Linux 4.20 Performance Decimated by Spectre and Meltdown Mitigations

[Megalith]

Phoronix began benchmarking the latest development version of Linux this week and found that performance was clearly worse on certain Intel systems, such as the Core i9 7960X. After further testing, the culprit turned out to be “kernel-side bits for STIBP (Single Thread Indirect Branch Predictors) for cross-hyperthread Spectre Variant Two mitigation.” AMD CPUs “didn't appear impacted.”

This latest Linux 4.20 testing endeavor started out with seeing the Intel Core i9 performance pulling back in many synthetic and real-world tests. This ranged from Rodinia scientific OpenMP tests taking 30% longer to Java-based DaCapo tests taking up to ~50% more time to complete to code compilation tests taking measurably longer to lower PostgreSQL database server performance to longer Blender3D rendering times. That happened with a Core i9 7960X and Core i9 7980XE test systems while the AMD Threadripper 2990WX performance was unaffected by the Linux 4.20 upgrade.

 

[Balkroth]

So AMD win?

 

[M76]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Let me decide if I want to opt in to these "mitigations". Because at this point it seems that the so called fixes are causing more problems than they solve. I know someone can theoretically siphon data from me, and I don't care! Someone can also break into my house and steal my entire computer, still I won't wall the windows in to mitigate that risk.

 

[MMitch]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Let me decide if I want to opt in to these "mitigations". Because at this point it seems that the so called fixes are causing more problems than they solve. I know someone can theoretically siphon data from me, and I don't care! Someone can also break into my house and steal my entire computer, still I won't wall the windows in to mitigate that risk.

Can't you do that on Linux ? (Article is about Linux)

 

[Master_shake_]

all mitigations and no play makes intel a dull boy.

 

[cageymaru]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Let me decide if I want to opt in to these "mitigations". Because at this point it seems that the so called fixes are causing more problems than they solve. I know someone can theoretically siphon data from me, and I don't care! Someone can also break into my house and steal my entire computer, still I won't wall the windows in to mitigate that risk.

While with time it's possible to better optimize the code to perhaps recover from some of the performance loss, with this being an intentional change, that's how things are looking for Linux 4.20 with no apparent improvement in sight. If disabling Spectre V2 mitigations for the Linux kernel, STIBP becomes disabled as a workaround for performance sensitive systems albeit potentially insecure.

I assume that means you can disable it. In my opinion that is the best way. Allow those who don't care to run the increased security a way to disable it. As for corporations that have sensitive data stored in the Cloud, and side channel attacks would allow data theft, add solutions that mitigate those risks directly into the kernel.

I would ship all systems with the protections set to "on." If the users want to disable it for more performance; then do so at their own risk.

 

[Spidey329]

Can't you do that on Linux ? (Article is about Linux)

You can disable them in Windows10 as well via the registry. There's a toolset out that will check if you're patched and enable/disable the various patches.

 

[Ultima99]

Are we sure this release isn't just stoned?

 

[whatevs]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Let me decide if I want to opt in to these "mitigations". Because at this point it seems that the so called fixes are causing more problems than they solve. I know someone can theoretically siphon data from me, and I don't care! Someone can also break into my house and steal my entire computer, still I won't wall the windows in to mitigate that risk.

You've never used GNU/Linux.

 

[ole-m]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Let me decide if I want to opt in to these "mitigations". Because at this point it seems that the so called fixes are causing more problems than they solve. I know someone can theoretically siphon data from me, and I don't care! Someone can also break into my house and steal my entire computer, still I won't wall the windows in to mitigate that risk.

These have to be put in place cause those banks running your bank account doesn't know how to selectively do this, so the vendor (Ms, Linux kernel etc) must by default.
also, you can disable it all if you want (which is from OS level) microcode I do not know about.

 

[whatevs]

I want to clarify that. No one runs bleeding edge kernels except a handful of distros and they require highly technical hand holding on an ongoing basis.

