A Look At The Big Impact To AES-XTS Encryption Performance From Spectre Retpolines

With it recently being noticed that the Linux AES-NI XTS performance regressed big time from the return trampolines "Retpolines" enacted nearly three years ago as a defense against Spectre, here are some benchmarks looking at the performance cost involved to this day using Retpolines and the impact on the XTS encryption/decryption performance measured by cryptsetup that is used for setting up encrypted disks under Linux.

While patches are on the way for improving the AES-NI kernel code so the Retpoline performance hit is addressed, here is a look at the current performance penalty involved given that we hadn't looked at it previously nor seemingly had kernel developers up until recently.

For the quick tests today I used several different Ubuntu systems and looked at the performance reported by cryptsetup when running out-of-the-box/default (all relevant mitigations in place for each system) and then when booting the kernel build with mitigations=off for run-time disabling of Retpolines (and the other CPU security mitigations).

First up was a look a the Core i7 8565U within a Dell XPS laptop:










The AES-XTS performance in particular has been heavily hit from the default Retpolines behavior... Fortunately, AES-NI kernel driver improvements should workaround that behavior moving forward. Or for those on newer Intel CPUs where Retpolines aren't needed by default the performance is better as shown here with Tiger Lake:


For those with new Intel Tiger Lake systems as measured by a Core i7 1165G7, there isn't a measurable performance hit. It's the older Intel CPUs needing the full Retpoline implementation for Spectre V2 while Tiger Lake, Comet Lake, and other newer generations do not employ Retpolines but make use of IBRS IBPB conditional RSB filling. Or here is another look at a Core i7 8550U relying on Retpolines and its impact:




It's just not Intel though relying on Retpolines with older CPUs, but AMD still makes use of Retpolines. Here is the look at the performance with mitigations on/off using a Ryzen 5 4500U:




Or even with the new AMD Ryzen 9 5950X it is still relying on a full Retpolines implementation as part of its Spectre V2 safeguards:




Thus it's a bit surprising the AES-NI XTS performance regression under Retpolines took so long to be spotted... Fortunately, there are patches pending to improve the situation that will hopefully be landing in the near future for helping those making use of full-disk encryption and other AES-NI XTS users.