wont stall the pipeline...

Re:Opps

By this logic then, we should drop HT altogether (which I wholeheartedly approve). It only improves threaded performance by some 20-30%. We're better off with fully isolated cores. If your application suffers that much, size up the gear.

Re: Opps

But....

The performance is still much slower that you may actually gain performance by turning hyperthreadong off!!

This may have actually killed hyperthreading.

Re: Opps

[Tough+Love]

And possibly other situations, not in the cloud.

Re:Opps

[Bengie]

20-30% performance gain for something like 5% more transistors is nothing to sneeze at, but holy crap is it a finicky jittery fragile 20% gain that is rife with corner cases. Assuming the work load even benefits. Plenty that do not.

Re: Opps

Why? You need the ability to flash the BIOS to trigger it. If you have that, everything is out the window anyway. Certainly no cloud providers let you replace the BIOS on their systems!

Give it a break

[medv4380]

It's just high.

Re:Give it a break

Maybe it's high, and it thinks it's running from the Nigerian prince.

Re:Give it a break

It's just high.

Someone is high, because...

Linux 4.20 is Running Slower Than 4.19 On Intel CPUs

Linux 4.20 isn't released yet. (4.20 rc2 is the latest available right now)

Four Twenty?

[Esion+Modnar]

There's a joke here somewhere. If I weren't so stoned...

Re: Four Twenty?

Funding secured.

Re: Four Twenty?

[Aighearach]

Funding secured.

A spectre of a deal!

Handi-capables strike again!

This is what Linux gets for pushing a CoC. Linus' kool aid drinking has finally proven his lack of judgement in a way BitKeeper, the scsi subsystems, and assigning Greg KH as stable maintainer haven't.

Re:Handi-capables strike again!

Linux has Corruption of Champions integrated into its distribution now?

Disableable?

Can this be disabled with modules or would it need a flag and a recompile of the kernel?

Re: Disableable?

Whatever it is you are worried about will just get worse if you merge another release build.

Re:Disableable?

[F.Ultra]

You can disable it with a boot flag "spectre_v2=off nopti"

Re:The PRICE We Pay For NICE Linus

BRING BACK MEAN LINUS

Yeah, and https is slower than http too. So?

You're still gonna do your banking over encrypted channels. And use fixed length arrays or at least bounds checks.

This headline seems to come from the mindset that we always act like Joe Sixpack has.
(In reality, the average person out there cares just as much about security and privacy. They just know less about it and have less of a choice with "simple" products anyway. Buut you'll get them there, if you keep pushing that meme. Just like Justin Bieber was made popular mostly by everyone hating him [including me].)

But go ahead, and keep using the old kernel. Don't be surprised if your IP block is suddenly blocked though, when your zombie computer starts spreading crap. Or if go to prison for child pornography when somebody finds out what it spread.

Linux 4.20 man!

[SpencerWilliams]

Wooohooo!

This is intels problem

[Shaitan]

Linux kernel doesn't let your insecure and sloppy design do things that compromise the security of the OS. Sounds like a feature to me.

Re:This is intels problem

I would rather have a little slower but certain and secure over super fast and sloppy. Go kernel devs!!

Re:This is intels problem

No, it's just that linux sucks.

Re:This is intels problem

[should_be_linear]

There is room for two versions of microcode / kernel: default (slow) and root (fast) mode. In root mode there can be only one (root) user, but everything runs much faster. There is lot of offline computers (like supercomputers) which would benefit from this, even 20% of performance, it seems.

Re:This is intels problem

No, we need to punish Intel.

Re:This is intels problem

[Chris+Mattern]

There is room for two versions of microcode / kernel: default (slow) and root (fast) mode. In root mode there can be only one (root) user, but everything runs much faster.

Let's see here. We'll give people a choice between an immediate, measurable advantage and an advantage they won't see until the failure hits. Gee, I wonder which one everyone will choose, and then get hacked for.

Re:This is intels problem

[Chris+Mattern]

No, it's just that linux sucks.

To an extent, I'm willing to grant that. So, what sucks less than Linux?

