The Combined Performance Penalty of Intel CPU bugs Zombieload, Meltdown, Spectre and L1TF
'Zombieload is just the latest of a torrent of security holes in Intel CPUs found the last year. Each has required mitigations both at the firmware and kernel level and the sum of these is adding up. Some workloads are barely affected, others have a very real, measurable and noticeable slowdown.
The following rather large data-set comparing the Intel Core i7 6800K and the Intel Core i7 8700K on Linux 5.0 from openbenchmarking with CPU bug mitigation off, on and on with SMT disabled shows that the cumulative impact is high. Turning SMT/HyperThreading off to be safe from L1TF and Zombieload has the biggest impact but the performance-penalty is high even if you leave SMT on.
Compiling the kernel is something most Linux do sooner or later. Some do it regularly. The difference in compilation workloads is there when comparing standard mitigations vs no mitigations but it is only 3-4 seconds on a task that takes one and a half minute. Turning SMT off, which is required to stay safe from Zombieload-attacks, does have a huge impact. It is noticeable when a task which used to take one and a half minute takes more than two minutes.
Like kernel compilation file compression is not noticeable affected by all the kernel mitigation code required to work around Intel's CPU bugs. The performance impact is barely measurable. However, disabling SMT does have a huge and very real impact. 10 seconds more on a task that takes 40 is a big deal.
4K Video encoding with dav1d
Video encoding is another use-case where SMT makes a noticeable difference. The impact of the kernel mitigation code alone is barely measurable.
Purely synthetic measurements
The Hackbench is a stress test for the Linux kernel scheduler. The impact when measuring 32 processes and time how long it takes for each pair to send data back and forth is huge when just looking at the standard mitigation code and it is enormous when turning SMT off.
Web Server Performance
Running a web-server is a real-world use-case where there is a lot of context switching. The performance-impact of the mitigation code alone is huge and very noticeable. The difference between standard kernel mitigations on and off is larger than the difference between SMT on and off. The total performance hit by mitigation code and disabling SMT is huge on this workload.
The sum of all the kernel mitigation code alone has a measurable but not gigantic impact on typical desktop tasks and workloads like video encoding, file compression and compilation. This changes when Hyper-Threading/SMT is turned off. Intel marketed Hyper-Threading as the differentiating feature between their i5 and more expensive i7 CPUs for years and years. Having to turn that more expensive i7 into a i5 to be safe from CPU security bugs is not a good thing. The performance impact is very apparent. This is probably why some companies, like Apple, recommend turning it off while others recommend leaving it on. RedHat and SuSE have gone with the "up-to-you" approach, their Linux distributions installers will soon briefly inform you what the implications are and ask you what you prefer.
The mitigation code's impact on server workloads is huge and the total when disabling SMT on top of that is gigantic. Home desktop users can take the risk and turn the mitigation code off and leave SMT to get the performance Intel CPUs were advertised to have. This is simply not an option for corporations running mission-critical services. Many will simply have to upgrade to newer CPUs or add more servers; the difference is such that a task which previously required 20 servers now require 30 to handle the same load.
last edited 2019-05-19
Latest news headlines
- New Stable Kernel Series Releases 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11 Fixes Serious TCP Networking Vulnerabilities
- New Kernels: 5.2-rc5, 5.1.10, 4.19.51 and 4.14.126 released
- KDEs GSOC students are making Good Progress towards Many Exciting Improvements
- The Linux Kernel can Kill Your PC-Speaker
- Xfce Screensaver 0.1.5 Now Available
- Snek version 1.0 Announced for Python-Like programming on Tiny Embedded Systems
- GIMP 2.10.12 now available
- VLC 3.0.7 released with a long list of Security Issues Fixed
- Mesa 19.1.0 is now available
See the more archive for news headlines