Announcement

Collapse
No announcement yet.

The Performance Impact Of MDS / Zombieload Plus The Overall Cost Now Of Spectre/Meltdown/L1TF/MDS

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • mrazster
    replied
    Originally posted by perpetually high View Post

    Yup
    FAANTASTIC....thnx, much appreciated.
    Thought I would have to wait for 5.2 to be released, for that switch to work.

    Leave a comment:


  • perpetually high
    replied
    Originally posted by mrazster View Post

    So instead of
    Code:
    pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier
    I just insert
    Code:
    mitigations=off
    Yup

    Leave a comment:


  • mrazster
    replied
    Originally posted by perpetually high View Post
    After updating GRUB, I can confirm that mitigations=off is the exact same as the long list we've been using (I used spectre_meltdown_checker.sh to double check).
    So instead of
    Code:
    pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier
    I just insert
    Code:
    mitigations=off
    ?

    Leave a comment:


  • Alex/AT
    replied
    Originally posted by Bsdisbetter View Post
    Likewise storing passwords in a browser is just plain dumb. Storing passwords anywhere other than a wallet not on the system in question is dumb. You can't mitigate stupidity, it seems.
    Indeed you can't, it seems. You may store them anywhere, you still enter them into the system, and they can be stolen exactly this very moment. After entering them, you get session keys that may be stored and reused as well. Etc.

    Leave a comment:


  • perpetually high
    replied
    Originally posted by xfcemint View Post

    Nice. Will it be backported to older LTS kernels? I hope so. Some or all?
    I just double checked some changelogs and they were all backported!

    5.1.2 and newer have it
    5.0.16 and newer have it
    4.19.43 and newer have it
    4.14.119 and newer have it
    4.9.176 and newer have it
    4.4.180 and newer have it

    Leave a comment:


  • perpetually high
    replied
    Nice, I didn't realize mitigations=off made it into kernel 5.1 (confirmed on my end using 5.1.3, and it appears to have been introduced in 5.1.2 after checking changelog)

    Code:
    mitigations=
            [X86,PPC,S390] Control optional mitigations for CPU
            vulnerabilities.  This is a set of curated,
            arch-independent options, each of which is an
            aggregation of existing arch-specific options.
    
            off
                Disable all optional CPU mitigations.  This
                improves system performance, but it may also
                expose users to several CPU vulnerabilities.
                Equivalent to:
                           nopti [X86,PPC]
                           nospectre_v1 [PPC]
                           nobp=0 [S390]
                           nospectre_v2 [X86,PPC,S390]
                           spectre_v2_user=off [X86]
                           spec_store_bypass_disable=off [X86,PPC]
                           l1tf=off [X86]
                           mds=off [X86]
    
            auto (default)
                Mitigate all CPU vulnerabilities, but leave SMT
                enabled, even if it's vulnerable.  This is for
                users who don't want to be surprised by SMT
                getting disabled across kernel upgrades, or who
                have other ways of avoiding SMT-based attacks.
                Equivalent to: (default behavior)
    
            auto,nosmt
                Mitigate all CPU vulnerabilities, disabling SMT
                if needed.  This is for users who always want to
                be fully mitigated, even if it means losing SMT.
                Equivalent to:
                           l1tf=flush,nosmt [X86]
                           mds=full,nosmt [X86]
    After updating GRUB, I can confirm that mitigations=off is the exact same as the long list we've been using (I used spectre_meltdown_checker.sh to double check).

    Leave a comment:


  • GreenReaper
    replied
    There are hardware mitigations, and indeed they are already available in some CPUs:
    https://www.intel.com/content/www/us...ology/mds.html

    Regrettably, knowing a CPU is an i9-9900K is not enough to know whether it has them all, as stepping 13 does while stepping 12 does not:
    ​​​​https://www.intel.com/content/www/us...-hardware.html

    It'd be nice to think that CPUs currently in the sales channel are safe; but really, who knows?

    Also unfortunate: the bigger the CPU's store buffers, the more data must be written to clear them. This is generally worse the newer the CPU (although Atom/Silvermont chips appear to have very small buffers, which is one reason they're comparatively slow to start with). For Broadwell, it's 1.5KB. For Skylake and above, it's 6KB, as described near the end of Intel's Deep Dive (ominous):
    https://software.intel.com/security-...-data-sampling

    The same document goes into the thread synchronization and quiescing required for Hyper-Threading, which has this fun nugget:

    "If the thread in kernel state needs to access protected data, the OS should transition from state 6a or 6b [where one thread is in kernel mode, the other in user mode] to state 4 [where both are in kernel mode]. The thread in kernel state should use an interprocessor interrupt (IPI) to rendezvous the two threads in kernel state in order to transition the core to state 4."

