VM Performance Showing Mixed Impact With Linux 4.15 KPTI Patches

Written by Michael Larabel in Software on 3 January 2018 at 08:04 PM EST.

Continuing on with our Linux Kernel Page Table Isolation (KPTI) performance testing are some benchmark results when running tests within a virtual machine on Xeon class hardware.

The initial benchmarks of these security patches, published yesterday, focused on Intel desktop hardware after all the media attention around this "Intel CPU bug", now known as Meltdown and Spectre following today's disclosure by Google's Project Zero.

In those initial benchmarks, most of the overhead from these page table isolation patches, which improve Linux kernel security, was found to slow down select I/O workloads. Our continued testing through today has found desktop-type hardware to be impacted mostly on that front, with no severe slowdowns in other common desktop workloads. This afternoon I provided a summary that further analyzes the performance on more systems.

Since then I've moved on to VM testing to see how performance may be impacted in virtual machine / cloud computing scenarios. The results in this article use KVM virtualization. The Spectre Attack site mentions that Xen PV virtualization is vulnerable without separate patches, but doesn't note KVM. This testing began before that site became public, but regardless, KVM Linux users are likely to find KPTI in their kernels soon, considering it is going to end up enabled by default on x86_64 kernel builds.

For now I tested from an Ubuntu virtual machine on two distinctly different systems. The first is more of a workstation-type system with an Intel Xeon E3-1280 v5 Skylake CPU.

On this system a lone VM was running and was allowed to access all of the CPU cores/threads, 12GB of the system's 16GB of RAM, and a virtual disk.

The other is a high-end Tyan 1U server built around Intel's Xeon Scalable line-up with two Xeon Gold 6138 CPUs and 96GB of RAM.

This KVM VM, running alone on the system, was configured with 16 virtual cores of the system's 40 physical cores and 32GB of the system's 96GB of RAM. That is a more realistic scenario than one VM accessing the entirety of the system's resources, as is effectively done with the prior system. The bulk of our Xeon/server-focused testing so far has been done from this platform.

Each VM was tested with Ubuntu 17.10. Tests were done from Linux 4.15 Git, first with both the host and guest running a KPTI-enabled kernel and then without KPTI.
