DragonFlyBSD's Meltdown Fix Causing More Slowdowns Than Linux

  • F.Ultra
    replied
    Originally posted by pal666 View Post
    I replied to "not all x86 processors support PCID", because AMD x86 processors do not have to support PCID: they do not have a bug to fix.
    The PCID instruction is not there to fix a bug; what happened was that Intel proposed that utilizing PCID would increase the performance of the fix. The PCID instruction has been in Westmere since 2010 and was thus not added to fix a bug found in late 2017.



  • F.Ultra
    replied
    Originally posted by Almindor View Post

    I wonder if you'd say the same before the Snowden revelations if someone said NSA has tabs on pretty much everything...

    Also, 99% of the AMD/Intel engineers won't know what they're putting in there. The "chip on chip" is ARM and IIRC in the case of AMD is not even "theirs". It's ludicrous really. Very easy to have backdoors forced in like this. Just piggyback it in and make sure the "right people" enforce it under some nice cover story, e.g. "management engine". You only need to keep them quiet with a FISC court order and voilà.
    How exactly do you enforce a FISC court order on non-US companies such as ARM and all the Chinese/Korean/Japanese manufacturers? Regarding NSA and Snowden, yes, not only would I say that but I did back in the day. What we didn't know was to what extent NSA actually went (like intercepting Cisco hardware in shipping to add hardware backdoors; I mean there was always speculation that such things could be done [I mean we knew that it happened to Xerox machines sold to the Soviets], but few actually believed that they would do it for machines sold to the US and Western Europe).

    Further, what we have gotten from the NSA and CIA leaks is that they actually do mid-shipment intercepts instead of, i.e., asking/telling Cisco to install said backdoors, probably because they know that they cannot trust such companies to keep silent. All tools that we have seen are also exploiting bought and discovered exploits and not sophisticated hidden backdoors.

    And the "99% of engineers" does not compute; implementing something as complex as Out-of-Order Execution and Speculative Execution is not a small team's work. From design to construction, that design has been combed over with literally microscopes by thousands of engineers over multiple years. Intel employs over 100k people for a reason.



  • pal666
    replied
    Originally posted by eydee View Post
    It's not about AMD.
    I replied to "not all x86 processors support PCID", because AMD x86 processors do not have to support PCID: they do not have a bug to fix.



  • aht0
    replied
    I am afraid that in 50 years you will be looking back on today as the "Golden Age of Privacy", regardless of what the NSA, FSB/SVR or Chinese Intelligence Directorates are or are not putting in their software and chips. Globalization, religious extremism (and the terrorism it causes) and various other pressures are pretty much going to guarantee that the situation with privacy goes relentlessly downhill. There is just no other way; the actual risks brought by ever-quickening technical development are simply getting too big to allow freedoms for the sake of freedoms themselves.



  • Almindor
    replied
    Originally posted by F.Ultra View Post

    Well, Snowden didn't keep silent now, did he? And he is far from the only NSA whistleblower. Still, keeping secrets within an organisation built for such (as the NSA) is orders of magnitude easier than keeping a lid on an entire chip industry (Intel, ARM, nVidia and so on), where even some, like ARM, are outside US jurisdiction. Further, there were no leaks of tools, or even hints that such tools existed, to utilize these backdoors in processors in any of the documents leaked by Snowden and others.

    And that we have people in this very thread who apparently still believe that Kennedy was a conspiracy just shows that some people have a need to "believe".
    I wonder if you'd say the same before the Snowden revelations if someone said the NSA has tabs on pretty much everything...

    Also, 99% of the AMD/Intel engineers won't know what they're putting in there. The "chip on chip" is ARM and IIRC in the case of AMD is not even "theirs". It's ludicrous really. Very easy to have backdoors forced in like this. Just piggyback it in and make sure the "right people" enforce it under some nice cover story, e.g. "management engine". You only need to keep them quiet with a FISC court order and voilà.



  • F.Ultra
    replied
    Originally posted by Almindor View Post

    Seriously? You didn't hear about Snowden? All the people at the NSA save one knew what they were doing and kept their mouths shut. How is this even comparable as a moral dilemma? A "sanctioned/required" backdoor in CPUs is magnitudes lower on the moral radar.
    Well, Snowden didn't keep silent now, did he? And he is far from the only NSA whistleblower. Still, keeping secrets within an organisation built for such (as the NSA) is orders of magnitude easier than keeping a lid on an entire chip industry (Intel, ARM, nVidia and so on), where even some, like ARM, are outside US jurisdiction. Further, there were no leaks of tools, or even hints that such tools existed, to utilize these backdoors in processors in any of the documents leaked by Snowden and others.

    And that we have people in this very thread who apparently still believe that Kennedy was a conspiracy just shows that some people have a need to "believe".



  • dillon
    replied
    One other note, for DragonFly users: we have a Wiki page with instructions on how to run the Chrome browser securely (or as securely as it is possible to run it) that we recommend users use. A lot of this is applicable to Linux and the other BSDs, too. Basically, two levels of segregation. The first is that you segregate the browser from your main account by creating secondary user ids and home dirs that are ONLY used to run the browser (and use ssh to script the startup). The browser is still fast, as one can still make a direct X11 connection (but if you want to forward the X11 over ssh, or disable /dev/dri/card* acceleration, that works too and is somewhat more secure). The second is that Chrome itself has an experimental option called --site-per-process which honestly everyone needs to be using.

    -Matt



  • dillon
    replied
    Thanks for running those benchmarks testing our Meltdown mitigation, Michael! The results are about what we expected. The more system-call-heavy an application is, the more it suffers from the ~150 to ~250 ns of additional system call / interrupt / exception overhead. The less system-call-heavy, the less it suffers.

    Someone asked about PCID. DragonFlyBSD does not currently implement PCID so the results you are seeing are from two %cr3 loads without PCID in the system call path. I don't know what the difference would be... PCID didn't actually do a whole lot when we tested it a year or two ago, because it's only applicable for major process context switches and those are already well-managed by the scheduler. (Well, and virtualization too, but virtualization is not DragonFly's strong point). However, I will be looking at using PCID again to potentially reduce the impact of this mitigation, since Meltdown on Intel requires the MMU to be reloaded twice in these heavily used code paths.

    The Linux guys are saying that Meltdown losses are roughly cut in half with PCID in these code paths. That makes sense. But it's still bad.

    IBRS (one of the Intel microcode mitigations) is even worse. If you enable IBRS at all times (that would be Linux ibrs mode 2), performance is completely destroyed for just about everything. We're talking 30% or worse. For everything. IBRS has to be left on all the time to protect against two types of Spectre attacks --- same-process (e.g. javascript -> client browser) attacks, and sibling hyper-thread attacks. I consider Intel's microcode fixes to be a non-starter, honestly. They are unusable. I'll put support in DragonFly anyway, soon, but I consider it worthless. Spectre will not be truly fixed without new silicon... probably 6 to 12 months away, or worse.

    With IBRS, system call overhead increases from 380ns to 780ns on the one machine I have been able to test it on so far (an older Haswell), and performance is lost across far more than just the system call boundary.

    The partial IBRS mitigations across the user->kernel boundary provided by Intel are... I'm still vomiting.

    -Matt

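As an added example, not code from the thread or from DragonFly itself: a small C program that puts numbers on the two things discussed above, the per-system-call overhead Matt quantifies in nanoseconds and the PCID feature F.Ultra and pal666 argue about earlier in the thread. It times a tight loop of getppid() calls issued through syscall(2), so every iteration really crosses the user/kernel boundary, and it reads CPUID to report whether the core advertises PCID (CPUID.01H:ECX bit 17) and INVPCID (CPUID.07H:EBX bit 10). The function names, the iteration count and the use of getppid as the probe are my choices; it assumes a POSIX libc and, for the capability checks, an x86 build with a compiler that ships <cpuid.h> (GCC or Clang). On other architectures the checks return -1. Running it on a mitigated and an unmitigated boot of the same machine shows the added cost directly.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* 1 if CPUID.01H:ECX reports PCID, 0 if not, -1 when not built for x86. */
int pcid_supported(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((ecx >> 17) & 1u);
#else
    return -1;
#endif
}

/* 1 if CPUID.07H(sub-leaf 0):EBX reports INVPCID, 0 if not, -1 off x86. */
int invpcid_supported(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid_max(0, NULL) < 7)
        return 0;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    return (int)((ebx >> 10) & 1u);
#else
    return -1;
#endif
}

static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average wall-clock cost of one getppid() system call, in nanoseconds.
   syscall(2) is used instead of getppid() so that no libc/vDSO shortcut
   can answer from user space; each iteration enters and leaves the kernel,
   which is exactly the path a Meltdown page-table switch makes expensive. */
double ns_per_syscall(unsigned long iters)
{
    if (iters == 0)
        return 0.0;
    double t0 = now_ns();
    for (unsigned long i = 0; i < iters; i++)
        (void)syscall(SYS_getppid);
    return (now_ns() - t0) / (double)iters;
}

int main(void)
{
    printf("PCID: %d  INVPCID: %d\n", pcid_supported(), invpcid_supported());
    printf("getppid(): %.0f ns per call (average over 1M calls)\n",
           ns_per_syscall(1000000UL));
    return 0;
}
```

Build with `cc -O2 -o syscall_cost syscall_cost.c` and pin the process to one core while it runs; the figure includes loop overhead and timer reads, so compare runs against each other rather than treating any single number as the exact kernel entry cost.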


  • droste
    replied
    Originally posted by Spooktra View Post
    You didn't put too much thought in your response, did you? Has the government revealed everything they know about the Kennedy assassination? Ever hear of FISA courts, secret warrants, national security letters, gag orders, etc?

    All they would need to do is issue a directive to Intel, who owns the rights to the x86 ISA, that says all CPUs must have a secret back door that is undocumented, and have Intel codify in their design policies that all processors have to be designed with the following "features" without disclosing to their engineers why they insist on using said designs.

    For proof look at OpenBSD:
    The backdoors existed for a decade until the NDA expired and the author of the backdoors revealed their existence.

    Why do you think the Chinese have decided to use Chinese developed RISC-V based processors for their new supercomputers?

    This all stinks to high heaven of a conspiracy.
    No need to attack me. I'm not saying it's impossible to keep a secret. I'm saying it's impossible if there are many people involved over a large period of time.

    You need way less people to kill someone than to develop a CPU. That's my point here. After the assassination you can just burn every paper trail and never talk about it again for example. If you're lucky you don't get caught. But the design of a CPU is worked on constantly by hundreds of engineers. It's waaaay harder to hide something malicious here on purpose. Especially for 25 years.

    Your articles also help my claim. If you heard or read about it, it's not a secret anymore. And this came out 10 years (which is not even half of 25 years) after the alleged incident.
    Plus this quote from the article you linked:
    So, it appears the original allegations that developers working on OpenBSD networking code could have worked on backdoors, but there is no proof, and had the opportunity to add them to OpenBSD, but they probably didn't. And if they did, it was probably pulled out long ago anyway. The bugs previously mentioned were not found to be backdoor code.
    No proof, and it probably didn't happen.



  • starshipeleven
    replied
    Originally posted by gururise View Post
    The real slowdown comes after applying the Intel KPTI OS patch and the new Intel microcode that goes along with it, which makes the branch predictor in Intel CPUs significantly less aggressive. Techspot shows that the combination of the two has a more significant impact on system performance (gaming included): https://www.techspot.com/article/1556-meltdown-and-spectre-cpu-performance-windows/

    Michael, the new Intel microcode should be available from Asus for their 370 MB as a BIOS update.
    hot damn, that's a large hit.