    So when one thread on the core has to access something the other software running simultaneously can't be allowed access to, it fires off an IPI leading to an additional user-to-kernel and subsequent kernel-to-user transition on the other (unrelated) thread - and that transition itself may have bigger costs now thanks to prior mitigations. Plus the second thread is probably idling while the first does the work it needs to do and then clears the buffers.

    An inter-processor interrupt by itself can be expensive. Just sending it might cost 100 cycles, but if you are waiting for a response before you proceed, it could cost thousands. (This might be lessened by the fact that it's actually the same physical CPU core in this case.)

    PostgreSQL has made great strides in parallel queries and can do a lot of disk reading (particularly if you don't have everything its own memory pool) and writing (of WAL and individual pages), so it's no surprise they are impacted heavily by the latest mitigations.
    Last edited by GreenReaper; 18 May 2019, 09:10 PM.

    Leave a comment:


  • Bsdisbetter
    replied
    Originally posted by xfcemint View Post

    I believe it is a mix or utter irresponibility and incompetence. They (Intel) can (or could) afford it, as market leaders. The other CPU manufacurers also acted irresponsibly, but somewhat less than Intel.

    As someone wrote, at the end of the day Intel is gonna draw the line and look at their record high profits in the past few yers. And that's all that matters.



    They will remove them, but it takes two-three years to design and manufacture a new processor. In the mean time, it is software mitigations acommpanied by their PR bullshit to try to convince us everything is fine and smooth.

    And by the way, when they do design a new processor, the old bugs should be fixed but new ones will be incomming (hopefully, none as bad as Spectre class, but who knows...).
    Doesn't matter, most people buy computers based on design of the laptop chassis anyway. And, of course, the brand, <irony ON> it is important because some brands have only good computers, and others have only bad computers. A good brand is the same one that your friends bought, because your friends are not fools.



    Yeah, there's a new backup tech which can protect you from credit card number theft. If your credit card number is stolen, just restore it from the backup and you're fine. Same for logins and passwords, just use a time-reversing snapshot.

    Best to disable those mitigations so you can play Battlefield 2999 at 134 FPS instead of peasantly meager 121.
    Yeah, melodrama at its best
    If you store ANYTHING on your computer such as credit card info then you deserve to be burned when you visit that dodgy crack site to pay for stolen goods. Likewise storing passwords in a browser is just plain dumb. Storing passwords anywhere other than a wallet not on the system in question is dumb. You can't mitigate stupidity, it seems.

    Just realize that exploits of ssl have been around for a long time, but hey by all means dig up your old 386 and run dos on it, put your tin-foil hat on and don't use the web.

    ps the intel microcode is available.
    Last edited by Bsdisbetter; 18 May 2019, 09:12 PM.

    Leave a comment:


  • audir8
    replied
    Originally posted by Xaero_Vincent View Post
    Heavy context switching is a disaster for Intel chips now. Ugh.
    Context switching has always had a high cost in hardware and in software. I think meltdown is the majority of the 16% hit in the geometric mean tests extrapolating from earlier benchmarks. MDS seems like it is the worst for context switching, but people have been writing code to avoid context switching for as long as it has existed. It's ironic that people were going after additional forms of isolation like MPX, SGX when basic process isolation had holes in it and KPTI does something the hardware should've done.

    If any Intel engineers kept notes on potential pitfalls in the design, but then were overruled by superiors because of performance... would make for some nice diesel-gate-like evidence. Not that anything like that would ever come out of Intel, IBM or ARM for meltdown.

    Leave a comment:


  • Bsdisbetter
    replied
    Originally posted by loganj View Post
    ok. so there are more bugs now. the question that i have: does any of the manufactures removed any of them with the new processors? will they remove any of them? or they will continue to pretend that there is nothing wrong with them?
    Nope they'll continue to pretend software can mitigate all their mistakes and intentional performance hacks where they knew they were vulnerable - and that applies not just to intel, but amd etc. A lot of these current crop of vulnerabilities like spectre have been known a long time, it's just about producing a harmful exploit. Just read the wikipedia.

    Leave a comment:

Working...
X