Trade security with performance

The recent CPU flaw caused quite a mess. Most recent linux kernels have the problems patched, but what if I am willing to trade security for performance? I’ll need to compile my own kernel and here is how to do that on Ubuntu 17.

apt install git build-essential kernel-package fakeroot libncurses5-dev libssl-dev ccache
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.15.tar.xz
tar Jxvf linux-4.15.tar.xz
cd linux-4.15

First, we need to make oldconfig. Basically copy the kernel compile config from Ubuntu and decide whether new features should be enabled

cp /boot/config-4.13.0-32-generic .config
make oldconfig

Here I disabled the first feature related to spectre and meltdown

RETPOLINE=n

Next, in menuconfig, disable another feature which was already enabled in 4.13.0-32

Remove the kernel mapping in user mode (aka CONFIG_PAGE_TABLE_ISOLATION=n)

If like me you have no plan to debug kernel issues, disable the kernel debug package which can save a lot of time. Disable it from Kernel hacking > Compile-time checks…

Probably all the staging drivers can be skipped too. Uncheck them from Device Driver > Staging…

Disabling debug and staging drivers reduce the compilation time by almost 50%. On my machine, that is about 30 minutes.

We are now ready to compile the kernel and create deb packages.

make -j 8 deb-pkg LOCALVERSION=-pos

The above will provide deb packages in the parent directory. It takes about 50 minutes for all of the above on a c5.2xlarge. $0.34 plus storage and network transfer price. Kernel compilation is no longer an excuse to upgrade to faster CPUs!

linux-headers-4.15.0-pos_4.15.0-pos-1_amd64.deb
linux-image-4.15.0-pos_4.15.0-pos-1_amd64.deb

I installed the Performance Over Security (pos) kernel on my desktop. The performance gain is noticeable. Do it at your own risk though.

Update

It may be possible to turn off these CPU fixes without compiling your own kernel. Add the followings to kernel boot parameters. Reference https://www.linux.com/blog/intro-to-linux/2018/1/linux-kernel-415-unusual-release-cycle

spectre_v2=off pti=off

The new kernel comes with an interesting sysfs entry:

# ls -1 /sys/devices/system/cpu/vulnerabilities
meltdown
spectre_v1
spectre_v2

Meltdown and Spectre CVE-2017-5715

Numerous posts and announcements have been made available in past 48 hours[1]. I don’t want to embarrass myself trying to describe what they’re about. Here I want to measure the performance penalty for the kernel patch. Kernel update has been made available on CentOS 7 (3.10.0-693.11.6.el7), roughly 12 hours behind Redhat. Here is a quick test of mysql sysbench on a small instance on aliyun, AWS, and Azure. No impact I can see on Aliyun ecs, but there is around 10% impact on AWS ec2 and Azure vm.

Continue reading “Meltdown and Spectre CVE-2017-5715”