Linux BHI Mitigation Being Tweaked Following 12% Database Performance Hit
A new set of Linux kernel patches was sent out on Friday for tweaking the Native BHI mitigation introduced earlier this month for Intel processors.
On this month's Patch Tuesday the Linux kernel was patched for the BHI vulnerability now that it has been shown to be exploitable without relying on (e)BPF. Mitigating this Spectre Branch History Injection (BHI) vulnerability requires updated CPU microcode on newer CPU generations or a software clearing sequence on older Intel processors.
The BHI mitigation patches were quickly backported to the stable kernel series. In the following days various fixes were sent out and now a larger patch series is pending to further refine the BHI mitigation in the Linux kernel.
Most notably, the new patch series works to reduce the scope of the system call hardening in order to improve CPU performance. While the BHI mitigation didn't show much change for a Core i9 14900K Raptor Lake Refresh CPU, in the server space the current BHI mitigation can be more impactful.
Red Hat's internal testing found that the BHI mitigation caused a database benchmark to slow down by 12% on a recent Intel Xeon Scalable "Sapphire Rapids" server when the database was stressed with 80+ users to cause sufficient resource contention.
In addition to the 12% database performance hit reported by Red Hat, Intel's kernel test robot found the will-it-scale scalability benchmarks to show "significant regressions" for Intel Skylake processors with IBRS.
In order to work around these performance hits, the system call hardening is being reduced to only use the system call direct branches when the indirect branches are considered to be "not okay". The patch explains:
Syscall hardening (converting the syscall indirect branch to a series of direct branches) has shown some performance regressions:
- Red Hat internal testing showed up to 12% slowdowns in database benchmark testing on Sapphire Rapids when the DB was stressed with 80+ users to cause contention.
- The kernel test robot's will-it-scale benchmarks showed significant regressions on Skylake with IBRS.
To fix those slowdowns, only use the syscall direct branches when indirect branches are considered to be "not OK": meaning Spectre v2+BHI isn't mitigated by HW and the user hasn't disabled mitigations.
That workaround is part of this new patch series. These latest BHI patches also add a "spectre_bhi=vmexit" kernel option for those who want the software mitigation applied only on VM exits from virtual machines, accepting that the system call path remains vulnerable. This spectre_bhi=vmexit option may be useful for older Intel Xeon servers that mostly host VMs/guests and want to avoid any system call performance overhead. These patches will likely go in as "fixes" to the Linux kernel once reviewed and deemed ready.
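As an added example (not code from the article, the patch series, or the kernel tree), the POSIX shell script below shows how an administrator can check which BHI state a running kernel reports and whether a spectre_bhi= option was passed at boot. The sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2, /proc/cmdline and the spectre_bhi= parameter are real; the status strings used as samples are constructed in the shape the kernel prints, and the exact wording of the "BHI: ..." fragment varies between kernel versions, so the classification in bhi_verdict is an assumption to adjust for the kernel in use.

```shell
#!/bin/sh
# Added example: report the kernel's BHI mitigation state and the
# spectre_bhi= boot option. Status strings are parsed from the text
# the kernel exposes in sysfs; the category names are our own.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# bhi_state STATUS_LINE
# Prints the text after "BHI: " in a spectre_v2 status line (up to the
# next ';'), "Not affected" when the whole line says so, else "unknown".
bhi_state() {
    case "$1" in
        "Not affected") printf 'Not affected\n' ;;
        *"BHI: "*)      printf '%s\n' "${1##*BHI: }" | sed 's/;.*//' ;;
        *)              printf 'unknown\n' ;;
    esac
}

# bhi_verdict STATUS_LINE
# Collapses the BHI fragment into one of: not-affected, mitigated,
# vmexit-only (only VM exits get the software loop, syscalls do not),
# vulnerable, unknown. The "Vulnerable, KVM: SW loop" case must be
# matched before the generic "Vulnerable"* case.
bhi_verdict() {
    case "$(bhi_state "$1")" in
        "Not affected")                                     echo not-affected ;;
        "BHI_DIS_S"|"SW loop"*|"Retpoline"*|"Syscall hardening"*) echo mitigated ;;
        "Vulnerable, KVM: SW loop")                         echo vmexit-only ;;
        "Vulnerable"*)                                      echo vulnerable ;;
        *)                                                  echo unknown ;;
    esac
}

# spectre_bhi_option CMDLINE
# Prints the value given to spectre_bhi= on the kernel command line
# (e.g. on, off, vmexit), or "default" when the option is absent.
spectre_bhi_option() {
    for tok in $1; do
        case "$tok" in
            spectre_bhi=*) printf '%s\n' "${tok#spectre_bhi=}"; return ;;
        esac
    done
    printf 'default\n'
}

# When run on a Linux host, inspect the live system; skipped elsewhere.
if [ -r "$SPECTRE_V2_FILE" ]; then
    status=$(cat "$SPECTRE_V2_FILE")
    echo "spectre_v2: $status"
    echo "BHI verdict: $(bhi_verdict "$status")"
    echo "spectre_bhi= option: $(spectre_bhi_option "$(cat /proc/cmdline)")"
fi
```

A host that shows "vmexit-only" with spectre_bhi=vmexit on its command line has deliberately traded the system call protection for performance, which is the configuration the article describes for VM-heavy older Xeon servers; that should be a documented decision rather than a surprise found during an audit.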