Re:This is intels problem

MenuetOS.

It's something that takes REAL talent, not the 'talents' of a bunch of fucking n00bs throwing packages and dependencies together, like in Linux.

Re:This is intels problem

[Shaitan]

It wouldn't be fast and slow mode, it would be not intentionally left insecure and swiss cheese mode.

Re:This is intels problem

[Chris+Mattern]

MenuetOS.

Uhhhh....

Non-POSIX, apparently not compatible with anything else, almost no documentation I could find, no evidence of usable apps (if there is an office suite, web browser or email client for it there was no mention of them that I could find), development environment centered around assembly language...

Pass.

Intel?

[110010001000]

Who still runs Linux on Intel CPUs?

Re:Intel?

[StormReaver]

Remember how Jeff Bezos just recently said that once Amazon stopped focusing on customers, it was going to be the beginning of the end of Amazon? Intel stopped focusing on customers the moment it knowingly sacrificed security to maintain its near-monopoly on CPU's. While AMD has some issues with its chips, those issues pale in comparison to the wholesale don't-give-a-shit practiced by Intel.

I hope Intel has a huge, massively expensive decline.

Re:Intel?

Yo big black mama.

Re:Intel?

Well?

Are you gonna be *that* guy on Slashdot who recommends Windows then?

Re:Intel?

[110010001000]

Whats a Windows?

Re:Intel?

I do. Wanna fight?

Re:Intel?

[NicknameUnavailable]

Your comparison is more accurate than you know. In actuality Intel stopped focusing on customers in favor of government snooping. Amazon is now doing the same, Bezos is just trying to appeal to the masses without breaking NDAs so he doesn't have to lose the consumer market for the government contracts.

Re: Intel?

Mod parent up

Re:Intel?

[F.Ultra]

They usually call from India and want you to install some software on your computer since it has reported that it's being hacked. At least that is what they always say on the phone "Hello I'm calling from Windows" so that must be it.

Re:Intel?

[Kjella]

Remember how Jeff Bezos just recently said that once Amazon stopped focusing on customers, it was going to be the beginning of the end of Amazon? Intel stopped focusing on customers the moment it knowingly sacrificed security to maintain its near-monopoly on CPU's. While AMD has some issues with its chips, those issues pale in comparison to the wholesale don't-give-a-shit practiced by Intel.

And by "knowingly" you mean Intel did this on purpose? They can be dirty as hell doing damage control, but creating Meltdown/Spectre wasn't a conscious plan or at least then I'd really like to see your documentation that security was intentionally sacrificed. And as far as I know they're not making any significant revenue on anything other than selling CPUs, they're not in the data mining business nor to they take a cut of all applications running on an Intel nor are they selling your data to third parties. And no, Intel's management engine and AMD's TrustZone and Apple's T2 all pretty much do the same thing. They're far from saints, but on the evil scale they're not nearly at the top of my list.

Re:Intel?

[Tough+Love]

Got a couple of laptops still running Intel. My next laptop will for sure be AMD.

Re:Intel?

[Tough+Love]

I hope Intel has a huge, massively expensive decline.

I hope that Intel becomes a better company with better products and that when the dust settles they will share the x86 market roughly equally with AMD. No dirty tricks now, Intel.

Re:Intel?

Who still runs Linux on Intel CPUs?

Every data center ever.

Re:Intel?

Look at the pattern.

There are faaaar too many corners being "accidentally" cut in the name of performance for it to be a coincidence.. a whole bunch of them, actually. Intel knew what they were doing, and they did it anyway while hoping nobody would notice, ever. It's actually incredibly similar to the Diesel-gate that Volkswagen got itself into, if you think about it.

This is what happens when organisations get infested by people who doesn't care about their customers, doesn't care about their products, only their short term goals and what will personally be most beneficial for them. It's a massive failure in leadership.

Re:Intel?

[Aighearach]

Who still runs Linux on Intel CPUs?

Thinkpad owners.

OTOH, CentOS is on 3.x kernels still anyways.

Re:Intel?

He's a total cunt and off his rocker. Don't engage him further.