By the time 4.20 hits any LTS release that a professional would use, a simple Google search would provide answer on how to deal with any issue.

Plus, it has been possible to disable all this stuff trivially since the beginning... just like everything else with GNU/Linux. King of customization.

 

[Glock24]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Let me decide if I want to opt in to these "mitigations". Because at this point it seems that the so called fixes are causing more problems than they solve. I know someone can theoretically siphon data from me, and I don't care! Someone can also break into my house and steal my entire computer, still I won't wall the windows in to mitigate that risk.

Under Linux you can disable some or most mitigations via kernel parameters at boot. For kernel 4.20 some mitigations are baked in and require a recompile to disable them, at least that's what I understood.

As for Windows, you can use this to disable mitigations:

https://www.grc.com/inspectre.htm

 

[Simmonz]

I can't decide what issue to blame here. Should I go with maybe they were too 420 friendly while working on 4.20, or I could mention how the new COC is to blame ir should I just blame Intel ? So many options.

 

[M76]

You've never used GNU/Linux.

If you're a psychic, then a terrible one at that

 

[M76]

These have to be put in place cause those banks running your bank account doesn't know how to selectively do this, so the vendor (Ms, Linux kernel etc) must by default.
also, you can disable it all if you want (which is from OS level) microcode I do not know about.

Banks damn well should have security experts, who know how to make things secure. Almost nothing comes as fully secure out of the box, so if they know how to set up their networking and services on linux to be secure, they might as well know about this.

It is insanity to think that a bank would assume something is secure out of the box and just roll with it without double or triple checking.

 

[MMitch]

If you're a psychic, then a terrible one at that

Why did you post your original comment then ? Did you forget /s ?

 

[M76]

Why did you post your original comment then ? Did you forget /s ?

Forget what? That you can opt out of the spectre / meltdown mitigations under linux? No, I didn't know that. How do you leap from there to "you've never used linux"?

 

[jojo69]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Let me decide if I want to opt in to these "mitigations". Because at this point it seems that the so called fixes are causing more problems than they solve. I know someone can theoretically siphon data from me, and I don't care! Someone can also break into my house and steal my entire computer, still I won't wall the windows in to mitigate that risk.

that's all good until you want to access your private keys

a known secure environment is pretty important to some of us

 

[MMitch]

Forget what? That you can opt out of the spectre / meltdown mitigations under linux? No, I didn't know that. How do you leap from there to "you've never used linux"?

Good point. I just assumed that everyone thinks you can do whatever you want under linux... I'm far from been even an experienced linux user

 

[DogsofJune]

Phfff.... Processors these days. Good thing we keep moving forward with new tech......

 

[kllrnohj]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Let me decide if I want to opt in to these "mitigations". Because at this point it seems that the so called fixes are causing more problems than they solve. I know someone can theoretically siphon data from me, and I don't care! Someone can also break into my house and steal my entire computer, still I won't wall the windows in to mitigate that risk.

You run untrusted code all the time in the form of Javascript. It'd be unreasonable for anything to default to not having these mitigations when a javascript page could instantly own your entire system.

These fixes are not causing any problems at all. The performance loss is not so severe as to suddenly turn a system from perfectly usable to basically a brick.

If you want to manually opt-out go for it, but the default needs to be what it is. And Intel should fix their broken ass shit, or buy AMD which isn't affected to nearly the same degree.

 

[dgz]

OK, that's it, I've had enough! How can I put this in no uncertain terms?

I'm not running a cloud server, I'm not a bank, neither do I handle sensitive client data, STOP RUINING MY PERFORMANCE!

Get a Ryzen. You know I am right

 

[kandrey89]

By 2020 Intel will have just 15% market share of desktop and server market, while AMD will have 60%, ARM and IBM will hold the remainder (25%).

 

[Red Falcon]

By 2020 Intel will have just 15% market share of desktop and server market, while AMD will have 60%, ARM and IBM will hold the remainder (25%).

