Announcement

Collapse
No announcement yet.

A Look At The Relative Spectre/Meltdown Mitigation Costs On Windows vs. Linux

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • GreenReaper
    replied
    I thought the above was pretty clear, but if you'd like more detail on editing the kernel command line (which I can appreciate, if you've not done it before) try this guide: https://www.howtoforge.com/tutorial/...arameter-edit/

    Be aware that a few people have reported degraded performance with the feature compiled in, even if it is disabled, which is quite possible as it changes the resulting code.
    Last edited by GreenReaper; 05-10-2018, 02:23 PM.

    Leave a comment:


  • Royi
    replied
    Originally posted by GreenReaper View Post

    For Linux you can actually compile it without CONFIG_PAGE_TABLE_ISOLATION and CONFIG_RETPOLINE. Or pass 'nospectre_v2 nopti' in the kernel command line - usually settable in your bootloader configuration, e.g. GRUB_CMDLINE_LINUX in /etc/default/grub on Debian (and then run 'update-grub').

    For Windows look at this and search for "Disable this fix" - or possibly uninstall the relevant updates, but others may rely on them.
    Any proper, clear and simple guide on how to disable those?
    Preferably without compiling the kernel but on a given system (Linux Mint 18.3 for that matter).

    Leave a comment:


  • GreenReaper
    replied
    Originally posted by Royi View Post

    How did you get your system "Unpatched"?
    I'd like to know how to do so both on Windows and Linux Mint.

    Thank You.
    For Linux you can actually compile it without CONFIG_PAGE_TABLE_ISOLATION and CONFIG_RETPOLINE. Or pass 'nospectre_v2 nopti' in the kernel command line - usually settable in your bootloader configuration, e.g. GRUB_CMDLINE_LINUX in /etc/default/grub on Debian (and then run 'update-grub').

    For Windows look at this and search for "Disable this fix" - or possibly uninstall the relevant updates, but others may rely on them.

    Leave a comment:


  • darkbasic
    replied
    Originally posted by treba View Post

    No, they microcode updates only allow certain mechanisms like IBRS, IBPB and STIBP to be used. That is AFAIK only about spectre variant 2 and generally much slower than solutions like retpoline, while arguably being more save.

    So no, especially meltdown is not going to be fixed by microcode updates but only by new hardware. On AMD you don't need have meltdown, so the difference in performance should be much smaller.
    Retpoline is NOT safe for Skylake+ architectures: https://lkml.org/lkml/2018/1/22/598

    "Then there's Skylake, and that generation of CPU cores. For complicated
    reasons they actually end up being vulnerable not just on indirect
    branches, but also on a 'ret' in some circumstances (such as 16+ CALLs
    in a deep chain).

    The IBRS solution, ugly though it is, did address that. Retpoline
    doesn't."

    Leave a comment:


  • darkbasic
    replied
    Originally posted by Venemo View Post
    Are these mitigations still necessary? I thought Intel has released a microcode update to fix it.
    The microcode does nothing by itselt, it simply exposes certain functionalities necessary for the kernel to mitigate those bugs in certain architectures.

    Leave a comment:


  • Royi
    replied
    Originally posted by Etherman View Post
    Interesting. I personally choose the performance option.
    How did you get your system "Unpatched"?
    I'd like to know how to do so both on Windows and Linux Mint.

    Thank You.

    Leave a comment:


  • Kendji
    replied
    Interesting to se those SQL benches

    Leave a comment:


  • papajo
    replied
    Originally posted by tpruzina

    You writing for NY Times or something? Because almost everything you wrote was inaccurate to varying degree.
    well it obviously is inaccurate to a varying degree since I wrote a metaphor to convey what is happening.

    metaphors are obviously not 100% accurate lol.

    They are used though to convey an underlying fact.

    And last time I checked (e.g here https://www.kb.cert.org/vuls/id/584653) the underlying problem as a matter of fact is the branch prediction features of the CPUs mainly made by Intel which are there to increase performance.


    So if you want to get more technicall you can just read the link I assumed that the user I was responding to (as well as most of the world) would not be interested in that and would like a simple explanation hence the housekeeper metaphor as well as the other analogies I used.
    Last edited by papajo; 03-24-2018, 12:37 AM.

    Leave a comment:


  • papajo
    replied
    Originally posted by Venemo View Post
    Are these mitigations still necessary? I thought Intel has released a microcode update to fix it.
    Spectre and the derivative techniques based on it (e.g meltdown) exploits a feature of the CPU that predicts upcoming instructions and precomputes so that in case they are used no additional computing will be necessary in real time.

    Lets say if the CPU was a housemate and knew that tomorrow is Saturday it would dry-clean freshen up and iron your 3 most probable night club outfits so that if the time comes for you to go out and party at Saturday night, you would not need to wait for those things to happen because the housekeeper (cpu) has already taken care of them the day before.

    And it does that for more than 1 outfit (since the cpu/house keeper does not know what you will use it can only predict what is plausible for you to wear given previous instructions or in our example's case her/his memory about your routine and taste in clothes)

    Hackers can get advantage of this because those precomputations leave a footprint which if they give a bait calculation they can find its track and in that way learn some things on how to manipulated the memory on which those tracks exist within the CPU.

    So the only fix/mitigation is to disable that prediction feature.


    And the only performance draw back you gonna see is in software that takes advantage of this prediction feature and the impact will depend on how frequently it uses that feature...

    For example this is a reason why in video games where the memory changes depending on an unpredictable and non normalized input (user's movements etc) you see close to 0 difference because that feature of the CPU has little to no application in that situation.


    Or in other words if you know how an application works you know if you gonna get a performance hit by the "mitigation" aka by having that prediction feature of the CPU disabled.
    Last edited by papajo; 03-24-2018, 12:08 AM.

    Leave a comment:


  • dungeon
    replied
    Originally posted by tpruzina

    Yes it is, the situation was summed up fairly well on lkml here by David Woodhouse : https://lkml.org/lkml/2018/1/22/598
    He said "screw" 3 times (screw it, screw them, screw Skylake) i think one time is enough and has best performance

    It is broken hardware, things are best summed with just one or two words He prefer to screwing things around, i prefer to just say what really is - so it is broken hardware, these are hardware design flaws... ideally no one should need software fixes like these shitty mitigations, but it is what it is

    Last edited by dungeon; 03-23-2018, 11:42 PM.

    Leave a comment:

Working...
X