The Ongoing CPU Security Mitigation Impact On The Core i9 10900K Comet Lake

Written by Michael Larabel in Computers on 30 May 2020.

At least for the workloads tested this round, booting the new Intel Core i9 10900K "Comet Lake" processor with the software-controlled CPU security mitigations disabled raised overall performance by about 6%, depending upon the workload. Here is a look at the out-of-the-box security mitigations for this new Intel desktop CPU compared against forgoing the default mitigations and running an unprotected configuration, to see what the pre-Spectre performance looks like.

While the recently launched Intel Core i9 10900K is a sizable upgrade over the Core i9 9900K, the CPU security mitigations still carry a performance penalty even with much of the protection being baked into the hardware. This round of benchmarking has the 10-core / 20-thread CPU, which turbo boosts up to 5.3GHz, running in its default/out-of-the-box configuration and then again when booting the same Linux kernel build with "mitigations=off" to disable the software-toggleable mitigations. This looks solely at the default mitigations and not any maximum mitigations, like disabling SMT/HT.

The default state of the security mitigations for the Core i9 10900K is:

itlb_multihit: KVM - Mitigation of Split huge pages
l1tf: Not affected
mds: Not affected
meltdown: Not affected
spec_store_bypass: Mitigation of SSB disabled via prctl and seccomp
spectre_v1: Mitigation of usercopy/swapgs barriers and __user pointer sanitization
spectre_v2: Mitigation of Enhanced IBRS IBPB: conditional RSB filling
tsx_async_abort: Not affected

Booting the system with the "mitigations=off" kernel option, for the purposes of this comparison, basically disables the Spectre mitigations, allowing better performance but at the risk of leaving the system vulnerable to exploitation.

This testing was with the Core i9 10900K running Ubuntu 20.04 LTS with the latest Linux 5.7 Git kernel for the latest mitigation coverage. The only change made during testing was running the system out-of-the-box and then again with the "mitigations=off" configuration.
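To confirm which of the two configurations a given system is actually running, the kernel exposes the per-vulnerability status under /sys/devices/system/cpu/vulnerabilities and the boot options in /proc/cmdline. The script below is an added example, not part of the original article; the function names are illustrative, and it assumes the kernel's status strings begin with "Not affected", "Mitigation" or "Vulnerable" (optionally prefixed by "KVM: ").

```shell
#!/bin/sh
# Added example (not from the article): audit the kernel-reported mitigation
# state. Assumes the standard Linux paths /sys/devices/system/cpu/vulnerabilities
# and /proc/cmdline; function names are illustrative.

# classify STATUS: map one sysfs status string to a coarse state.
# "Mitigation" is tested before "vulnerable" because a mitigated entry can
# still carry a note such as "...; SMT vulnerable".
classify() {
    s=${1#KVM: }    # itlb_multihit may prefix its status with "KVM: "
    case "$s" in
        "Not affected"*) echo not_affected ;;
        Mitigation*)     echo mitigated ;;
        *[Vv]ulnerable*) echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# mitigations_off [FILE]: succeed if the boot command line has mitigations=off.
mitigations_off() {
    case " $(cat "${1:-/proc/cmdline}") " in
        *" mitigations=off "*) return 0 ;;
    esac
    return 1
}

# audit [DIR] [CMDLINE]: print one line per entry; return 1 if any entry is
# reported vulnerable or the system was booted with mitigations=off.
audit() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        state=$(classify "$status")
        printf '%-20s %-13s %s\n' "${f##*/}" "$state" "$status"
        if [ "$state" = vulnerable ]; then rc=1; fi
    done
    if mitigations_off "${2:-/proc/cmdline}"; then
        echo "boot cmdline: mitigations=off"
        rc=1
    fi
    return "$rc"
}

# Check the live system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit; fi
```

The non-zero exit status makes the check usable in a fleet compliance job, where a benchmark host left booted with "mitigations=off" should be flagged before it returns to normal use.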
