Intel CPUs are now known to contain a serious flaw that can compromise system security. It can’t be fixed by microcode or UEFI update, and the solution — a significant set of patches applied to Windows, macOS, and Linux systems — is expected to carry a significant performance penalty in at least some benchmarks. This story is still evolving, but Phoronix has put some benchmarks together, along with sources like Computerbase.de. Linux, unlike macOS or Windows, has already been publicly patched (Windows patches are available via Windows Insider).
Treat all early data as preliminary, take with a grain of salt, etc, etc. Phoronix’s tests — which deliberately mix some different system configurations and models with faster and slower SSDs — show sharply reduced synthetic throughput results when the new kernel table isolation patch is applied. A synthetic compiler benchmark also showed reduced throughput, as below (purple = pre-patch, green = post-patch):
More worrisome are the database tests, which definitely show a decline. Early data again suggest anywhere from a 7-20 percent hit may be normal; isolated results showing larger declines seem to be confined to synthetic tests, at least so far.
That’s a 14 percent performance hit on Coffee Lake, and a nearly 20 percent performance whack on Broadwell-E. Redis performance (not pictured) was down about 7 percent on both systems.
ComputerBase.de has some early benchmarks as well, mostly showing that the impact on user space applications (most consumer apps) is minimal. There may be a very small performance hit on the order of 2-5 percent in some games, but this is not an absolute.
Intel has released a statement on the issue. It reads, in part:
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively.
This is true — ARM also appears to be affected — but AMD, as of this writing, is not. Benchmarking a patched OS on an AMD system will produce a performance hit if the page table isolation capability is enabled in Linux, but AMD maintains it does not need this fix in the first place.
We reject Intel’s argument that “recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’… are incorrect.” It may be true that securing chips from this kind of attack wasn’t a concern before, but the fact that Apple, Microsoft, and Google are all believed to be working on patches for a variety of products indicates they believe this flaw represents a serious security risk. It may not be unique to Intel, but it’s absolutely a problem. And you can bet AMD will be quite interested to see which applications and scenarios take a perf hit with the fix in place. Epyc, AMD’s nascent server lineup, might pick up a few customer wins off this problem if the issue is widespread.
Published at Wed, 03 Jan 2018 22:02:17 +0000