CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,629
    Messages:
    19,980
    Likes Received:
    24,806
    Trophy Points:
    931
    The Performance Impact Of MDS / Zombieload Plus The Overall Cost Now Of Spectre/Meltdown/L1TF/MDS
    by Michael Larabel in Software on 18 May 2019. 28 Comments
    https://www.phoronix.com/scan.php?page=article&item=mds-zombieload-mit&num=1

    "The past few days I've begun exploring the performance implications of the new Microarchitectural Data Sampling "MDS" vulnerabilities now known more commonly as Zombieload. As I shared in some initial results, there is a real performance hit to these mitigations. In this article are more MDS / Zombieload mitigation benchmarks on multiple systems as well as comparing the overall performance impact of the Meltdown / Spectre / Foreshadow / Zombieload mitigations on various Intel CPUs and also AMD CPUs where relevant.

    While disabling Hyper Threading now is recommended by multiple parties if running untrusted code on the system, even if keeping HT/SMT active, the MDS mitigations do provide a very noticeable performance hit in many real and synthetic workloads with the updated Linux kernel patches paired with the newest Intel CPU microcode. Like the other mitigations to this point, the workloads affected most are those with lots of context switches / high interactivity between kernel and user-space.

    Before getting to the benchmarks looking at the overall impact of the mitigations to date, first is looking at the MDS on/off costs on various systems while keeping Hyper Threading active. These tests were done on Ubuntu 19.04 using its newest stable release updates bringing a patched Linux 5.0 kernel and the new Intel CPU microcode images.

    I tested the MDS on/off tests with a few distinctly different systems for seeing the mitigation cost for Zombieload. Following this batch of tests is a larger set of tests looking at no mitigations for the CPU vulnerabilities, the default mitigations, and then the default mitigations with Hyper Threading disabled. All of these benchmarks were carried out using the Phoronix Test Suite."
    hcevhrhun0z21.png
    There are lots of graphs and supporting information (10 pages), please check out the results of his extensive testing at the URL above...

    "If looking at the geometric mean for the tests run today, the Intel systems all saw about 16% lower performance out-of-the-box now with these default mitigations and obviously even lower if disabling Hyper Threading for maximum security. The two AMD systems tested saw a 3% performance hit with the default mitigations. While there are minor differences between the systems to consider, the mitigation impact is enough to draw the Core i7 8700K much closer to the Ryzen 7 2700X and the Core i9 7980XE to the Threadripper 2990WX.

    More Linux mitigation benchmarks are coming up on Phoronix in the days ahead."

    28 Comments

    Gaming Performance Only Faintly Touched By MDS / Zombie Load Mitigations

    by Michael Larabel in Linux Gaming on 17 May 2019 at 01:31 PM EDT. 14 Comments
    https://www.phoronix.com/scan.php?page=news_item&px=Zombie-Load-Gaming-Impact

    "Yesterday I published some initial MDS/Zombieload mitigation impact benchmarks while coming out still later today is much more data looking at the CPU/system performance impact... But is the gaming performance impaired by this latest set of CPU side-channel vulnerabilities?

    With the Spectre/Meltdown mitigations, the gaming performance fortunately wasn't impaired by those mitigations. In fact, it was pretty much dead flat.

    With my testing thus far of the MDS/Zombieload mitigations on Linux, there does appear to be a slight difference in the rather CPU-bound scenarios compared to Spectre/Meltdown, but still it should be negligible for gamers. Well, that is at least with the higher-end hardware tested thus far, over the weekend I'll be running some gaming tests on some low-end processors/GPUs.

    From the tests ran so far with the high-end parts, having the MDS mitigations active only would cause a frame or few hit in the rather CPU-bound scenarios. In those cases already, the games tend to run well over one hundred frames per second so would likely not be noticeable at all to gamers.

    ...check out the website for results...

    So maybe a ~1% hit for some Linux games (if that in some configurations) as a result of the new default MDS mitigations and stopping short of disabling Hyper Threading, but even there most Linux games at least don't use more than a few cores/threads. But as said, will have some low-end Linux gaming hardware tests out in the days ahead.

