From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linutronix.de (146.0.238.70:993) by crypto-ml.lab.linutronix.de with IMAP4-SSL for ; 24 Jan 2019 02:26:55 -0000
Received: from mga17.intel.com ([192.55.52.151]) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1gmUjD-0006nz-J6 for speck@linutronix.de; Thu, 24 Jan 2019 03:26:53 +0100
Date: Wed, 23 Jan 2019 18:26:48 -0800
From: Andi Kleen
Subject: [MODERATED] Re: [PATCH v5 14/27] MDSv5 3
Message-ID: <20190124022648.GA6118@tassilo.jf.intel.com>
References: <8b89fce6dd87638a00078082141d3ce5fe13d0ea.1547858934.git.ak@linux.intel.com> <20190123013525.GX6118@tassilo.jf.intel.com> <20190123160206.GZ6118@tassilo.jf.intel.com> <20190123224004.ekqtemmu44vnnuoh@treble>
MIME-Version: 1.0
In-Reply-To: <20190123224004.ekqtemmu44vnnuoh@treble>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID:

On Wed, Jan 23, 2019 at 04:40:04PM -0600, speck for Josh Poimboeuf wrote:
> On Wed, Jan 23, 2019 at 08:02:06AM -0800, speck for Andi Kleen wrote:
> > > you just sprinkle random mitigation calls around.
> > >
> > > The point is that paranoid mitigation is simply 'always invoke VERW'. The
> > > conditional modes and that's what we have done for the other
> > > vulnerabilities as well are handling the most obvious issues and leave some
> > > documented holes. Trying to catch everything in cond mode is just adding a
> > > lot of pointless crap all over the code base and will still fail to plug
> > > all holes unless you do a full audit of all kernel code.
> > >
> > > It would be interesting to see the following test results:
> >
> > You mean performance test results? That's in 0/0
> >
> > The worse case slow down we've seen with the lazy flushing
> > is ~2% (on a benchmark that pushes data over loopback
> > in a tight loop). Most workloads see no change because
> > the existing lazy scheme works fairly well.
> >
> > With full flushing the worst case seen is 8%, but again
> > that was a workload that does syscalls in a tight loop,
> > so more an outlier.
>
> We're actually seeing some very large slowdowns -- much worse than 8%.
>
> The early results are showing more like 130% slowdown in several cases
> for mds=full.

I'm talking about at least somewhat realistic workloads, not
"empty system call in a tight loop" type micro benchmark scenarios.
I don't think it's very interesting to discuss those cases.

In our case the 8% was a loopback test with apache, which is likely
already somewhat unrealistic.

-Andi