Linus Torvalds: After big Linux performance hit, Spectre v2 patch needs curbs

Patch is causing as much as a 50 percent drop in performance in some Linux workloads.
Written by Liam Tung, Contributing Writer

Major slowdowns caused by the new Linux 4.20 kernel have been traced to a mitigation for Spectre variant 2 that Linux founder Linus Torvalds now wants restricted.

As noted by Linux news site Phoronix, the sudden slowdowns have been caused by a newly implemented mitigation called Single Thread Indirect Branch Predictors (STIBP), which is on by default in the Linux 4.20 kernel for Intel systems with up-to-date microcode.

STIBP is one of three possible mitigations Intel added to its firmware updates in response to the Spectre v2 attacks. Others included Indirect Branch Restricted Speculation (IBRS), and Indirect Branch Predictor Barrier (IBPB), which could be enabled by operating-system makers.

STIBP specifically addresses attacks against Intel CPUs that have enabled Hyper Threading, its version of Simultaneous Multithreading (SMT)

Phoronix's benchmarks comparing Linux 4.20 with STIPB enabled show that the mitigation on some application workloads has a severe impact on performance.

With STIBP enabled, Phoronix's high-end Xeon Gold server also goes from being the fastest server to slower than AMD's previously lower-performing EPYC-based server.

Because of these slowdowns Torvalds' on Sunday posted a message demanding STIBP no longer be enabled by default in the kernel, especially since an existing option is to disable SMT.

SEE: 20 quick tips to make Linux networking easier (free PDF)

"When performance goes down by 50 percent on some loads, people need to start asking themselves whether it was worth it. It's apparently better to just disable SMT entirely, which is what security-conscious people do anyway," wrote Torvalds.

"So why do that STIBP slow-down by default when the people who *really* care already disabled SMT?"

Researchers earlier this month made the same argument against SMT after revealing the PortSmash side-channel vulnerability, which affects all Intel CPUs that support Hyper-Threading.

The researchers noted that "security and SMT are mutually exclusive concepts" and encouraged users to avoid chips that feature SMT. An earlier attack called TLBleed prompted the OpenBSD project to disable support for Intel Hyper-threading.

Torvalds said the code didn't need to be fully reverted, but the behavior that STIPB needs to be "unconditionally" enabled does need to be reverted.

"Because it was clearly way more expensive than people were told," noted Torvalds.


Linux kernel founder Linus Torvalds: "When performance goes down by 50 percent on some loads, people need to start asking themselves whether it was worth it."

Image: Aalto University/YouTube

Previous and related coverage

Researchers discover seven new Meltdown and Spectre attacks

Experiments showed that processors from AMD, ARM, and Intel are affected.

Windows 10 will banish Spectre slowdowns with Google's Retpoline patch

Google's Retpoline fix for the Spectre Variant 2 flaw helps minimize performance hit on Windows 10 machines

Intel ditches Linux patch benchmark 'gag', offers 'innocuous' new license

Intel's license for its microcode security fixes no longer prevents developers from publishing benchmark results.

Intel 'gags' Linux distros from revealing performance hit from Spectre patches

You can test performance after using our patches, but don't publish the results, say Intel's new license terms.

New Spectre variant 4: Our patches cause up to 8% performance hit, warns Intel

Intel's Spectre variant 4 patch will be off by default, but users who turn it on are likely to see slower performance.

Linux performance before and after Meltdown and Spectre fixes

The patches, as expected, brought Linux's performance down, but their impact has not been as bad as feared.

Oracle's latest Linux fixes: New Spectre, Lazy FPU patches beef up defenses

Oracle has new fixes available for Spectre flaws affecting Linux systems on Intel and AMD chips.

Spectre chip security vulnerability strikes again; patches incoming

A Google developer discovered a new way that a 'Spectre'-style check can be used to attack any computer running any operating system.

Are 8 new 'Spectre-class' flaws in Intel CPUs about to be exposed?

Reports are emerging of eight new 'Spectre-class' security CPU vulnerabilities.

Ex-Intel security expert: This new Spectre attack can even reveal firmware secrets

A new variant of Spectre can expose the contents of memory that normally can't be accessed by the OS kernel.

Microsoft to Windows users: Here are new critical Intel security updates for Spectre v2

Microsoft releases new Windows updates to address the Spectre variant 2 flaw affecting Intel chips.

Windows 10 on AMD? This new update plus Microsoft's patch block Spectre attacks

AMD has released microcode updates for Spectre variant 2 that require Microsoft's latest Windows 10 patch.

Intel: We now won't ever patch Spectre variant 2 flaw in these chips

A handful of CPU families that Intel was due to patch will now forever remain vulnerable.

Windows 7 Meltdown patch opens worse vulnerability: Install March updates now

Microsoft's Meltdown fix opened a gaping hole in Windows 7 security, warns researcher.

Intel's new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode

Intel makes progress on reissuing stable microcode updates against the Spectre attack.

Got an old PC? Find out whether you will get Intel's latest Spectre patch TechRepublic

Intel has listed a range of CPUs released between 2007 and 2011 that will not receive a firmware update to help guard against Spectre-related exploits.

Class-action suits over Intel Spectre, Meltdown flaws surge CNET

Since the beginning of 2018, the number of cases has risen from three to 32.

Editorial standards