Linux 4.20 is Running Slower Than 4.19 On Intel CPUs

Freshly Exhumed writes: An intentional kernel change in Linux kernel 4.20 for enhanced Spectre mitigation is unfortunately causing Intel Linux performance to be much slower than with 4.19. That change is 'STIBP' (Single Thread Indirect Branch Predictors), which allows for preventing cross-hyperthread control of decisions that are made by indirect branch predictors. It affects Intel systems that have up-to-date microcode and CPU Hyper Threading enabled. Phoronix gives the evidence.

Re:Opps

[saloomy]

No. 4.19 was insecure, but faster. 4.20 is more secure, but slower. So? If I store my passwords in plain-text it's faster. Faster still if I don't have to do a DB lookup and just hard code some that I need.

4.20 is better. The performance penalty is the cost of better security in almost all computer operations (often negligible due to faster and faster chips). Because of hardware advancements though, it's most of the time a very worthwhile tradeoff. If your application suffers that much, size up the gear.

Re:

[Tough Love]

Most of the responses to this article are "AMD" so I don't need to say it. But I will anyway. AMD.

Re: Opps

[Tough Love]

Ryzenfall and related vulnerabilities still haven't been fixed

Ryzenfall is a PR exploit [wikipedia.org] not a serious vulnerability, it requires physical access.

Investigators uncovered an article by Viceroy Research condemning AMD on the exploit and noted how the article was published less than half an hour after the exploits were revealed. Given the polish of the article which appears to be written many days in advance, and wording of the article which suggests that it is financially motivated, many were quick to accuse the exploit as a smear campaign engineered by Viceroy to short-sell AMD's stocks.

Meanwhile, Intel still has major issues with Meltdown, which is much more serious than Spectre because Meltdown breaks the veil between user and kernel, while Spectre is a process/process leak, much easier to address at the OS level. With fresh new Meltdown exploits demonstrated, Intel is still very much in the hot seat and AMD is the more secure processor.

Re:

[Tough Love]

And possibly other situations, not in the cloud.

Re: Opps

[Anonymous Coward]

It's only worthwhile in some situations.
I manage around 15,000 hypervisors which have VMs that don't ever run untrusted or arbitrary code, they aren't internet connected, etc. A 10% performance hit means millions of dollars of additional compute and network infrastructure.
And don't tell me to use AMD either, the price vs. Performance ends up being more costly at the scale and density we require.... and that's pretending we could swap existing servers out for no cost.

Re: Opps

[Anonymous Coward]

Newer Intel chips don't even come with hyperthreads anymore due to Spectre. If you disable HT on your servers you won't take the performance hit.

Re:

[Bert64]

HT is itself a feature designed to improve performance... If you disable it, then you lose any performance benefits it provided.
Wether it provides a performance benefit depends on your workload, it allows the processor to work on another thread if your code stalls the pipeline, but if your code is properly optimized for the processor then it wont stall the pipeline...

Re:

[Anonymous Coward]

"(often negligible due to faster and faster chips)"

I can tell you don't program. Most code is so bloated now days that what once would've only needed an 8088 to run now at minimum needs a 233MHz Pentium II to do the same thing.

YOUR FUCIKING CODE SUCKS, PROGRAMMERS. Get back to making it SMALL so these security bugs are far less prevalent.

Re:

[Bengie]

20-30% performance gain for something like 5% more transistors is nothing to sneeze at, but holy crap is it a finicky jittery fragile 20% gain that is rife with corner cases. Assuming the work load even benefits. Plenty that do not.

Give it a break

[medv4380]

It's just high.

Four Twenty?

[Esion Modnar]

There's a joke here somewhere. If I weren't so stoned...

Re: Four Twenty?

[Anonymous Coward]

Funding secured.

Re:

[Aighearach]

Funding secured.

A spectre of a deal!

Re:Disableable?

[F.Ultra]

You can disable it with a boot flag "spectre_v2=off nopti"

Linux 4.20 man!

[Spencer Williams]

Wooohooo!

