How to minimize performance impact from Spectre and Meltdown fix
Hi Gentlemen,
I have installed Linux (RHEL variant) with the Spectre and Meltdown fix and see a ~15% performance drop when I enable pti_enabled, ibpb_enabled and ibrs_enabled.
Then I experimented one by one and found that PTI and IBPB have no impact, but all of the 15% drop is coming from IBRS. I see this clearly when I enable/disable IBRS.
I am doing it at runtime with "# echo 1 > /sys/kernel/debug/x86/ibrs_enabled". Why is only IBRS dropping the performance but not the other 2, i.e. PTI and IBPB?
Also I saw on the web some suggestions on how to reduce the performance drop. We can reduce the performance drop when we set "spectre_v2=retpoline,ibrs_user" and set IBRS to 3, i.e. "# echo 3 > /sys/kernel/debug/x86/ibrs_enabled".
I was able to set spectre_v2=retpoline,ibrs_user and rebooted the OS, and I could see this reflected in /proc/cmdline. But RHEL is not allowing me to set IBRS to 3 with echo after rebooting. Can anyone suggest what could be the issue? I am using Kernal 3.10.0-693.17.1.el7.x86_64 with RHEL 7.4.
I want to enable the Spectre and Meltdown correction. Any suggestions to drop any one of these settings (PTI, IBPB and IBRS) to minimize the performance drop, or any other recommendations/suggestions to minimize the performance drop from 15%?
Since you're using RHEL, have you contacted Red Hat support??? Because not only do they have an application available to detect if your hardware has this flaw, but also patches for the kernel to mitigate it while limiting performance problems.
Give them a call, and they can direct you to those resources.
You can't have it both ways. To prevent pipeline exploitation you have to turn off the pipelining and suffer the performance hit.
And, personally, I'm not sure that it's really worth it.
Thanks sundialsvcs.
Yes, I do feel the same. I am trying to see what the level of impact on system behavior is, and whether it is worth enabling this at the cost of heavy performance.
Yes, I am in touch with RHEL and looking forward to some suggestions on benefits vs losses with IBRS. I am personally not very convinced to enable IBRS.
Finally I found it is possible to set IBRS to 3 with Kernal version 3.10.0-693.21.1.el7.x86_64. So far I am using Kernal version 3.10.0-693.17.1.el7.x86_64.
I will do more tests and investigation with the new Kernal and post the result for the benefit of the full Linux community.
And unless people pay for RHEL and apply the resources given, the steps aren't going to be of much benefit. Also, it is spelled "kernel".
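Added example, not part of any post in this thread: a small POSIX shell helper that snapshots the three debugfs tunables and the `spectre_v2=` boot option discussed above, and checks whether a runtime write actually took effect, which is the symptom reported on the older kernel. `SYSROOT` and the function names are hypothetical; the pairing of `ibrs_user` with `ibrs_enabled=3` is taken from the thread as an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). SYSROOT is a hypothetical prefix that
# lets the functions run against constructed files; leave it empty on a real
# RHEL 7 host, where reading these files needs root and a mounted debugfs.
SYSROOT="${SYSROOT:-}"
DBG="/sys/kernel/debug/x86"

# Print one tunable's value, or "unavailable" when the file is absent.
read_tunable() {
    if [ -r "$SYSROOT$DBG/$1" ]; then cat "$SYSROOT$DBG/$1"; else echo "unavailable"; fi
}

# Print the spectre_v2= value from the boot command line, or "unset".
cmdline_spectre_v2() {
    v=$(tr ' ' '\n' < "$SYSROOT/proc/cmdline" | sed -n 's/^spectre_v2=//p' | tail -n 1)
    echo "${v:-unset}"
}

# Write a value, then read it back. Returns 0 if it stuck, 1 if the kernel
# kept another value (the symptom in the thread), 2 if the file is missing.
set_and_verify() {
    [ -e "$SYSROOT$DBG/$1" ] || return 2
    { echo "$2" > "$SYSROOT$DBG/$1"; } 2>/dev/null || true
    [ "$(cat "$SYSROOT$DBG/$1")" = "$2" ]
}

# Assumption taken from the thread: ibrs_user on the boot line is paired with
# ibrs_enabled=3. Returns 1 when the boot line asks for it and runtime differs.
check_consistency() {
    case "$(cmdline_spectre_v2)" in
        *ibrs_user*) [ "$(read_tunable ibrs_enabled)" = "3" ] ;;
        *) return 0 ;;
    esac
}

# One-screen snapshot to record before and after each benchmark run.
report() {
    echo "kernel: $(cat "$SYSROOT/proc/sys/kernel/osrelease")"
    echo "spectre_v2 (cmdline): $(cmdline_spectre_v2)"
    for t in pti_enabled ibpb_enabled ibrs_enabled; do
        echo "$t: $(read_tunable "$t")"
    done
    check_consistency || echo "WARNING: ibrs_user requested at boot, ibrs_enabled is not 3"
}

if [ "${1:-}" = "report" ]; then report; fi
```

Run it as root with the argument `report` to print the snapshot; recording that output next to each benchmark result shows which mitigation state produced which number.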