The Disappointing Direction Of Linux Performance From 4.16 To 5.4 Kernels

  • #11
    Originally posted by Danny3:
    Awful... just awful.
    I hate when developers care only about security and do the changes no matter the costs.
    I bet none of them used Phoronix Test Suite or other benchmarking tool before pushing these changes into the Linux kernel.
    This is really disappointing!
    Well, everyone with some mental sanity prefers security over speed when the security breach is that massive. Remember, these are hardware issues that will allow attackers to go insanely deep inside your whole system, not your run-of-the-mill crappy pointer leak and a brutally dumb patch afterwards.

    If you don't give a rat's ass about security on your system, just pass mitigations=off at boot and you are golden, but don't expect everyone to follow that short-sighted idea of yours of leaving half of planet Earth exposed to something this massive because your benchmarks look ugly.

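    The mitigations=off switch discussed in this post changes what the kernel itself reports under /sys/devices/system/cpu/vulnerabilities/, which is the quickest way to see which issues a given machine is still exposed to. The following POSIX shell script is an added example, not code from this thread or from any poster: it classifies those sysfs entries, counts the ones still reported as Vulnerable, and checks a boot command line for the global mitigations=off switch. The class names, the function names and the constructed sample directory are this example's own assumptions; the status formats ("Mitigation: ...", "Vulnerable...", "Not affected") are the ones the kernel uses.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise the kernel's own
# mitigation status report. Assumes the Linux sysfs layout
# /sys/devices/system/cpu/vulnerabilities/<issue> (one status line per file);
# a different directory can be passed as the first argument.

VULN_DIR="${1:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS: map one sysfs status line to a short class name.
# The class names are this example's own convention.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Vulnerable"*)   echo vulnerable ;;
        "Mitigation:"*)  echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# cmdline_disables_mitigations CMDLINE: true if the boot command line
# (e.g. the contents of /proc/cmdline) carries the global mitigations=off switch.
cmdline_disables_mitigations() {
    case " $1 " in
        *" mitigations=off "*) return 0 ;;
        *)                     return 1 ;;
    esac
}

# count_vulnerable DIR: number of entries still reported as Vulnerable.
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_status "$(cat "$f")")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# report_vulns DIR: one line per entry: name, class, raw kernel status.
report_vulns() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-24s %-13s %s\n' "$(basename "$f")" \
            "$(classify_status "$status")" "$status"
    done
}

# build_sample DIR: constructed sample directory (not data from a real
# machine) using the status formats the kernel emits.
build_sample() {
    mkdir -p "$1"
    printf '%s\n' 'Mitigation: PTI' > "$1/meltdown"
    printf '%s\n' 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$1/spectre_v1"
    printf '%s\n' 'Vulnerable: Clear CPU buffers attempted, no microcode' > "$1/mds"
    printf '%s\n' 'Not affected' > "$1/l1tf"
}

# Stand-alone use: report the live sysfs directory when it exists.
if [ -d "$VULN_DIR" ]; then
    report_vulns "$VULN_DIR"
    if [ -r /proc/cmdline ] && cmdline_disables_mitigations "$(cat /proc/cmdline)"; then
        echo "note: mitigations=off is set on the boot command line"
    fi
    echo "entries reported Vulnerable: $(count_vulnerable "$VULN_DIR")"
fi
```

    Run it with no arguments on a Linux box to see the live report, or point it at a directory built with build_sample to see how each status string is classified. A "Vulnerable" entry on a machine that was not booted with mitigations=off usually means the fix needs a microcode update rather than a kernel option, which the raw status column will say.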


    • #12
      Originally posted by perpetually high:
      Big yikes. Thanks for ringing the alarm.

      The other day I was curious on the ctx_clock test and ran it without mitigations=off on my i5-4670K, and it was 997!!! With mitigations=off, it was back down to 142. I'm so grateful we can turn that sh*t off on our notebooks/desktops.
      Security trumps performance. It's an essential tradeoff.

      It's better to have it run more slowly than to have it be untrustworthy. The additional security is just as important on desktops and notebooks, and you do not want to disable the security.

      I would recommend against disabling it. It's not worth the risk.

      Also the AMD CPUs do not suffer from much of a performance degradation which is due to AMD not playing fast and loose like Intel did. AMD was the one that did not cut corners in design, AMD is underappreciated, I think.

      The best fix for the problem will come with hardware level fixes in a new generation of CPU.



      • #13
        I wonder if the same tests/results apply when run on a Ryzen 3k series CPU, since it's supposed to be less prone to mitigations...



        • #14
          Disable all mitigations in the kernel, disable all the unnecessary bullshit you will never use, apply the GCC patch to compile the kernel using "-march=native", apply some Clear Linux patches to the kernel and compile.



          • #15
            Originally posted by jrch2k8:

            Well, everyone with some mental sanity prefers security over speed when the security breach is that massive. Remember, these are hardware issues that will allow attackers to go insanely deep inside your whole system, not your run-of-the-mill crappy pointer leak and a brutally dumb patch afterwards.

            If you don't give a rat's ass about security on your system, just pass mitigations=off at boot and you are golden, but don't expect everyone to follow that short-sighted idea of yours of leaving half of planet Earth exposed to something this massive because your benchmarks look ugly.
            Originally posted by Neraxa:

            Security trumps performance. It's an essential tradeoff.

            It's better to have it run more slowly than to have it be untrustworthy. The additional security is just as important on desktops and notebooks, and you do not want to disable the security.

            I would recommend against disabling it. It's not worth the risk.
            (Popular) unpopular opinion, but these mitigations are not meant for you and me; they are for the Linux servers that the entire world relies on, as they have to be secured and can't afford to cut any corners. Let them pay the price on the performance hit and/or go out and buy new hardware to mitigate it.

            I'd like some links of real attacks currently in the wild. And not just "but javascript is an attack vector and you use the Web right?" but real attacks that we are vulnerable to.

            I don't download just any program off the net and ./run_it, and I have a good network firewall to prevent the outside from getting in, so I don't see a reason to have them on and cripple my machine. But you're right, I shouldn't go to grandma's house and tack mitigations=off onto her machine.



            • #16
              Originally posted by perpetually high:
              I'd like some links of real attacks currently in the wild. And not just "but javascript is an attack vector and you use the Web right?" but real attacks that we are vulnerable to.
              The reason there are no real attacks currently in the wild is that said vulnerabilities are getting mitigated.
              I do not consider it to be an acceptable risk to completely trust all websites you browse to not ever get compromised.



              • #17
                Sad but required security improvements.

                Interestingly, my Ryzen-based laptop has been feeling faster with each kernel release. I guess that is the advantage of bleeding-edge hardware: as drivers and such improve, you don't notice the other slowdowns.

                It will be interesting to see the AMD results when Michael runs them. I suspect, though, that AMD is suffering a bit here even if it doesn't suffer from some of the same bugs Intel suffers from.



                • #18
                  Clickbait much?

                  Because anyone in the know will be well aware of the fact that these are mostly down to Spectre/Meltdown mitigation efforts, and the heaviest impact will be on Intel CPUs, as they were the ones who cut the most corners in relation to speculative execution. This would have been much more insightful had they been contrasted against equivalent AMD parts or, better yet, the same Intel CPU with the mitigation efforts turned off. That way you'd get some good data on the actual performance cost of the mitigation efforts and how much of the performance loss is down to genuine regressions.



                  • #19
                    I bet AMD results will be more equal across all versions due to their better and more secure architecture.



                    • #20
                      Originally posted by perpetually high:
                      (Popular) unpopular opinion, but these mitigations are not meant for you and me; they are for the Linux servers that the entire world relies on, as they have to be secured and can't afford to cut any corners. Let them pay the price on the performance hit and/or go out and buy new hardware to mitigate it.

                      I'd like some links of real attacks currently in the wild. And not just "but javascript is an attack vector and you use the Web right?" but real attacks that we are vulnerable to.

                      I don't download just any program off the net and ./run_it, and I have a good network firewall to prevent the outside from getting in, so I don't see a reason to have them on and cripple my machine. But you're right, I shouldn't go to grandma's house and tack mitigations=off onto her machine.
                      The problem with these attacks is that it is in fact very hard to find some example running in the wild, because they are very hard to detect in the first place. And remember, these vulnerabilities exist up to some point on ARM and other architectures as well, so don't expect your regular huge binary dump that you have to blindly run as root.

                      Many of those attacks are hard to detect mainly because they can run with more privilege than the OS or hypervisor, which makes them very hard to see with regular tools (the attack process is basically invisible to the OS, hypervisor, AV, etc.).

                      Also, depending on your firewall hardware (especially ARM-based ones), those vectors are exposed as well, which with specially crafted packets could be used to exploit other systems too. And depending on the hardware, some of those attacks can even compromise the CPU at the microcode level or worse.

                      These flaws are nasty (you can find some research papers on the internet about how deep this could go on X hardware), and simply having a "firewall" and only opening "good websites" is not nearly enough. That is why everyone panics every time one is discovered.

                      Fun side note: the CPU of some network cards can actually be compromised with some of these flaws on unmitigated firmware. The same goes for IPMI, routers, WiFi routers, broadband routers, satellite links, etc., since even dishwashers these days have a good chance of using an affected microcontroller at the very least.
