Oracle Proposing Change To Linux's KPTI Meltdown Mitigation
A proposal and a set of patches have been sent out for the Linux kernel's Page Table Isolation (PTI/KPTI) implementation that defer the switch from the user page table to the kernel page table until later in the kernel entry sequence. Possible performance benefits and code simplifications would stem from this change.
The proposal by Oracle kernel engineer Alexandre Chartre is to defer the page-table-isolation switch of the CR3 control register until the kernel's C code is reached, rather than performing the switch early in the Assembly entry code.
By waiting until the C code rather than switching in the early entry code, the Assembly code could be simplified and made easier to understand. The change would also make it easier to integrate features like address space isolation, or possibly to allow some syscalls / interrupt handlers to skip KPTI and thereby avoid the notorious page-table switching overhead. In the initial patches, however, no syscalls or handlers are white-listed to skip the KPTI page-table switch. Any such whitelist would need careful review, since a handler that stays on the user page table can only touch kernel data that is deliberately mapped there, which is exactly the mapping KPTI exists to minimize.
The 24 patches moving the CR3 switch for KPTI from Assembly to C were sent out on Monday as a "request for comments" series, pending feedback from other upstream kernel developers on the proposal.
If running on a Meltdown-affected processor that needs Kernel Page Table Isolation, the other way to recover some of the lost performance is to disable the mitigation outright with the nopti (equivalently pti=off) kernel option, or even mitigations=off, which disables all optional CPU vulnerability mitigations rather than just KPTI. Either setting re-exposes kernel memory to Meltdown, so it is only defensible on hosts that never run untrusted code; the kernel reports the current state in /sys/devices/system/cpu/vulnerabilities/meltdown.
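As an added example (not code from the article or from the kernel patches), the following POSIX shell script checks whether KPTI is actually in force on a host and whether a command-line option has switched it off. It assumes the Linux sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown (which reports "Mitigation: PTI", "Vulnerable" or "Not affected") and /proc/cmdline; the sample strings at the bottom are constructed so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example: audit the KPTI / Meltdown mitigation state of a Linux host.
# Assumes the sysfs vulnerability file and /proc/cmdline exist on the target;
# the SAMPLE_* strings below are constructed, not captured from a real machine.

# Classify the contents of /sys/devices/system/cpu/vulnerabilities/meltdown.
# Prints one of: pti-active | not-affected | vulnerable | unknown
meltdown_state() {
    case "$1" in
        "Mitigation: PTI"*) echo pti-active ;;
        "Not affected"*)    echo not-affected ;;
        Vulnerable*)        echo vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# Return 0 if the kernel command line carries an option that turns KPTI off
# (nopti, its alias pti=off, or the blanket mitigations=off), 1 otherwise.
# $1 is deliberately unquoted in the loop so it is split into tokens.
pti_disabled_on_cmdline() {
    for tok in $1; do
        case "$tok" in
            nopti|pti=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# Combine sysfs state ($1) and command line ($2) into a one-line verdict.
kpti_verdict() {
    state=$(meltdown_state "$1")
    if pti_disabled_on_cmdline "$2"; then
        if [ "$state" = "not-affected" ]; then
            echo "ok: cpu not affected; cmdline disables pti (no effect)"
        else
            echo "WARN: pti disabled via cmdline; state=$state"
        fi
    else
        case "$state" in
            pti-active)   echo "ok: kpti active" ;;
            not-affected) echo "ok: cpu not affected" ;;
            vulnerable)   echo "WARN: kernel reports Vulnerable with no cmdline override" ;;
            *)            echo "unknown: $1" ;;
        esac
    fi
}

# Live check; skips cleanly when the sysfs entry is absent (non-Linux, old kernel).
kpti_check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    [ -r "$f" ] || { echo "skip: $f not readable"; return 0; }
    kpti_verdict "$(cat "$f")" "$(cat /proc/cmdline)"
}

# Constructed sample inputs (assumptions, not real hosts).
SAMPLE_ACTIVE="Mitigation: PTI"
SAMPLE_VULN="Vulnerable"
SAMPLE_NA="Not affected"
SAMPLE_CMD_DEFAULT="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_CMD_NOPTI="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nopti"
SAMPLE_CMD_MITOFF="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro mitigations=off"

# Stand-alone run: show the verdict for each sample, then for this host.
kpti_verdict "$SAMPLE_ACTIVE" "$SAMPLE_CMD_DEFAULT"
kpti_verdict "$SAMPLE_VULN"   "$SAMPLE_CMD_NOPTI"
kpti_verdict "$SAMPLE_NA"     "$SAMPLE_CMD_MITOFF"
kpti_verdict "$SAMPLE_VULN"   "$SAMPLE_CMD_DEFAULT"
kpti_check_host
```

The sysfs value is the authoritative one: a CPU that is not affected reports "Not affected" regardless of nopti, while a vulnerable CPU booted with nopti or mitigations=off reports plain "Vulnerable", which is the case the script flags as a warning. Because mitigations=off also disables the Spectre-family mitigations, the check treats it exactly like nopti for KPTI purposes.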