    More of the CPU/system benchmarks that are much more interesting in the context of these mitigations will be out shortly where it seems to be commonly 4~5% but more significant in the context switching heavy workloads."

    14 Comments

    xfcemint
    Junior Member Join Date: May 2019 Posts: 38
    #3 05-17-2019, 03:14 PM
    "I think the article should have made it more clear that this is with HT on.

    To really mitigate ZombieLoad, you need HT off.

    Although I speculate that for games, in most cases there will be little difference. But, for the sake of clarity and to provide non-confusing data, you always have to do a run with HT off, and to clearly note it in the article.

    Well, in fact, it is also going to depend on number of CPU cores. If a game needs more than 2 cores, and the CPU cannot provide them, there might be some performance hits."
     
    Last edited: May 19, 2019
    Vasudev and Kyle like this.
  2. Prema

    Prema Your Freedom, Your Choice

    Reputations:
    8,369
    Messages:
    6,129
    Likes Received:
    15,668
    Trophy Points:
    681
    Don't worry guys: I am still "fighting the good fight" as it is everyones duty.
    I have just stopped giving it more attention than it deserves.

    Sometimes catching a wave at the beach is simply so much more fulfilling...
     
    custom90gt, Vasudev, Papusan and 3 others like this.
  3. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,629
    Messages:
    19,980
    Likes Received:
    24,806
    Trophy Points:
    931
    [Intel]
    Engineering New Protections Into Hardware

    https://www.intel.com/content/www/u...ngineering-new-protections-into-hardware.html

    Overview
    "In 2018, the class of speculative execution side channel vulnerabilities, commonly referred to as Spectre and Meltdown, presented a unique challenge to Intel and the entire industry.

    Intel provided microcode updates (MCU) supporting nearly 10 years of Intel® products, which were coupled with updates from our partners to help protect against these vulnerabilities.

    We have also taken steps to integrate these protections into our hardware.

    Side Channel Mitigation by Product CPU Model
    The table below provides details on how the protections are integrated into Intel® products:

    [The table is very short, but the data columns are too wide to see, snapshot, and replicate here, please follow the link above to view the list and see what your CPU / Stepping has.]
    Intel CPUs with stepping updates to incluide microcode patches for various vulnerabiltieis.JPG

    Frequently Asked Questions
    Q1. Are there any differences in the level of protection provided by software mitigated and hardware mitigated versions of these SKUs?


    A: No. We expect that the level of protection equivalent whether you have microcode update (MCU) based or hardware-based mitigations in place. The hardware-based mitigations are part of our ongoing commitment to advance security at the silicon level.

    Q2. Are there any differences in performance between software mitigated and hardware mitigated versions of these SKUs?

    A: For application based workloads, representative of typical usage, such as SYSmark* 2014 SE, PCMark10, WebXPRT 2015, and 3DMark Skydiver Physics the data confirms that the performance between steppings is the same within the normal run to run variation. For some synthetic I/O workloads, we have observed a performance difference between steppings. These synthetic I/O workloads are not representative of mainstream usage.

    Q3: How do I determine what I have and how side channel vulnerabilities are mitigated?

    A: From the Microsoft Windows Command prompt run “wmic cpu get caption”. Use the result to cross reference the table below.

    Q4. What does the “CPU Caption” tell me and how does it map to product SKU?

    A: The product caption gives information of what product model and silicon stepping you have. You can see for example on Model 142, as we moved from Stepping 11 to Stepping 12 we integrated hardware mitigations for Variant 2 and L1TF. To determine which products models and stepping maps to what SKU, see the table below.

    Another table to view on the site...
    Intel table 2.JPG AFAIK these new in hardware mitigations only include microcode patch updates burned onto the chip - a stepping change, no other architectural changes have been implemented.

    OS patches appropriate for the mitigations are still required, there is no advantage to having the [inactivated] microcode updated on the CPU without the matching OS patch(es).

    Intel has not done much in the way of hardware mitigations yet considering it's been going on 2 years since the vulnerabilities were first given to Intel. It's possible that if Intel began dusting off new architecture designs mothballed from before the 4 core ad infinitum dark age, Intel might be able to deliver new CPU architectural designs in the next 12-18 months. Practically speaking, one full generation of release cycle away.

