cageymaru (Fully [H], joined Apr 10, 2003, 22,080 messages)

Michael Larabel from Phoronix has run three Intel Xeon and two AMD EPYC systems through a battery of testing, including a virtual machine, to determine the performance cost that security mitigation patches such as Spectre, Meltdown, and Foreshadow have had on the platforms under Linux. The Linux 4.19-rc1 kernel was used in the testing, but they didn't disable Hyper-Threading / SMT support on the Intel chips as some public cloud providers do (adjusting their scheduler to block threads from going across users). Doing so would lower performance even more. An overview chart and more information gleaned from the article can be found here. Thanks TurboGLH!

After testing all of the configurations on the stock Linux 4.19-rc1 kernel, tests were repeated after using the various run-time switches for disabling mitigations. All of the systems were tested with Ubuntu 18.04.1 LTS x86_64 with the Linux 4.19-rc1 kernel via the Ubuntu Mainline Kernel PPA, up-to-date microcodes/BIOS, GCC 7.3, and the EXT4 file-system.
 
That's my reason for not going with the 9900K. A beautiful chip on paper, and it'll perform great. But I don't want to keep messing with updates to make sure I DO NOT get patches I don't need, that lower performance and fix things I will not run into as a private user on one machine. AMD has a leg up here and I think Zen-2 will be my next step, I think it'll just make sense at the time.
 
That's my reason for not going with the 9900K. A beautiful chip on paper, and it'll perform great. But I don't want to keep messing with updates to make sure I DO NOT get patches I don't need, that lower performance and fix things I will not run into as a private user on one machine. AMD has a leg up here and I think Zen-2 will be my next step, I think it'll just make sense at the time.

Not that I would defend Intel all that hard.

Having said that... as this article is about Linux.

These grub parameters will stop the kernel from loading all the performance-killing mitigations if you wanna fly without underwear.
pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

Edit /etc/default/grub
find
GRUB_CMDLINE_LINUX_DEFAULT=" " (likely quiet and splash will be in the "" for most desktop distros)

and change it to (no space after the =, since the file is sourced as a shell script):

GRUB_CMDLINE_LINUX_DEFAULT="pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier quiet splash"

Save and update grub with:
update-grub

There ya go... Linux with no mitigations on whatever kernel you want. If you want to boot protected at any time, just hit e on your grub screen, remove the flags, and boot.

If you ever want to check if you have your mitigations on or off:
grep . /sys/devices/system/cpu/vulnerabilities/*
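A small audit script, added here as an example and not part of the original post, that reads the same sysfs entries as the grep above and reports which are still "Vulnerable", plus which of the post's disable switches are present on the kernel command line. The directory and cmdline are passed as arguments; make_sample builds a constructed stand-in for /sys/devices/system/cpu/vulnerabilities so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). On a live system run:
#   vulnerable_entries /sys/devices/system/cpu/vulnerabilities
#   disable_flags_present "$(cat /proc/cmdline)"

# Print the name of every sysfs entry whose status starts with "Vulnerable",
# i.e. an issue for which no mitigation is currently active.
vulnerable_entries() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) basename "$f" ;;
        esac
    done
}

# Print each of the post's mitigation-disabling switches found in the
# given command line (exact token match, so "pti=off" != "pti=offx").
disable_flags_present() {
    for flag in pti=off spectre_v2=off l1tf=off \
                nospec_store_bypass_disable no_stf_barrier; do
        case " $1 " in
            *" $flag "*) echo "$flag" ;;
        esac
    done
}

# Constructed sample directory mimicking the sysfs files on a box booted
# with the post's flags. Values are illustrative, not captured from a host.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "Vulnerable" > "$d/meltdown"
    echo "Mitigation: PTE Inversion; VMX: vulnerable" > "$d/l1tf"
    echo "$d"
}

# Walk-through on the constructed sample.
sample=$(make_sample)
echo "Entries with no active mitigation:"
vulnerable_entries "$sample"
echo "Disable switches on cmdline:"
disable_flags_present "pti=off spectre_v2=off quiet splash"
rm -rf "$sample"
```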
 
Intel marketing needs to get with the program, these are security "features" not mitigations. And it's to Intel's credit that the "features" are available for Linux. :rolleyes:
 
Nah not enough marketing bling
"We at Intel aim to provide the fastest chips out there but we are also responsible. As a result we are launching the forYou(TM) initiative. The end user can choose what they want to mitigate.

Those in the data centres may want the highest isolation and thus would want to enable all security features.
Those after pure processing power can opt for the turbo option.

Finally those in the market moving data between processes can opt to use the blazingly fast inter process data access feature"
 
I know - make a hardware switch to make the grub changes, and boom! Return of the turbo button!
 
With Wi-Fi, and Google Home/Amazon Alexa support?
How's an attacker supposed to know when your system is vulnerable if they can't flip the switch?
 
Wow. And if I read correctly, this doesn't even include the latest Foreshadow vulnerability fix.
EPYC 2 is gonna put the hurting on Intel even more.
 
It's issues like these that are going to drive me to migrate my VMware environment from Intel to AMD hardware. Hell, I am even considering ripping out my 8700K at this point over this stuff.
 