Re:Intel?

[dryeo]

When you start a program under X, it runs in a Window. You can have multiple Windows on your desktop, each with a different program running independently of each other.
It's even possible to do it in a console, with text mode programs. It's how I was first introduced to Windows on an Apple II.

Re:Intel?

https://www.techradar.com/news/amd-reveals-most-powerful-data-centre-chips-and-aws-partnership

Re:Intel?

[Highdude702]

Who the hell would run CENTOS on a laptop?? And why??!?!?

Re:Intel?

If you are developing software that runs RHEL in production, CENTOS is a great option. It works great on Thinkpads. Don't knock it if are clueless about what pros do.

Re:Intel?

[drinkypoo]

I'd really like to see your documentation that security was intentionally sacrificed.

I submit the design as documentation. They do the security check after the memory access. That can only have been a deliberate decision.

What is worse...

...running slower and secure or faster and compromised ?

If you think faster is better then you're a moron that should not have access to a computer!

Re:What is worse...

You *can* have both secure and faster... with AMD.

Re:What is worse...

If you think faster is better then you're a moron that should not have access to a computer!

My 500 node non-internet connected compute cluster would like to have a word about that.

Security isn't really a concern on this cluster, performance is. The small network it's on is not connected to other systems(we have our reasons for this). So yes, faster in this case is far better than secure at the CPU level. Physical security is good enough for us. Thankfully the spectre mitigations can be disabled for high performance computing purposes. This in no means a defense of Intel at all, its insane that these trade offs need to be made in the first place.

Also you really should reconsider not running off the mouth and calling people names when you don't know as much as you think you do about a subject. You are one of those people who just scream "security!" without really understanding what they are saying.

Re: What is worse...

There's a lot of self titled experts who have never ran anything more than a few dual or quad core home computers.
The are good reasons why AMD isn't a serious presence in data centers, but these people will never accept that fact because they have no idea what we deal with.

Re: What is worse...

Look guys, my e-peen is huuuuuuge!

AMD for the WIN!! will apple move mac pro over?

[Joe_Dragon]

AMD for the WIN!! will apple move mac pro over?

Re:AMD for the WIN!! will apple move mac pro over?

you demonstrate the kind of ignorance that apple caters to.

Re:AMD for the WIN!! will apple move mac pro over?

AMD for the WIN!! will apple move mac pro over?

No. AMD isn't gay enough.

Re:AMD for the WIN!! will apple move mac pro over?

[Kuruk]

Apple are making their own CPU now. The iPad has more power than the Apple laptops. Shots fired at intel.

420 running slower? Dude, WHO COULD HAVE KNOWN?

[outlander]

Yeah, it doesn't make sense at all. ;)

Solution is simple

[GerryGilmore]

You can easily disable this patch with a boot command-line argument. Unless you are running a heavily VM-ed data center with shit for security, why would you cripple your system over the most esoteric hacks known to man and that - Oh! By the way! - require that you are running malware on your system already? (And spare me the horseshit about JS - that can ONLY happen in a carefully crafted environment.)

Re:Solution is simple

I see you cannot be bothered to share with us how to easily disable this patch with a command line argument. I'm going to bet it's because it's not as easy to disable as you make it seem.

But we wouldn't want to bother you with your amazing data center that has good security because you just paid to fix the problem with hardware. That's senior management thinking right there, Gerry!

Re:Solution is simple

[Mysticalfruit]

Add this to your kernel boot line:

pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

Re:Solution is simple

[Espectr0]

why did the boot argument had to be so complicated? i would have named it disable_STIBP or even disable_spectre_fix

Re:Solution is simple

don't forget:

hardware_evil_bit=off nsa_backdoor=disabled fbi_backdoor=enabled:abc123 cia_backdoor=disabled

Re:Solution is simple

WHy not

fast_or_secure=fast

?

Re:Solution is simple

That's because the switches for mitigations are granular. You can disable some while leaving others enabled since most of them do not have performance penalties. The given cmdline is also using both styles of switches at the same time (pti=off is the same as nopti for example). Read the kernel docs to get the full list.

