Benchmarking The Updated Intel CPU Microcode For SRBDS / CrossTalk Mitigation
Following yesterday's disclosure of CrossTalk / SRBDS after a nearly two year embargo period for this Special Register Buffer Data Sampling vulnerability, I have been running benchmarks on multiple systems for the past nearly 24 hours. Here are some preliminary data points for both synthetic and real-world workloads on various Intel CPUs before/after mitigating SRBDS with the updated Intel microcode.
With the embargo lift yesterday, Intel published new CPU microcode for affected CPUs from Haswell through Coffeelake/Whiskeylake and Skylake X. Intel has some data that Ivy Bridge is affected too, but there has not been any new Ivybridge microcode mitigations we have seen yet.
Intel Linux developers also published kernel patches in the process of appearing in the various stable kernel branches. These kernel patches simply report the presence of SRBDS mitigation via sysfs as well as offering a "srbds=off" kernel option for those wanting to disable this mitigation even when updating to the latest Intel CPU microcode. Similarly, the existing "mitigations=off" global flag will also now disable SRBDS on affected CPUs.
As outlined in yesterdays' article, the updated CPU microcode is designed to protect the RDRAND / RDSEED / EGETKEY instructions. Mitigating CrossTalk involves locking the entire memory bus before updating the staging buffer and unlocking it after the contents have been cleared. This locking and serialization now involved for those instructions but fortunately most workloads aren't heavy on those instructions overall. The security researchers who discovered this CrossTalk vulnerability did warn that other instructions like RDMSR that issue off-core requests could still be leaked, but at this time Intel isn't protecting those instructions due to the performance penalty. We'll see if in the future Intel determines other instructions need to face similar mitigations for Special Register Buffer Data Sampling.
One of the systems I have been testing with has been a Xeon E3-1275 v6 Kabylake...
And a Xeon E3-1245 v5 Skylake.
Intel has warned server workloads to be more likely impacted than desktops, but I also tested SRBDS mitigations with some desktop workloads too using a Core i5 8400 Coffeelake desktop.
With all the systems, the testing was done with the previous and new microcode images.