    A Look At The MDS Cost On Xeon, EPYC & Xeon Total Impact Of Affected CPU Vulnerabilities
    Written by Michael Larabel in Software on 20 May 2019.
    https://www.phoronix.com/scan.php?page=article&item=intel-mds-xeon&num=1

    "This weekend I posted a number of benchmarks looking at the performance impact of the new MDS/Zombieload vulnerabilities that also included a look at the overall cost of Spectre / Meltdown / L1TF / MDS on Intel desktop CPUs and AMD CPUs (Spectre).

    In this article are similar benchmarks but turning the attention now to Intel Xeon hardware and also comparing those total mitigation costs against AMD EPYC with its Spectre mitigations.

    This article offers a look at the MDS/Zombieload mitigations on a 1st Gen Skylake Xeon Scalable server as well as a Kabylake Xeon E3 server for reference. Following that is a look at the total CPU vulnerability mitigation costs for 1st Gen Xeon Scalable, 2nd Gen Xeon Scalable (Cascade Lake), and an AMD EPYC 2P server as well for its Spectre mitigations.

    As expected given Intel's guidance last week of their latest Xeon processors being mitigated for MDS, indeed, the dual Xeon Platinum 8280 Cascade Lake server reported it was not affected by the MDS mitigations and thus not enabled. So for the MDS tests up first it's just some reference results using a dual Xeon Gold 6138 Skylake server running Ubuntu 19.04 with the Linux 5.0 patched kernel and reference results side-by-side for a separate Xeon E3-1275 v6 server.

    All of these mitigation benchmarks were driven in a fully-automated and reproducible manner using the Phoronix Test Suite.

    [...lots of benchmark results, please see site at URL above...]

    If looking at the geometric mean of all the benchmarks carried out, the EPYC 7601 averages out to about a 1% hit with its Spectre mitigations.

    The dual Xeon Platinum 8280 Cascadelake setup with its mostly hardware-based mitigations was slower by 4% with the relevant mitigations enabled.

    (l1tf: Not affected + mds: Not affected + meltdown: Not affected + spec_store_bypass: Mitigation of SSB disabled via prctl and seccomp + spectre_v1: Mitigation of __user pointer sanitization + spectre_v2: Mitigation of Enhanced IBRS IBPB: conditional RSB filling).

    Meanwhile the dual Xeon Gold 6138 server that unfortunately doesn't have the hardware mitigations saw a 11% hit from the benchmarks run with these Spectre / Meltdown / L1TF / MDS mitigations or 15% if disabling Hyper Threading as an additional measure based on the benchmarks carried out today."

    Looking forward to a wider range of testing, as this doesn't seem representative of DC work in general. Reports of 20%-40% performance hits from what workloads? I guess we'll have to be patient to find out.

    Checkout J's video about disabling HT, J used the 8700k for testing but comes to the conclusion that HT isn't that important for gaming, and suggests saving $ and getting the 9xxxKF => CPU's without HT, when building new PC's.

    Now it makes sense why Intel came out with a whole line of HT-less CPU's, they are more secure without HT in current architecture. Might as well save the silicon real estate, power, thermals, (and $?) and get HT-less to start.

    Is Hyper-Threading Even Necessary? ZombieLoad Impact Testing (8700k)
    JayzTwoCents
    Published on May 20, 2019
    http://forum.notebookreview.com/thr...ke-z370-and-z390.809268/page-42#post-10913286
     
    Vasudev, Kyle and ajc9988 like this.
  4. Vasudev

    Vasudev Notebook Nobel Laureate

    Reputations:
    7,360
    Messages:
    10,397
    Likes Received:
    7,665
    Trophy Points:
    931
    Did you notice degraded performance in your organization after patching?
     
    tilleroftheearth likes this.
  5. Zymphad

    Zymphad Zymphad

    Reputations:
    2,321
    Messages:
    4,165
    Likes Received:
    355
    Trophy Points:
    151
    What is interesting about all this...