Re:Solution is simple

[ArchieBunker]

Just wait until boot arguments are considered obsolete like traceroute for example. This will get merged into systemd and you will have to issue the commands at shutdown instead of at boot time.

Re:Solution is simple

Add this to your kernel boot line:

pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

#whatcouldpossiblygowrong

Re:Solution is simple

[Highdude702]

#Hashtags are for people that don't belong on this site.

Intel got that speed from _somewhere_

[gweihir]

There is now a price to pay. Not really a surprise.

Re:Intel got that speed from _somewhere_

[thegarbz]

It's surprising to know the world is full of trade-offs. I happily pay the price knowing that the speed is far more important than the incredibly low risk that this security issue could be exploited against me. There's a reason that pretty much every specter and meltdown mitigation has been optional.

Re:Intel got that speed from _somewhere_

Incredibly low risk? Spectre vulnerabilities can be activated with JavaScript.

Re:IMPERSONATING ME AGAIN? apk

[magarity]

Seriously, you might think you're so cool by annoying the other users but I for one am concerned for your health. Do you need medication or some other kind of help? It isn't normal to paste that stuff into every article.

Re: The PRICE We Pay For NICE Linus

[Type44Q]

A-fucking-men.

Requires hyper threading.

[Fly+Swatter]

So technically not ALL Intel cpus.. I finally dodged one of the many bullets, I should buy a lottery ticket.

Re:Requires hyper threading.

[Tough+Love]

Or you could disable HT in the bios. Still sucks.

Obligatory...

Fuck Intel.

Re:Zach Paterson/ZIP + c6gunner 'Greatest Hits'

Says the guy who has 99% of his posts modded to zero or less.

Re:The PRICE We Pay For NICE Linus

[NicknameUnavailable]

#savelinus

Better title

Intel CPUs performance suffers for its bug mitigation in linux kernel 4.20.

Re:Better title

[Philotomy]

Mod parent up.

This isn't a "Linux 4.20" problem, this is Intel's fault.

Re:IMPERSONATING ME AGAIN? apk

apk is a mentally ill person. His posts ebb and flow according to what's going on with his condition. It's usually best just to ignore him.

But why?

[gmit]

Old, vulgar Linus would have never allowed that!

Google?

[JBMcB]

I thought Google had figured out a patch to circumvent this at the OS level that had negligible impact on performance?

Re:Google?

They did. The problem is that it only works for one of many vulnerabilities. And this week we've got 7 more for Intel.

So you can benchmark slowing

I never pay that much attention to benchmark numbers. I don't max my PC out for much so incremental differences are hardly something noticeable. Yeah you can definitely argue a good 10 to 15% loss from everything added together with regards to Spectre/meltdown fixes.
Seems to me Google came up with Retpoline which some Linux OS run with minor performance hits. Even Windows 10 will implement this in Spring release. Wonder why all Linux desktop OS don't implement Retopline?

Re: So you can benchmark slowing

Well, if one is only running a PC to edit documents, then this doesnâ(TM)t matter, but if one is running simulations or video transcoding then it matters enormously.

Re: IMPERSONATING ME AGAIN? apk

I've always kinda thought of him as "He who shall not be named" because as soon as you type the letters A...P...K.

See the comments below

Oh dear

I've just discovered that my penis is leaking fondant. At least it's tasty.

Re:Oh dear

I've just discovered that my penis is leaking fondant. At least it's tasty.

Ok now I'm jealous. Mine only leaks pre-cum and regular cum. How did you do that? I've tried everything, including eating loads of asparagus and yogurt. I just can't make it happen. Please share your secret!

420 version?

Probably slower cuz it is stoned ...

FAIL

[sproketboy]

TempleOS FTW

Re:The PRICE We Pay For NICE Linus

[Aighearach]

pre-USADA Linus was the GOAT, like Ken Shamrock with faster fingers.

No. It can't be!

Linus broke userspace? The users that are impacted will need a lot of mustard to choke down this shit sandwich. Intel needs to get off of their ass and at least tell us something instead of sending us down huxter highway with their next bullshit broken part.

