Linux KPTI Tests Using Linux 4.14 vs. 4.9 vs. 4.4

Written by Michael Larabel in Software on 4 January 2018. Page 1 of 3. 30 Comments

Yet another one of the avenues we have been exploring with our Linux Page Table Isolation (KPTI) testing has been looking at any impact of this security feature in the wake of the Meltdown vulnerability when testing with an older Linux Long Term Support (LTS) release. In particular, when using a kernel prior to the PCID (Process Context Identifier) support in the Linux kernel that is used to lessen the impact of KPTI.

While Intel CPUs going back to Westmere have supported PCID, only recently with Linux 4.14 did everything regarding PCID appear to settle down and is now nice and optimized. But given all the Linux distributions still relying upon older kernel series prior to these PCID additions, it's interesting to see if KPTI causes a more severe performance impact than the modern kernel releases.

For the testing today I compared the performance of using the latest Linux 4.4, 4.9 and 4.14 kernel branches to see if there is any difference when KPTI is on/off with each kernel release. The kernel code was obtained as of this morning using the linux-stable-rc.git with linux-4.14.y providing Linux 4.14.12-rc1 and linux-4.9.y having Linux 4.9.7-rc1 and linux-4.4.y having Linux 4.4.110-rc1.

These kernel builds have all of the latest KPTI/Kaiser patches, including now for easily reporting from dmesg when the functionality is enabled/disabled. And of course for marking Intel CPUs as "cpu_insecure" via /proc/cpuinfo. As well, the presence of PCID support by your processor also continues to be exposed via the "pcid" flag in /proc/cpuinfo.

These Linux 4.4 vs. 4.9 vs. Linux 4.14 kernel tests of KPTI on/off were done using an Intel Core i7 4790K "Haswell" system that is well supported by Linux for some time and thus no compatibility issues going back to 4.9 or further.

Related Articles