cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
20,670
Michael Larabel from Phoronix has run three Intel Xeon and two AMD EPYC systems through a battery of testing including a virtual machine to determine the performance cost that security mitigation patches such as Spectre, Meltdown, and Foreshadow have had on the platforms under Linux. The Linux 4.19-rc1 kernel was used in the testing, but they didn't disable Hyper-Threading / SMT support on the Intel chips as some public cloud providers adjust their scheduler to block threads from going across users. Doing so would lower performance even more. An overview chart and more information gleaned from the article can be found here. Thanks TurboGLH!

After testing all of the configurations on the stock Linux 4.19-rc1 kernel, tests were repeated after using the various run-time switches for disabling mitigations. All of the systems were tested with Ubuntu 18.04.1 LTS x86_64 with the Linux 4.19-rc1 kernel via the Ubuntu Mainline Kernel PPA, up-to-date microcodes/BIOS, GCC 7.3, and the EXT4 file-system.
 
Joined
Feb 3, 2008
Messages
665
That's my reason for not going with the 9900K. A beautiful chip on paper, and it'll perform great. But I don't want to keep messing with updates to make sure I DO NOT get patches I don't need, that lower performance and fix things I will not run into as a private user on one machine. AMD has a leg up here and I think Zen-2 will be my next step, I think it'll just make sense at the time.
 

ChadD

Supreme [H]ardness
Joined
Feb 8, 2016
Messages
5,342
That's my reason for not going with the 9900K. A beautiful chip on paper, and it'll perform great. But I don't want to keep messing with updates to make sure I DO NOT get patches I don't need, that lower performance and fix things I will not run into as a private user on one machine. AMD has a leg up here and I think Zen-2 will be my next step, I think it'll just make sense at the time.

Not that I would defend Intel all that hard.

Having said that... as this article is about Linux.

These grub parameters will stop the kernel from loading all the performance killing mitigations if you wanna fly without underwear.
pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

Edit /etc/default/grub
find
GRUB_CMDLINE_LINUX_DEFAULT=" " (likely quiet and splash will be in the "" for most desktop distros)

GRUB_CMDLINE_LINUX_DEFAULT="pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier quiet splash"

Save and update grub with:
update-grub

There ya go... Linux with no mitigations on whatever kernel you want. If you want to boot at any time protected... just hit e on your grub screen remove the flags and boot.

If you ever want to check if you have your mitigations on or off:
grep . /sys/devices/system/cpu/vulnerabilities/*
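As an added example (not code from ChadD's post): a small Python script that parses the output of that grep command and reports which entries the kernel still lists as open, so you can confirm the switches took effect, or that a protected boot put the mitigations back. The sysfs sample embedded in it is constructed; pipe the real grep output into the script to check a live machine.

```python
"""Summarise `grep . /sys/devices/system/cpu/vulnerabilities/*` output:
which CPU vulnerabilities are mitigated, unaffected, or left open.
Added example for this thread (SAMPLE below is constructed, not captured)."""
import re
import sys

SAMPLE = """\
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable
"""

# path, a colon, then the status text (which may itself contain colons)
LINE_RE = re.compile(r"^\S*/vulnerabilities/(?P<name>[^:]+):(?P<status>.*)$")

def parse_vulnerabilities(text):
    """Return {name: (state, detail)}; state is mitigated/vulnerable/not_affected/unknown."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        status = m.group("status").strip()
        if status.startswith("Mitigation:"):
            state, detail = "mitigated", status[len("Mitigation:"):].strip()
        elif status.startswith("Vulnerable"):
            state, detail = "vulnerable", status[len("Vulnerable"):].strip(": ")
        elif status.startswith("Not affected"):
            state, detail = "not_affected", ""
        else:
            state, detail = "unknown", status
        result[m.group("name")] = (state, detail)
    return result

def unmitigated(parsed):
    """Vulnerabilities the kernel reports as open (what the *=off switches leave behind)."""
    return sorted(n for n, (s, _) in parsed.items() if s not in ("mitigated", "not_affected"))

def smt_exposed(parsed):
    """True when a mitigation line notes SMT is still vulnerable (the L1TF/HT caveat in the article)."""
    return any("SMT vulnerable" in d for _, d in parsed.values())

if __name__ == "__main__":
    # pipe real grep output on stdin, otherwise fall back to the constructed sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    parsed = parse_vulnerabilities(text)
    print("open:", ", ".join(unmitigated(parsed)) or "none")
    print("SMT still exposed:", smt_exposed(parsed))
```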
 

RealBeast

Gawd
Joined
Aug 4, 2010
Messages
648
Intel marketing needs to get with the program, these are security "features" not mitigations. And it's to Intel's credit that the "features" are available for Linux. :rolleyes:
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
Intel marketing needs to get with the program, these are security "features" not mitigations. And it's to Intel's credit that the "features" are available for Linux. :rolleyes:
Nah not enough marketing bling
"We at Intel aim to provide the fastest chips out there but we are also responsible. As a result we are launching the forYou(TM) initiative. The end user can choose what they want to mitigate.

Those in the data centres may want the highest isolation and thus would want to enable all security features.
Those after pure processing power can opt for the turbo option.

Finally those in the market moving data between processes can opt to use the blazingly fast inter process data access feature"
 

jardows

2[H]4U
Joined
Jun 10, 2015
Messages
2,071
Nah not enough marketing bling
"We at Intel aim to provide the fastest chips out there but we are also responsible. As a result we are launching the forYou(TM) initiative. The end user can choose what they want to mitigate.

Those in the data centres may want the highest isolation and thus would want to enable all security features.
Those after pure processing power can opt for the turbo option.

Finally those in the market moving data between processes can opt to use the blazingly fast inter process data access feature"

Not that I would defend Intel all that hard.

Having said that... as this article is about Linux.

These grub parameters will stop the kernel from loading all the performance killing mitigations if you wanna fly without underwear.
pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

Edit /etc/default/grub
find
GRUB_CMDLINE_LINUX_DEFAULT=" " (likely quiet and splash will be in the "" for most desktop distros)

GRUB_CMDLINE_LINUX_DEFAULT="pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier quiet splash"

Save and update grub with:
update-grub

There ya go... Linux with no mitigations on whatever kernel you want. If you want to boot at any time protected... just hit e on your grub screen remove the flags and boot.

If you ever want to check if you have your mitigations on or off:
grep . /sys/devices/system/cpu/vulnerabilities/*

I know - make a hardware switch to make the grub changes, and boom! Return of the turbo button!
 

Inacurate

Gawd
Joined
Aug 25, 2004
Messages
520
I know - make a hardware switch to make the grub changes, and boom! Return of the turbo button!

With Wi-Fi, and Google Home/Amazon Alexa support?
How's an attacker supposed to know when your system is vulnerable if they can't flip the switch?
 
Joined
Apr 11, 2017
Messages
878
Wow. And if I read correctly, this doesn't even include the latest Foreshadow vulnerability fix.
EPYC 2 is gonna put the hurting on Intel even more.
 

pingjockey

Limp Gawd
Joined
Nov 14, 2006
Messages
169
It's issues like these that are going to drive me to migrate my VMware environment from Intel to AMD hardware. Hell, I am even considering ripping out my 8700K at this point over this stuff.
 