Linux Developers Evaluating New "DOITM" Security Mitigation For Latest Intel CPUs

Written by Michael Larabel in Software on 27 January 2023 at 07:00 AM EST. Page 2 of 2.

With the proposed Linux kernel patch, the DODT/DOITM mitigation is applied by default for newer Intel processors with this flag. Disabling the mitigation can be done either with the global "mitigations=off" kernel option or the "doitm=off" kernel parameter as part of this week's patch.

doitm=off to disable the security mitigation.
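As an added example (not code from the article or from the kernel patch), here is a small Python helper that reads a kernel command line the way the article describes the mitigation's toggles: on by default for CPUs that report the feature, off when either the global `mitigations=off` switch or the per-mitigation `doitm=off` parameter is present. Whether the CPU reports the feature is passed in as a boolean, since this page does not name the flag; handling quoted values and repeated parameters is what a plain grep of /proc/cmdline would miss.

```python
import shlex
from typing import List, Optional, Tuple

def parse_cmdline(cmdline: str) -> List[Tuple[str, str]]:
    """Split a kernel command line into ordered (key, value) pairs.

    shlex handles quoted values such as console="ttyS0,115200"; a bare
    flag like "quiet" gets an empty value. Order is kept because the
    kernel generally lets the last occurrence of a parameter win.
    """
    pairs = []
    for token in shlex.split(cmdline):
        key, _, value = token.partition("=")
        pairs.append((key, value))
    return pairs

def last_value(pairs: List[Tuple[str, str]], key: str) -> Optional[str]:
    """Value of the last occurrence of `key`, or None if absent."""
    value = None
    for k, v in pairs:
        if k == key:
            value = v
    return value

def doitm_state(cmdline: str, cpu_has_doitm: bool) -> str:
    """Return 'enabled', 'disabled' or 'not-applicable'.

    Follows the article: default-on for CPUs with the feature; turned
    off by the global mitigations=off switch or by doitm=off.
    cpu_has_doitm is an assumed input, since the feature flag name is
    not given on this page.
    """
    if not cpu_has_doitm:
        return "not-applicable"
    pairs = parse_cmdline(cmdline)
    if last_value(pairs, "mitigations") == "off":
        return "disabled"
    if last_value(pairs, "doitm") == "off":
        return "disabled"
    return "enabled"

if __name__ == "__main__":
    # Constructed sample command lines, not taken from the test systems.
    samples = [
        "BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet",
        'console="ttyS0,115200" root=/dev/sda1 doitm=off',
        "root=/dev/sda1 mitigations=off",
    ]
    for line in samples:
        print(f"{doitm_state(line, True):>10}  <-  {line}")
```

On a live system the same check runs against the contents of /proc/cmdline.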

I ran benchmarks of a patched Linux 6.2 kernel in the default mode with this mitigation added and then, after rebooting with the doitm=off option, with this new mitigation disabled. Tests were done on an Intel Core i9 13900K "Raptor Lake" desktop processor as well as a dual socket Intel Xeon Platinum 8380 "Ice Lake" server. On both systems the comparison is simply the DOITM mitigation on versus off with the same patched kernel.

Intel Raptor Lake DODT Benchmark

The good news is that at least for the variety of different system benchmarks run, this DOITM mitigation for the Linux kernel didn't impair the Raptor Lake performance all that much...

Geometric Mean Of All Test Results benchmark with settings of Result Composite, Intel Raptor Lake DODT Benchmark. doitm=off was the fastest.

Overall there was less than a 1% difference, with 2~5% performance hits on the i9-13900K only for a few tests like GIMP, Darktable, and the occasional web browser benchmark. Those interested can see my quick benchmark runs here.

Xeon Platinum 8380 DODT Mitigation Impact
Geometric Mean Of All Test Results benchmark with settings of Result Composite, Xeon Platinum 8380 DODT Mitigation Impact. doitm=off was the fastest.

Over on the Xeon Platinum 8380 2P server, any performance hit from this DOITM mitigation was very minor. From cryptography tests to HPC benchmarks, database workloads like ClickHouse and PostgreSQL to AI workloads, kernel micro-benchmarks, and more, the overall DOITM mitigation impact was very light / barely measurable. That is much less than I was anticipating given Intel's guidance and the comments posted to the Linux kernel mailing list. It's not nearly as scary as originally feared, but it's also important to point out that Intel's published guidance has indicated this workaround may become more costly for future processors. This was further reiterated on the kernel mailing list by an Intel Linux engineer, "It appears that it's fairly cheap now, but Intel is reserving the right to make it worse over time."

It is also worth mentioning that this DOITM patch does not address the related MXCSR Configuration Dependent Timing (MCDT) vulnerability noted by Intel's published DODT guidance. A separate patch is expected there and when that is published I'll see how that looks on the performance front. At least as of now and with current generation Intel CPUs this mitigation impact doesn't look like much of a big deal, but that's just been my testing over the past two days... I'll be running more benchmarks this weekend and also monitoring to see where the Linux kernel discussion leads over the proposed DOITM mitigation for enhancing the security of recent Intel CPUs.

Those wanting to keep up on the Linux kernel mailing list discussion can follow this LKML thread.