Re:IMPERSONATING ME AGAIN? apk

Fuck ignoring him, drive him insane until he fucking snaps and kills someone or himself.

The reasons why.

The slowdowns are part of a planned obsolence, sales are down and the industry lies and fakes almost everything to get a new sale.
That includes ruining existing hardware with so called security bugs that need fixing while on the backdoor-side more exploits are added.

The industry thinks everyone is stupid, like they are themselves. People thinking they are fooling others when they are not.

Intel made their name with this.

That's right, they made their name by knowingly using bugged technology. "See how fast our cpu are !! We are the fastest..."

When those bugs get patched, they are no longer the fastest with the highest IPC count ..and so on.

Who will punish them for those blatant lies ? Sue em and fine them till kingdom come.

Abandon systemd?

[Artemis3]

So, abandon systemd? There is nearly a hundred distros NOT using it, what are you waiting for? http://without-systemd.org/

Intel issues: U may be right/not portfilter

1st U FAIL a PORTFILTERING TEST https://yro.slashdot.org/comme... (IF hosts could DO it I'd implement it in my work & I STOP THAT ERROR - test for yourself & see using my program) & Hosts can stop portsmash (blocking downloads of it) "You basically have to already be able to run your own evil code on a machine in order to PortSmash it." from https://www.theregister.co.uk/...

* In fact, hosts MAY prevent the OTHER forms of Intel CPU weakness per ACADEMIC RESEARCH I read:

SPECTRE "As an attempted mitigation for our JavaScript-based attack" https://spectreattack.com/spec...

MELTDOWN "We presented Meltdown, a novel software-based attack" https://meltdownattack.com/mel...

APK

P.S.=> Like portsmash? Academics NEEDED TO RUN CODE LOCALLY like portsmash which hosts can prevent harm to you via Spectre/Meltdown - & the ONLY thing I question would be can something like RPC make them work (that MAY be considered 'remote')... apk

IMPERSONATING ME AGAIN? apk

Zach Paterson/ZIP + c6gunner 'Greatest Hits': "I'm a much better programmer than APK" - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082)

BIG TALK - ZIP has no programs to show as proof.

I do https://news.slashdot.org/comm...

(From registered /.ers liking/using/praising my work + 100k users worldwide)

ZIP tried to take credit for what I solved before him https://tech.slashdot.org/comm...

He codes? He can't EVEN READ!

I show 2 ways to do it YOURSELF https://tech.slashdot.org/comm... - he can't.

Delphi/FreePascal/ObjectPascal HAS no null-term'd string bufferoverflows https://developers.slashdot.or... - C does, C++ can UNLESS you do what I said 1st.

He likes CODE SIGNING (it's been STOLEN & ABUSED) https://www.helpnetsecurity.co...

MY METHOD CAN'T BE (upmodded +2 INTERESTING in CODING FOR DEFCON) https://it.slashdot.org/commen...

ZIP says he has no /. acct "I don't have an account so I don't have mod points" https://news.slashdot.org/comm...

Yet ZIP says he downmods me (IMPOSSIBLE w/ no /. acct.): "I down-modded a few of your post" - by Anonymous Coward "ZIP" on Thursday October 11, 2018 @11:31AM (#57461058)

APK

P.S.=> KEEP IMPERSONATING ME like https://science.slashdot.org/c... (I'd never say that OR bitch to do-NOTHING "ne'er-do-wells" like ZIP OR c6gunner https://linux.slashdot.org/com... (he 1st mocked me & impersonated me TWISTING /.ers words & after I FAIRLY challenged him to show HE DID BETTER & that was his response (weak))!

Above EXPOSES your BLOWHARD incompetence... apk

Re: The PRICE We Pay For NICE Linus

amyn to that! what a horrible excuse for a humyn. there should be laws myndating people be more polite to each other.

This is some funny shit...

... intel finally being punished... for their cheats... now their chips are truely junky/slowly...wieeeeee

spectre

[sad_]

further spectre mitigation code is causing these slow down issues.
it's discussed in a follow up phoronix article.