[afnog] Security Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

Philip Paeps philip at trouble.is
Thu Jan 4 19:09:06 UTC 2018


On 2018-01-04 17:55:47 (+0100), Loganaden Velvindron wrote:
> On Thu, Jan 4, 2018 at 5:27 PM, Patrick Lufundisu 
> <patrickluf at gmail.com> wrote:
>> https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>> https://security.googleblog.com/
>> https://meltdownattack.com/
>>
>> Happy new year 2018
>
> We've been looking into doing some benchmarks such as Linux kernel
> compilation with KPTI enabled. We are getting a 5% performance hit
> [0]:

Is that a relevant benchmark though?  Unless you're a kernel developer, 
chances are that compiling kernels doesn't come up much.

What's the performance hit like on your actual workloads: DNS, HTTP, 
SMTP, etc, etc...?

> We use VoidLinux to avoid relying on systemd :)

You could run FreeBSD (or another BSD) and avoid the many other nasty 
things in Linux too! ;-)  (But I don't need to tell you that).

> [I would suggest people run their benchmarks on development physical
> machines to quantify performance hit and how much they need to budget
> to compensate for the performance hit. You can check if it's enabled
> on your Linux kernel using dmesg:
>   sudo dmesg | grep -i isolation
>   [    0.000000] Kernel/User page tables isolation: enabled]

But please run benchmarks that are relevant to your workload!  There is 
little reason to panic if compiling your kernel is 5% slower on your DNS 
server but serving DNS queries is only (hypothetically) 1.8% slower.  
Unless you don't have 1.8% headroom on your DNS server that is...

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information
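
The check and the workload comparison discussed in this message, as an added example that is not part of the original post or any poster's code. The helper names kpti_state and over_budget are hypothetical, the sysfs file is only present on kernels that expose /sys/devices/system/cpu/vulnerabilities, and the sample figures are constructed.

```shell
#!/bin/sh
# Added example. kpti_state and over_budget are hypothetical helper names.

# kpti_state DMESG_TEXT SYSFS_TEXT -> enabled | disabled | not-affected | unknown
# Prefers the sysfs Meltdown status: the boot-time dmesg line is lost once
# the kernel ring buffer wraps, so an empty grep does not mean "disabled".
kpti_state() {
    case $2 in
        "Mitigation: PTI"*) echo enabled; return ;;
        "Vulnerable"*)      echo disabled; return ;;
        "Not affected"*)    echo not-affected; return ;;
    esac
    line=$(printf '%s\n' "$1" | grep -i 'page tables isolation:' | tail -n 1)
    case $line in
        *"isolation: enabled"*)  echo enabled ;;
        *"isolation: disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# over_budget: stdin lines "workload baseline_rate kpti_rate headroom_pct";
# prints "workload slowdown_pct ok|OVER" so each service is judged against
# its own spare capacity rather than against a kernel-compile figure.
over_budget() {
    awk 'NF == 4 && $2 > 0 {
        slow = ($2 - $3) / $2 * 100
        printf "%s %.1f %s\n", $1, slow, (slow > $4 ? "OVER" : "ok")
    }'
}

# Live check on this host (both sources may be unreadable without root).
d=$(dmesg 2>/dev/null) || true
s=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null) || true
echo "KPTI: $(kpti_state "$d" "$s")"

# Constructed measurements (requests/s), not real benchmark results.
over_budget <<'EOF'
dns  50000 49100 10
http 20000 18800 5
EOF
```

Replace the constructed lines with rates measured on the same hardware with and without KPTI, and with the headroom each service actually has.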