Linux Kernel Default Processor Security Mitigation Changes and VMware Performance

Recently, a few published articles discussed the performance impact of mitigations added to the Linux kernel to deal with a new attack against an existing vulnerability. This blog provides some additional context about the reported performance impact and links to additional resources.

Quick History

In 2018, vulnerabilities were demonstrated in some processors that made them susceptible to the attacks known as Spectre and Meltdown. This general category of vulnerabilities became known as speculative execution security issues. Processors released after this time do not have this same vulnerability, but systems from 2018 and before need software-based patches to mitigate it. Researchers demonstrated that the Indirect Branch Restricted Speculation (IBRS) mitigation mechanism prevented successful attacks, but this mitigation came with a performance penalty. An additional mitigation technique called retpoline was found to provide protection with a much smaller impact on performance. Unfortunately, it was demonstrated in 2022 that retpoline is not completely secure and that a new attack type can succeed against it. As a result, earlier this year the Linux kernel's default mitigation for these processors was changed from retpoline to IBRS.

Microbenchmarks and the Linux Kernel Mailing List

The IBRS method is not vulnerable to the new attack but potentially causes a more significant impact on performance. As part of the open-source Linux community, VMware ran some microbenchmark tests to measure the potential impact of this change in the Linux kernel. The microbenchmark tests measure the performance of individual operations like thread creation or memory allocation and can be very sensitive. This is great for looking at the impact of a new patch or change because small effects on even lightly used operations can be seen.

VMware reported microbenchmark results showing that the initial mitigation change in the Linux kernel had some sizeable impacts on specific compute operations. This was reported so that Linux kernel developers could work on improving the mitigation techniques and, in turn, reduce the performance impact of the new mitigation. Several patches have already been proposed for the 5.19 kernel that show great promise in reducing the performance impact of the mitigations significantly below what was reported to the Linux Kernel mailing list.

To illustrate the difference between microbenchmarks and full applications, VMware tested a PostgreSQL database running an OLTP-based workload that simulates an online store and found a performance impact of about 3 to 5 percent with the Linux 5.19 kernel and the new default IBRS mitigation.

It’s also important to note that newer processors are not vulnerable. See the Intel Software Security Guidance to learn which Intel processors are vulnerable.

Virtual vs Native

VMware engineers initially reported that Linux kernel 5.19, which changed the default mitigation to IBRS, showed performance impacts on microbenchmarks in testing done on a virtual machine. However, these performance impacts are not specific to VMware virtual machines. Testing has shown that the same performance impact is measured on Linux running natively as on Linux running in a virtual machine.
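Because the mitigation in effect, and therefore the performance cost, depends on both the CPU and the kernel, the practical check is to ask the running kernel what it selected. The script below is an added example, not code from the VMware post: it reads the kernel's own status reporting under /sys/devices/system/cpu/vulnerabilities/ (the spectre_v2 entry carries the retpoline-versus-IBRS choice; the retbleed entry is exposed by kernels that include the 2022 mitigations) and classifies the status line so that a fleet check can distinguish "not affected" from "retpoline" from "IBRS". The same check applies inside a guest and on a native install. The classification function takes the status line as an argument, so it can be exercised with constructed sample lines on a machine that does not expose those files.

```shell
#!/bin/sh
# Added example (not part of the original post): report which Spectre v2
# mitigation the running Linux kernel has selected, via the kernel's sysfs
# vulnerability status files.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_spectre_v2 "<status line>"
# Prints one of: not-affected | vulnerable | retpoline | ibrs | eibrs |
# other-mitigation | unknown. Prefix patterns match the kernel's wording,
# e.g. "Mitigation: Retpolines, IBPB: conditional, ..." or "Mitigation: IBRS, ...".
classify_spectre_v2() {
    status="$1"
    case "$status" in
        "Not affected"*)              echo "not-affected" ;;
        Vulnerable*)                  echo "vulnerable" ;;
        "Mitigation: Retpoline"*)     echo "retpoline" ;;
        "Mitigation: IBRS"*)          echo "ibrs" ;;
        "Mitigation: Enhanced IBRS"*) echo "eibrs" ;;
        Mitigation:*)                 echo "other-mitigation" ;;
        *)                            echo "unknown" ;;
    esac
}

# needs_review "<class>" -> exit 0 when the class is one the post describes as
# not fully protected against the newer attack (retpoline-only) or unmitigated.
needs_review() {
    case "$1" in
        retpoline|vulnerable) return 0 ;;
        *)                    return 1 ;;
    esac
}

# report_mitigations [dir]
# Prints "<entry>: <kernel status> [<class>]" for the spectre_v2 and retbleed
# entries, skipping entries the running kernel does not expose. The directory
# argument exists so a constructed directory can stand in for sysfs in tests.
report_mitigations() {
    dir="${1:-$SYSFS_VULN_DIR}"
    for entry in spectre_v2 retbleed; do
        f="$dir/$entry"
        if [ -r "$f" ]; then
            line=$(cat "$f")
            class=$(classify_spectre_v2 "$line")
            if needs_review "$class"; then
                printf '%s: %s [%s] (review: not on the IBRS default)\n' "$entry" "$line" "$class"
            else
                printf '%s: %s [%s]\n' "$entry" "$line" "$class"
            fi
        else
            printf '%s: not reported by this kernel\n' "$entry"
        fi
    done
}

# Run against the live system when executed directly.
report_mitigations
```

On a 5.19 kernel with the new default on an affected CPU, the spectre_v2 line begins with "Mitigation: IBRS"; on an unaffected newer processor it reads "Not affected", which is the quickest way to confirm that the performance penalty discussed above does not apply to a given host.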

References and Links to Additional Resources