Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes

Written by Michael Larabel in Software on 2 January 2018 at 06:35 PM EST. Page 1 of 2. Add A Comment.

Over the past day you've likely heard lots of hysteria about a yet-to-be-fully-disclosed vulnerability that appears to affect at least several generations of Intel CPUs and affects not only Linux but also Windows and macOS. The Intel CPU issue comes down to leaking information about the kernel memory to user-space, but the full scope isn't public yet until the bug's embargo, but it's expected to be a doozy in the data center / cloud deployments. Due to the amount of interest in this issue, here are benchmarks of a patched kernel showing the performance impact of the page table isolation patches.

The software fix for this Intel CPU problem for Linux/Windows/macOS is expected to introduce a performance penalty and reports are anywhere from 5% to 30%. I've been running some benchmarks and will have some more extensive tests soon, but given all the emails today about the issue, here are my initial benchmark numbers on two systems. The x86 PTI patches are mainline for this past weekend's release of Linux 4.15-rc6.

Performance penalties from single to double digits are expected on patched kernels. The penalty depends upon how much interaction the application/workload deals with the kernel if there's a lot of context switching and other activity. If it's a simple user-space application not doing much, the x86 PTI additions shouldn't cause much of an impact. Newer Intel CPUs with PCID should also help in ensuring less of a performance impact.

These x86 PTI patches are being back-ported to all supported Linux kernel series right now. But with lots of the Linux kernel PCID "Process Context Identifiers" support being merged just in 2017, the older LTS kernel back-ports are expected to be slower with not having PCID support for avoiding TLB flushes on context switches. As of now, this vulnerability doesn't appear to affect AMD CPUs but is currently still marked insecure.

With the latest kernel code, all Intel CPUs are currently marked as insecure. For some initial benchmarks of the performance impact of these changes, I ran tests on a Core i7 8700K "Coffee Lake" system as well as an older Core i7 6800K "Broadwell E" system, the newer system on Ubuntu 16.04.3 LTS and the older on Ubuntu 17.10 and all of the hardware components intentionally quite different... More tests on a wider-range of hardware is coming up soon while waiting to learn more concrete information on this vulnerability, etc. Stay tuned.


Related Articles