This is intels problem

[Shaitan]

Linux kernel doesn't let your insecure and sloppy design do things that compromise the security of the OS. Sounds like a feature to me.

Re:

[Chris Mattern]

No, it's just that linux sucks.

To an extent, I'm willing to grant that. So, what sucks less than Linux?

Re:

[Chris Mattern]

MenuetOS.

Uhhhh....

Non-POSIX, apparently not compatible with anything else, almost no documentation I could find, no evidence of usable apps (if there is an office suite, web browser or email client for it there was no mention of them that I could find), development environment centered around assembly language...

Pass.

Re:

[should_be_linear]

There is room for two versions of microcode / kernel: default (slow) and root (fast) mode. In root mode there can be only one (root) user, but everything runs much faster. There is lot of offline computers (like supercomputers) which would benefit from this, even 20% of performance, it seems.

Re:

[Chris Mattern]

There is room for two versions of microcode / kernel: default (slow) and root (fast) mode. In root mode there can be only one (root) user, but everything runs much faster.

Let's see here. We'll give people a choice between an immediate, measurable advantage and an advantage they won't see until the failure hits. Gee, I wonder which one everyone will choose, and then get hacked for.

Re:

[Shaitan]

It wouldn't be fast and slow mode, it would be not intentionally left insecure and swiss cheese mode.

Intel?

[110010001000]

Who still runs Linux on Intel CPUs?

Re:

[StormReaver]

Remember how Jeff Bezos just recently said that once Amazon stopped focusing on customers, it was going to be the beginning of the end of Amazon? Intel stopped focusing on customers the moment it knowingly sacrificed security to maintain its near-monopoly on CPU's. While AMD has some issues with its chips, those issues pale in comparison to the wholesale don't-give-a-shit practiced by Intel.

I hope Intel has a huge, massively expensive decline.

Re:

[NicknameUnavailable]

Your comparison is more accurate than you know. In actuality Intel stopped focusing on customers in favor of government snooping. Amazon is now doing the same, Bezos is just trying to appeal to the masses without breaking NDAs so he doesn't have to lose the consumer market for the government contracts.

Re:

[Kjella]

Remember how Jeff Bezos just recently said that once Amazon stopped focusing on customers, it was going to be the beginning of the end of Amazon? Intel stopped focusing on customers the moment it knowingly sacrificed security to maintain its near-monopoly on CPU's. While AMD has some issues with its chips, those issues pale in comparison to the wholesale don't-give-a-shit practiced by Intel.

And by "knowingly" you mean Intel did this on purpose? They can be dirty as hell doing damage control, but creating Meltdown/Spectre wasn't a conscious plan or at least then I'd really like to see your documentation that security was intentionally sacrificed. And as far as I know they're not making any significant revenue on anything other than selling CPUs, they're not in the data mining business nor to they take a cut of all applications running on an Intel nor are they selling your data to third parties.

Re:

[drinkypoo]

I'd really like to see your documentation that security was intentionally sacrificed.

I submit the design as documentation. They do the security check after the memory access. That can only have been a deliberate decision.

Re:

[Tough Love]

I hope Intel has a huge, massively expensive decline.

I hope that Intel becomes a better company with better products and that when the dust settles they will share the x86 market roughly equally with AMD. No dirty tricks now, Intel.

Re:Intel?

[110010001000]

Whats a Windows?

Re:Intel?

[F.Ultra]

They usually call from India and want you to install some software on your computer since it has reported that it's being hacked. At least that is what they always say on the phone "Hello I'm calling from Windows" so that must be it.

Re:

[dryeo]

When you start a program under X, it runs in a Window. You can have multiple Windows on your desktop, each with a different program running independently of each other.
It's even possible to do it in a console, with text mode programs. It's how I was first introduced to Windows on an Apple II.

Re:

[Tough Love]

Got a couple of laptops still running Intel. My next laptop will for sure be AMD. [videocardz.com]

Re:

[Aighearach]

Who still runs Linux on Intel CPUs?

Thinkpad owners.

OTOH, CentOS is on 3.x kernels still anyways.

Re:

[Highdude702]

Who the hell would run CENTOS on a laptop?? And why??!?!?