Oh I so cannot wait.
Maybe by being on the bottom, Intel will finally attempt to be competitive (price/performance) again.

We don't want them to disappear all together, though, as AMD will turn into exactly what Intel is now - I remember 2006 when AMD was on top and its then-new FX-60 dual-core CPU was $1200.00, and then a few months later dropped to nearly half that due to Intel's Core and later Core 2 CPUs.
Moral of the story: competition is good.

 

[DejaWiz]

For anyone wondering what it's like to have a multi-core PIII Coppermine...

 

[M76]

Get a Ryzen. You know I am right

My cpu is not affected that much by this, marginal losses at worst. But at work many of the computers are pre-haswell that are hit badly.

 

[dgz]

My cpu is not affected that much by this, marginal losses at worst. But at work many of the computers are pre-haswell that are hit badly.

What do you do on them?

 

[NoOther]

Not sure how this matters for most, but likely one of the reasons I am seriously considering moving to AMD with my next build. Of course it would still require a significant upgrade in performance compared to my now 8 year old 2600k which is still plodding along just fine even with mitigations in place.

You run untrusted code all the time in the form of Javascript. It'd be unreasonable for anything to default to not having these mitigations when a javascript page could instantly own your entire system.

These fixes are not causing any problems at all. The performance loss is not so severe as to suddenly turn a system from perfectly usable to basically a brick.

First, care to share what Javascript is out there instantly owning systems without these mitigations?

Even if someone were to pull off the near miraculous and use one of the variants to get to his system. They aren't "owning" the system. The best they could do is get some random information from the system. Even to do that would require them to bypass other security measures which are usually in place. And after all that, the information would have to be something vital to be worthwhile. If you don't contain any sensitive information on the system, what is the point? For instance I could give 2 shits if someone uses one of these variants to steal information on my gaming system. What information are they going to steal? I don't keep anything vital on it, it is a gaming system.

Second, performance is performance. For some there is no reason to put in mitigations that aren't really going to affect them. Why should I hamper the performance on my gaming rig even a little bit if there is no reason for it?

 

[M76]

What do you do on them?

Data processing with lots of io.

 

[SLee]

So AMD win?

Even with the performance loss, the Intel systems still end up with comparable or better performance in the Java tests, GCC compilation, and PostgresSQL. It could be argued that the AMD systems already had their performance-loss built-in.

 

[naib]

I can't decide what issue to blame here. Should I go with maybe they were too 420 friendly while working on 4.20, or I could mention how the new COC is to blame ir should I just blame Intel ? So many options.

CoC for this, hands down. The CoC has made raising objections a hazzard as the SJW can jump on people for raising concerns. Sure Intel dropped the bomb the damn ... this code should have been reviewed and I don't believe in coincidences ...

https://www.phoronix.com/scan.php?page=news_item&px=Linux-Torvalds-STIBP-Comment

This was marked for stable, and honestly, nowhere in the discussion did I see any mention of just *how* bad the performance impact of this was.

When performance goes down by 50% on some loads, people need to start asking themselves whether it was worth it. It's apparently better to just disable SMT entirely, which is what security-conscious people do anyway.

So why do that STIBP slow-down by default when the people who *really* care already disabled SMT?

I think we should use the same logic as for L1TF: we default to something that doesn't kill performance. Warn once about it, and let the crazy people say "I'd rather take a 50% performance hit than worry about a theoretical issue".

Linus

 

[dgz]

Data processing with lots of io.

What would be the perfect CPU for your loads, and why exacty?

 

[Aireoth]

Can I disable this shit on Windows? All someone will get from my personal PC is some of my porn habits, pics of my family, and Granny's pickling recipes.

 

[M76]

What would be the perfect CPU for your loads, and why exacty?

I have no idea what would be the perfect cpu, I wish I could try them all. There are definitely no benchmarks available for this, apart from the tests I do. And currently we are cpu limited, I wish I could try a 2990 but if it doesn't bring any significant advantages it's my ass.