The Performance Cost of Security Mitigation on Linux 4.19

Discussion in 'HardForum Tech News' started by cageymaru, Aug 30, 2018.

  1. cageymaru

    Michael Larabel from Phoronix has run three Intel Xeon and two AMD EPYC systems through a battery of testing, including a virtual machine, to determine the performance cost that security mitigation patches such as Spectre, Meltdown, and Foreshadow have had on the platforms under Linux. The Linux 4.19-rc1 kernel was used in the testing, but they didn't disable Hyper-Threading / SMT support on the Intel chips, as some public cloud providers adjust their scheduler to block threads from going across users. Doing so would lower performance even more. An overview chart and more information gleaned from the article can be found here. Thanks TurboGLH!

    After testing all of the configurations on the stock Linux 4.19-rc1 kernel, tests were repeated after using the various run-time switches for disabling mitigations. All of the systems were tested with Ubuntu 18.04.1 LTS x86_64 with the Linux 4.19-rc1 kernel via the Ubuntu Mainline Kernel PPA, up-to-date microcodes/BIOS, GCC 7.3, and the EXT4 file-system.
     
  2. viper1152012

    Mitigations help close the gap.... Thanks Intel
     
  3. lollerwaffle

    That's my reason for not going with the 9900K. A beautiful chip on paper, and it'll perform great. But I don't want to keep messing with updates to make sure I DO NOT get patches I don't need, that lower performance and fix things I will not run into as a private user on one machine. AMD has a leg up here and I think Zen-2 will be my next step, I think it'll just make sense at the time.
     
  4. ChadD

    Not that I would defend Intel all that hard.

    Having said that... as this article is about Linux.

    These grub parameters will stop the kernel from loading all the performance-killing mitigations if you wanna fly without underwear.
    pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

    Edit /etc/default/grub
    find
    GRUB_CMDLINE_LINUX_DEFAULT=" " (likely quiet and splash will be in the "" for most desktop distros)

    GRUB_CMDLINE_LINUX_DEFAULT="pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier quiet splash"

    Save and update grub with.
    update-grub

    There ya go... Linux with no mitigations on whatever kernel you want. If you want to boot at any time protected... just hit e on your grub screen remove the flags and boot.

    If you ever want to check if you have your mitigations on or off;
    grep . /sys/devices/system/cpu/vulnerabilities/*
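    A small audit script, added here as an example and not part of ChadD's post or of any kernel tooling: it reads the same sysfs directory as the grep command above and checks a kernel cmdline for the five parameters listed, so an admin can tell at a glance whether a box has been booted with mitigations off. The status strings used when it is run against sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether a Linux host is running
# with speculative-execution mitigations switched off. It reads the same sysfs
# directory as the post's grep command and scans a kernel cmdline for the same
# GRUB parameters the post lists. Directory and cmdline are function arguments
# so the checks can also be exercised against constructed sample data offline.

# The mitigation-disabling parameters quoted in the post.
OFF_PARAMS="pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier"

# Print each disabling parameter present in the given cmdline string, one per
# line, in OFF_PARAMS order. Exact-word match, so e.g. "pti=on" is not reported.
find_off_params() {
    for p in $OFF_PARAMS; do
        for word in $1; do
            [ "$word" = "$p" ] && echo "$p"
        done
    done
    return 0
}

# Print "file: status" for every file in the sysfs vulnerabilities directory
# whose status begins with "Vulnerable" (mitigation absent or disabled).
# "Mitigation: ..." and "Not affected" entries are skipped.
report_vulnerable() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) echo "$(basename "$f"): $status" ;;
        esac
    done
    return 0
}

# Number of vulnerability files reporting Vulnerable (0 when none).
count_vulnerable() {
    report_vulnerable "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the live host, using the paths from the post.
# Prints nothing under each heading when the host is fully mitigated
# (or when these files do not exist on this system).
echo "== disabling parameters on /proc/cmdline =="
find_off_params "$(cat /proc/cmdline 2>/dev/null)"
echo "== sysfs entries reporting Vulnerable =="
report_vulnerable /sys/devices/system/cpu/vulnerabilities
```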
     
  5. RealBeast

    Intel marketing needs to get with the program, these are security "features" not mitigations. And it's to Intel's credit that the "features" are available for Linux. :rolleyes:
     
  6. naib

    Nah not enough marketing bling
    "We at Intel aim to provide the fastest chips out there, but we are also responsible. As a result we are launching the forYou(TM) initiative. The end user can choose what they want to mitigate.

    Those in the data centres may want the highest isolation and thus would want to enable all security features.
    Those after pure processing power can opt for the turbo option.

    Finally those in the market moving data between processes can opt to use the blazingly fast inter process data access feature"
     
  7. jardows

    I know - make a hardware switch to make the grub changes, and boom! Return of the turbo button!
     
  8. Inacurate

    With Wi-Fi, and Google Home/Amazon Alexa support?
    How's an attacker supposed to know when your system is vulnerable if they can't flip the switch?
     
  9. ChadD

    Alexa engage Intel turbo mode.
     
  10. Rockenrooster

    Wow. And if I read correctly, this doesn't even include the latest Foreshadow vulnerability fix.
    EPYC 2 is gonna put the hurting on Intel even more.
     
  11. pingjockey

    It's issues like these that are going to drive me to migrate my VMware environment from Intel to AMD hardware. Hell, I am even considering ripping out my 8700K at this point over this stuff.