Re:

[Anonymous Coward]

You *can* have both secure and faster... with AMD.

AMD for the WIN!! will apple move mac pro over?

[Joe_Dragon]

AMD for the WIN!! will apple move mac pro over?

Re:

[Kuruk]

Apple are making their own CPU now. The iPad has more power than the Apple laptops. Shots fired at intel.

420 running slower? Dude, WHO COULD HAVE KNOWN?

[outlander]

Yeah, it doesn't make sense at all. ;)

Solution is simple

[GerryGilmore]

You can easily disable this patch with a boot command-line argument. Unless you are running a heavily VM-ed data center with shit for security, why would you cripple your system over the most esoteric hacks known to man and that - Oh! By the way! - require that you are running malware on your system already? (And spare me the horseshit about JS - that can ONLY happen in a carefully crafted environment.)

Re:

[Anonymous Coward]

I see you cannot be bothered to share with us how to easily disable this patch with a command line argument. I'm going to bet it's because it's not as easy to disable as you make it seem.

But we wouldn't want to bother you with your amazing data center that has good security because you just paid to fix the problem with hardware. That's senior management thinking right there, Gerry!

Re:Solution is simple

[Mysticalfruit]

Add this to your kernel boot line:

pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

Re:

[Espectr0]

why did the boot argument had to be so complicated? i would have named it disable_STIBP or even disable_spectre_fix

Re:

[ArchieBunker]

Just wait until boot arguments are considered obsolete like traceroute for example. This will get merged into systemd and you will have to issue the commands at shutdown instead of at boot time.

Abandon systemd?

[Artemis3]

So, abandon systemd? There is nearly a hundred distros NOT using it, what are you waiting for? http://without-systemd.org/ [without-systemd.org]

Re:

[Highdude702]

#Hashtags are for people that don't belong on this site.

Intel got that speed from _somewhere_

[gweihir]

There is now a price to pay. Not really a surprise.

Re:

[thegarbz]

It's surprising to know the world is full of trade-offs. I happily pay the price knowing that the speed is far more important than the incredibly low risk that this security issue could be exploited against me. There's a reason that pretty much every specter and meltdown mitigation has been optional.

Requires hyper threading.

[Fly Swatter]

So technically not ALL Intel cpus.. I finally dodged one of the many bullets, I should buy a lottery ticket.

Re:

[Tough Love]

Or you could disable HT in the bios. Still sucks.

Better title

[Anonymous Coward]

Intel CPUs performance suffers for its bug mitigation in linux kernel 4.20.

Re:

[Philotomy]

Mod parent up.

This isn't a "Linux 4.20" problem, this is Intel's fault.

But why?

[gmit]

Old, vulgar Linus would have never allowed that!

Google?

[JBMcB]

I thought Google had figured out a patch to circumvent this at the OS level that had negligible impact on performance?

Re:

[Anonymous Coward]

They did. The problem is that it only works for one of many vulnerabilities. And this week we've got 7 more for Intel.

FAIL

[sproketboy]

TempleOS FTW

spectre

[sad_]

further spectre mitigation code is causing these slow down issues.
it's discussed in a follow up phoronix article.

Re:The PRICE We Pay For NICE Linus

[Anonymous Coward]

BRING BACK MEAN LINUS

Re: The PRICE We Pay For NICE Linus

[Type44Q]

A-fucking-men.

Re:

[NicknameUnavailable]

#savelinus

Re:

[Aighearach]

pre-USADA Linus was the GOAT, like Ken Shamrock with faster fingers.

Re:

[magarity]

Seriously, you might think you're so cool by annoying the other users but I for one am concerned for your health. Do you need medication or some other kind of help? It isn't normal to paste that stuff into every article.

Re:

[Anonymous Coward]

apk is a mentally ill person. His posts ebb and flow according to what's going on with his condition. It's usually best just to ignore him.

Re: IMPERSONATING ME AGAIN? apk

[Anonymous Coward]

I've always kinda thought of him as "He who shall not be named" because as soon as you type the letters A...P...K.

See the comments below