Linux 4.19 Git Contains a lot of Performance Impacting Spectre Mitigation Updates

Another round of anti-Spectre security commits has landed in the Linux 4.19 kernel git tree, and they may affect kernel performance.

While Spectre is still only a somewhat theoretical threat, as it's entirely too slow to be used in a serious attack, many folks are taking its future potential quite seriously and arming up against it.

“The Speck [Spectre slang, not to be confused with the controversial NSA algo] brigade sadly provides yet another large set of patches destroying the performance which we carefully built and preserved,” writes kernel maintainer Thomas Gleixner in the latest x86/pti pull request.

This latest batch of x86/pti patches may contain some of the most extensive Meltdown/Spectre security work seen in recent months. Some of the targeted updates include:

Enhanced IBRS (Indirect Branch Restricted Speculation) that will be available for future Intel based CPUs, as a simpler and more efficient approach than the IBRS that we see in current Intel x86 processor chips. Enhanced IBRS will be enabled by default on the future Intel CPUs, and it will help lessen the performance hits seen in Spectre Variant Two mitigation, when compared to Retpolines or the current IBRS method. Gleixner commented, “Unfortunately we don't know the performance impact of this, but it’s expected to be less horrible than the IBRS hammering.”

32-bit PAE hardware now has page table isolation (PTI/KPTI) support for Meltdown mitigation. The performance hit on x86 32-bit hardware could be quite noticeable for anyone who upgrades to Linux kernel 4.19 in the future, unless this mitigation is disabled via the ‘nopti’ kernel boot parameter.

Fixes to the global bit mechanics for CPUs that do not have PCID (Process Context Identifiers), which were shown to be “exposing interesting memory needlessly”.

Initial SpectreRSB mitigation against the Return Stack Buffer vulnerability found in the userspace-userspace variant of this attack vector.

In general, there are a lot of clean-ups and optimizations, as this x86/pti cycle contains over a thousand lines of code.
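
To see which of these mitigations a given machine actually runs with, including whether PTI was switched off with ‘nopti’, the kernel's own status files can be parsed. The following Python is an added example, not code from the kernel or the pull request. The sysfs directory, the boot parameters other than ‘nopti’, and the sample status strings are not from the article, and the samples are constructed.

```python
"""Report which Meltdown/Spectre mitigations a Linux host runs with."""
from pathlib import Path

# Kernel status files (assumption: not named in the article).
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# 'nopti' is the parameter the article names; the others are further kernel
# boot parameters that switch PTI or the Spectre v2 mitigation off.
OFF_PARAMS = {"nopti", "pti=off", "nospectre_v2", "spectre_v2=off"}

# Constructed sample input: a 4.19-style host booted with 'nopti'.
SAMPLE_STATUSES = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
}
SAMPLE_CMDLINE = "root=/dev/sda1 ro quiet nopti"

def classify(status):
    """Split one status line into (state, [techniques in use])."""
    head, _, detail = status.strip().partition(":")
    state = {"Not affected": "not_affected", "Mitigation": "mitigated",
             "Vulnerable": "vulnerable"}.get(head, "unknown")
    techniques = [t.strip() for t in detail.split(",") if t.strip()]
    return state, (techniques if state == "mitigated" else [])

def audit(statuses, cmdline):
    """Return findings: boot-time opt-outs and entries not mitigated/unaffected."""
    findings = []
    disabled = sorted(OFF_PARAMS & set(cmdline.split()))
    if disabled:
        findings.append("disabled on kernel command line: " + ", ".join(disabled))
    for name, status in sorted(statuses.items()):
        if classify(status)[0] in ("vulnerable", "unknown"):
            findings.append(f"{name}: {status.strip()}")
    return findings

def read_host():
    """Read the live status files and command line; empty if unavailable."""
    statuses = {}
    if VULN_DIR.is_dir():
        statuses = {p.name: p.read_text() for p in VULN_DIR.iterdir()}
    cmdline = Path("/proc/cmdline")
    return statuses, (cmdline.read_text() if cmdline.exists() else "")

if __name__ == "__main__":
    statuses, cmdline = read_host()
    if not statuses:  # not Linux, or sysfs not mounted: use the sample
        statuses, cmdline = SAMPLE_STATUSES, SAMPLE_CMDLINE
    for name, status in sorted(statuses.items()):
        print(f"{name:12} {classify(status)}")
    for finding in audit(statuses, cmdline):
        print("FINDING:", finding)
```

Status lines that match none of the three known prefixes are reported as findings so that they get a manual look instead of being silently treated as mitigated.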