    I haven't read of anyone actually being affected by these vulnerabilities and the way to exploit them are so convoluted. Anyone know of anyone that has actually been affected, consumer or enterprise?

    Also HT is not needed for most tasks and actually makes zero difference in performance. Only apps that support high thread are affected, and even then it's about 10% only.

    Again, I have yet to read anyone affected by this other than Apple making a big deal out of it. Hilarious considering Apple has far more to worry about than this vulnerability, like their devices appear to be designed by interns or intentionally designed to fail.
     
    Last edited by a moderator: May 22, 2019
    tilleroftheearth and Robbo99999 like this.
  6. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    3,993
    Messages:
    6,571
    Likes Received:
    5,642
    Trophy Points:
    681
    That's right, I don't think I've read about any actual attacks that have been carried out in the wild. Thing is, if there's a vulnerability there then organisations are gonna want to patch them, and maybe some individuals might too. I'm thinking though that these kind of sophisticated attacks are mostly only likely to occur against high value targets, so for the average consumer I don't think these exploits and their patches are quite as significant. At the moment my thought process is that I will adopt the default protection offered by Windows and Intel, rather than doing things like disabling hyper threading - I do have Spectre & Meltdown activated, because it's quite a small performance hit and it's also the default position for Windows/Intel.
     
    Last edited: May 22, 2019
  7. Zymphad

    Zymphad Zymphad

    Reputations:
    2,321
    Messages:
    4,165
    Likes Received:
    355
    Trophy Points:
    151
    To go back to HT:

    I figure you bought Intel because gaming. In that case, HT makes no difference, 0% loss in performance in vast majority of new 2018/2019 games. Or if you use Adobe products, which seems to prioritize speed over MT, I haven't seen evidence disabling HT will make too much difference, and about the same performance of Ryzen still.

    If you care about multi-threading... Well in that case, I would assume you bought either Ryzen or Threadripper, cause Intel equivalents are so expensive right now.
     
  8. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    3,993
    Messages:
    6,571
    Likes Received:
    5,642
    Trophy Points:
    681
    HT makes a big difference in performance in a lot of tasks. It's in the region of 30% performance improvement over non-HT, depending on what the work load is. HT is being used all the time on an HT enabled CPU - all logical cores exposed to the operating system are HT cores, each one of them...it's not like the operating system sees 4 real cores and then 4 HT cores, the operating system sees instead 8 HT cores.

    EDIT: and HT does help in some games. Worth leaving enabled for gaming. BF1 is just one game that springs to mind. But yeah, not really any difference in gaming performance between 9700K and 9900K, but that's because 9700K already has 8 cores (non hyperthreaded), which is plenty for all games. For 4 core and 6 core CPUs like 7700K and 8700K you're better off leaving HT enabled, and the 4 core CPUs definitely need it.
     
    Vasudev and tilleroftheearth like this.
  9. Zymphad

    Zymphad Zymphad

    Reputations:
    2,321
    Messages:
    4,165
    Likes Received:
    355
    Trophy Points:
    151
    I have not seen this myself. And it seems Intel agrees considering HT is disabled on 9600K and 9700K and they are still outperforming the 8700K w/ HT.

    For daily tasks, I'm sure I could disable HT on Ryzen and even disable half the cores and not notice difference.

    Either way, maybe I am wrong, but that's all I have read/watched so far.

    I would ignore most of this if I was still using Intel. I don't see why I would be vulnerable to any of this. Seems to me this is all way overblown.

    I just hope Intel does not ignore this and their 10nm chips eliminate these vulnerabilities.
     
    Vasudev and tilleroftheearth like this.
  10. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    Reputations:
    2,520
    Messages:
    9,469
    Likes Received:
    4,888
    Trophy Points:
    431
    It is all overblown until someone gets hurt by it. No one worried about any of the attacks before they happened and of course took no action to patch or protect from them. As soon as things like Wana-Cry hit then it was a scramble to fix it. Sometimes you catch the thieve before they get in the door, other times you may wake up with them rambling through the house.
     
    ajc9988, Vasudev and tilleroftheearth like this.

Share This Page