Linux 5.2 To Enable GCC 9's Live-Patching Option, Affecting Performance In Select Cases
The GCC 9 compiler is due to be released in the next few weeks and among the many new and improved features is an option designed to help generate binaries that are friendly for live-patching purposes. With the Linux 5.2 kernel, this option will be used by default when building a kernel with live-patching support and that has the potential for some slight slowdowns.
GCC 9 introduces the -flive-patching option that controls what optimizations are used in trying to ensure they don't mess up (or yield unsafe behavior) if the binary is to potentially see live-patching for the applying of security updates against the running kernel without the need for a reboot. This is relevant for the likes of kGraft, Ksplice, and Kpatch in helping to ensure the GCC compiler doesn't fudge their live-patching work.
With GCC 9.1.0 being released in late April or early May, the Linux 5.2 kernel will be enabling -flive-patching by default when it's built by a supported compiler and when CONFIG_LIVEPATCH is enabled - it's on by default for most Linux distribution kernels.
Miroslav Benes of SUSE who added the change, which is currently in the livepatching-next tree ahead of the Linux 5.2 merge window, does note that in select cases there can be performance hits as a result of this live-patching option controlling the compiler's optimization heuristics.
Miroslav noted, "Performance impact of the option was measured on three different Intel machines - two bigger NUMA boxes and one smaller UMA box. Kernel intensive (IO, scheduling, networking) benchmarks were selected, plus a set of HPC workloads from NAS Parallel Benchmark. The tests were done on upstream kernel 5.0-rc8 with openSUSE Leap 15.0 userspace. ..The majority of the tests is unaffected. The only significant exception is the scheduler section which suffers 1-3% degradation."
GCC 9 introduces the -flive-patching option that controls what optimizations are used in trying to ensure they don't mess up (or yield unsafe behavior) if the binary is to potentially see live-patching for the applying of security updates against the running kernel without the need for a reboot. This is relevant for the likes of kGraft, Ksplice, and Kpatch in helping to ensure the GCC compiler doesn't fudge their live-patching work.
With GCC 9.1.0 being released in late April or early May, the Linux 5.2 kernel will be enabling -flive-patching by default when it's built by a supported compiler and when CONFIG_LIVEPATCH is enabled - it's on by default for most Linux distribution kernels.
Miroslav Benes of SUSE who added the change, which is currently in the livepatching-next tree ahead of the Linux 5.2 merge window, does note that in select cases there can be performance hits as a result of this live-patching option controlling the compiler's optimization heuristics.
Miroslav noted, "Performance impact of the option was measured on three different Intel machines - two bigger NUMA boxes and one smaller UMA box. Kernel intensive (IO, scheduling, networking) benchmarks were selected, plus a set of HPC workloads from NAS Parallel Benchmark. The tests were done on upstream kernel 5.0-rc8 with openSUSE Leap 15.0 userspace. ..The majority of the tests is unaffected. The only significant exception is the scheduler section which suffers 1-3% degradation."
24 Comments