VMware Is Exploring Reducing Meltdown/PTI Overhead With Deferred Flushes
VMware engineer Nadav Amit, who previously pursued "Optpolines" and other possible performance optimizations in light of the Spectre / Meltdown vulnerabilities, is now proposing patches that defer PTI flushes to help address the performance overhead caused by the Meltdown mitigation.
Kernel page table isolation (PTI), the mitigation for Meltdown, caused a sizable performance hit in affected workloads, and Nadav is now hoping that improving the behavior around flushes could help offset some of that slowdown. He explained in a new kernel patch series:
INVPCID is considerably slower than INVLPG of a single PTE, but it is currently used to flush PTEs in the user page-table when PTI is used.
Instead, it is possible to defer TLB flushes until after the user page-tables are loaded. Preventing speculation over the TLB flushes should keep the whole thing safe. In some cases, deferring TLB flushes in such a way can result in more full TLB flushes, but arguably this behavior is oftentimes beneficial.
These patches are based and evaluated on top of the concurrent TLB-flushes v4 patch-set.
His patches did help with the flush performance, but he doesn't yet appear confident about any possible effects on security or performance. No other kernel developers have commented on this ~200 line change, so we'll need to wait and see where this possible PTI/Meltdown optimization leads.
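The deferral idea from the quoted cover letter, modelled in user-space C as an added example (this is not code from the patch series): the kernel records the range to flush instead of issuing INVPCID, then flushes once the user page-tables are loaded. The struct and function names, the single merged range and the 8-page cutoff are assumptions made for illustration; the second call in `main` shows how merging two small, distant ranges turns into a full flush.

```c
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define FULL_FLUSH_CEILING 8UL    /* assumed cutoff in pages, not from the patches */

struct deferred_flush {           /* hypothetical per-CPU state */
    bool pending, full;
    unsigned long start, end;     /* merged range [start, end) */
};
struct flush_stats { unsigned invlpg, full; };

/* Kernel side: record the user-mapping range instead of issuing INVPCID now. */
static void defer_user_flush(struct deferred_flush *d,
                             unsigned long start, unsigned long end)
{
    if (!d->pending) {
        d->pending = true; d->full = false;
        d->start = start; d->end = end;
    } else {                      /* only one range is kept, so merge into it */
        if (start < d->start) d->start = start;
        if (end > d->end) d->end = end;
    }
    if ((d->end - d->start) / PAGE_SIZE > FULL_FLUSH_CEILING)
        d->full = true;           /* too wide for per-page flushes */
}

/* Return-to-user path, called after the user page-tables are loaded. */
static void flush_after_user_cr3(struct deferred_flush *d, struct flush_stats *s)
{
    if (!d->pending) return;
    /* Real code must also keep the CPU from speculating past this flush. */
    if (d->full)
        s->full++;                /* stands in for a full TLB flush */
    else
        for (unsigned long a = d->start; a < d->end; a += PAGE_SIZE)
            s->invlpg++;          /* stands in for one INVLPG */
    d->pending = false;
}

int main(void)
{
    struct deferred_flush d = {0};
    struct flush_stats s = {0};
    defer_user_flush(&d, 0x1000, 0x2000);       /* constructed addresses */
    defer_user_flush(&d, 0x400000, 0x401000);
    flush_after_user_cr3(&d, &s);
    printf("invlpg=%u full=%u\n", s.invlpg, s.full);
    return 0;
}
```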