In Light Of Spectre BHI, The Performance Impact For Retpolines On Modern Intel CPUs
First up was an Intel Core i9 12900K "Alder Lake" desktop processor in seeing the performance impact if enabling the eIBRS + Retpoline option to better protect against Spectre BHI.
Indeed in workloads exposed to return trampolines overhead, there can be quite a noticeable performance hit. This includes various network and I/O benchmarks and does translate to performance penalties in such databases (e.g. KeyDB, RocksDB, SQLite, LevelDB) in particular. The WireGuard VPN software for Linux also saw a noticeable hit when the Alder Lake desktop was running with spectre_v2=eibrs,retpoline.
It ultimately comes down though to the software under test for the performance penalty from Retpolines on modern CPUs. Web browser benchmarks on Alder Lake were not impacted nor some of the other tested workloads besides the ones noted in the side-by-side comparison above for where there was a measurable difference.
Likewise, firing up some quick benchmarks on an Intel Core i9 1185G7 "Tiger Lake" laptop showed the same workloads seeing a measurable impact when booted with spectre_v2=eibrs,retpoline with WireGuard and the database tests being among the notable workloads tested that were affected when make use of Retpolines on newer processors. Gaming, web browser usage, and other conventional desktop tasks not heavy on I/O or networking didn't see any measurable hit with the "eibrs,retpoline" option. Intel Xeon processors are also vulnerable to Spectre BHI though in this initial article just the Core processors are under focus and will have more benchmarks soon. Benchmarks looking at AMD Linux performance with the AMD Retpolines versus now recommended generic retpolines are also being conducted by your's truly and should be out tomorrow.
To reiterate, it's certainly recommended to disable unprivileged eBPF support on your system(s) as that's the known conduit so far for exploiting Spectre BHI as shown in VUSec's proof of concept attack. Checking your system's unprivileged eBPF status can be done via sysctl kernel.unprivileged_bpf_disabled. Merged on Tuesday into Linux 5.17 Git and now being back-ported to the various stable kernel series are the Spectre BHI kernel patches, which includes allowing "spectre_v2=eibrs,retpoline" for enabling Retpoline on newer CPUs even with eIBRS active for the Spectre V2 hardware mitigations. VUSec researchers are recommending Retpolines even for newer CPUs with eIBRS but such a default change has yet to occur for the Linux kernel.
If you enjoyed this article consider joining Phoronix Premium to view this site ad-free, multi-page articles on a single page, and other benefits. PayPal or Stripe tips are also graciously accepted. Thanks for your support.