Linux Developers Evaluating New "DOITM" Security Mitigation For Latest Intel CPUs
With the proposed Linux kernel patch, the DODT/DOITM mitigation is applied by default on newer Intel processors that advertise this flag. The mitigation can be disabled either with the global "mitigations=off" kernel option or with the new "doitm=off" kernel parameter introduced by this week's patch.
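As an added example (not code from the article or from the proposed kernel patch), the following POSIX shell function applies the control rules just described to a kernel command line: the mitigation stays at its patch default unless either "mitigations=off" or "doitm=off" is present. The function name and its output strings are this example's own assumptions; the script only reads /proc/cmdline and changes nothing on the host.

```shell
#!/bin/sh
# Added example, not part of the article or the kernel patch.
# Reports whether the proposed DOITM mitigation would be left enabled for a
# given kernel command line, following the rules the article describes:
#   - enabled by default on CPUs that expose the feature
#   - disabled by "mitigations=off" (global) or by "doitm=off" (new parameter)
# The name doitm_state and the exact output text are assumptions of this
# example, not an interface provided by the patch.

# doitm_state CMDLINE -> prints "enabled ..." or "disabled ..." with the reason
doitm_state() {
    cmdline="$1"
    state="enabled (patch default)"
    for word in $cmdline; do
        case "$word" in
            mitigations=off) state="disabled (mitigations=off)" ;;
            doitm=off)       state="disabled (doitm=off)" ;;
        esac
    done
    printf '%s\n' "$state"
}

# Read-only check of the running kernel's command line, when available.
if [ -r /proc/cmdline ]; then
    printf 'running kernel: '
    doitm_state "$(cat /proc/cmdline)"
fi

# Constructed command lines, for illustration only.
doitm_state "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet"
doitm_state "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro doitm=off"
doitm_state "BOOT_IMAGE=/vmlinuz mitigations=off root=/dev/sda2 ro"
```

Note that "mitigations=off" turns off every kernel-side CPU mitigation, not just DOITM, so a fleet audit that finds it on a host should treat that as a much broader finding than a lone "doitm=off".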
I ran benchmarks of a patched Linux 6.2 kernel in the default mode with this mitigation added, then again after rebooting with the doitm=off option to disable this new mitigation. Tests were done on an Intel Core i9 13900K "Raptor Lake" desktop processor as well as a dual socket Intel Xeon Platinum 8380 "Ice Lake" server. For both systems it's just been comparing the DOITM mitigation on/off for the patched kernel.
The good news is that at least for the variety of different system benchmarks run, this DOITM mitigation for the Linux kernel didn't impair the Raptor Lake performance all that much...
Overall there was less than a 1% difference, while only for a few tests like GIMP, Darktable, and an occasional web browser benchmark were there 2~5% performance hits on the i9-13900K. Those interested can see my quick benchmark runs here.
Over on the Xeon Platinum 8380 2P server, any performance hit from this DOITM mitigation was very minor. From cryptography tests to HPC benchmarks, database workloads like ClickHouse and PostgreSQL to AI workloads, kernel micro-benchmarks, and more, overall the DOITM mitigation impact was very light / barely measurable. Much less than I was anticipating given Intel's guidance and comments posted to the Linux kernel mailing list. Not nearly as scary as originally feared, but it's also important to point out that Intel's published guidance has indicated this workaround may become more costly for future processors. This was also further reiterated on the kernel mailing list by an Intel Linux engineer: "It appears that it's fairly cheap now, but Intel is reserving the right to make it worse over time."
It is also worth mentioning that this DOITM patch does not address the related MXCSR Configuration Dependent Timing (MCDT) vulnerability noted by Intel's published DODT guidance. A separate patch is expected there and when that is published I'll see how that looks on the performance front. At least as of now and with current generation Intel CPUs this mitigation impact doesn't look like much of a big deal, but that's just been my testing over the past two days... I'll be running more benchmarks this weekend and also monitoring to see where the Linux kernel discussion leads over the proposed DOITM mitigation for enhancing the security of recent Intel CPUs.
Those wanting to keep up on the Linux kernel mailing list discussion can follow this LKML thread.