The news of the Meltdown and Spectre security vulnerabilities, which together affect almost all modern CPUs, has been sweeping the web since the start of the year. The fix for Meltdown, an OS-level method of mitigation called kernel page table isolation (KPTI), has now been implemented for major operating systems, including Linux, macOS, iOS, Android, and Windows. Mitigations for Spectre, which is actually two different vulnerabilities, are currently less understood, however. Fixes, so far, have involved program-level, OS-level, and hardware-level patching, but it seems there isn’t a single solution to both of the Spectre vulnerabilities.
Meltdown has a singular fix across all operating systems because the vulnerability results from an optimization present in specific CPUs, namely Intel’s and some of ARM’s. With no way to fix the CPUs, the only option is to apply a heavy-handed approach that nullifies the optimization within the OS: KPTI. It was known that KPTI would, in theory, have a real performance cost. The earliest tests on Linux with worst-case scenarios showed performance drops of up to 30%.
Intel denied the performance drops, saying that there would be a negligible impact for home consumers. Initial testing from the web, including that done by Guru3D, TechSpot, and ComputerBase, seems to support this. However, the worry since the beginning has been about enterprise workloads, such as virtual machines and databases. Now that the tech giants have all applied their patches, they’ve all issued their own statements on the performance impact.
Apple didn’t say anything about whether its back-end services suffered. Instead, its statement focused on macOS and iOS, which it claimed suffered “no measurable” impact in benchmarks due to the Meltdown patch. Apple has patches for Spectre coming, which it claims have a measured 2.5% performance impact.
Microsoft issued a statement about the maintenance it did for its Azure cloud computing service saying that “the majority of Azure customers should not see a noticeable performance impact.” A caveat was given, though, for customers whose workloads are network heavy. Microsoft recommended turning on Azure Accelerated Networking to mitigate this, but that won’t help those who already had it on. Microsoft didn’t mention which of the vulnerabilities they patched or whether more patches would be coming.
Google said it deployed KPTI to patch Meltdown and its own software method, dubbed Retpoline, to fix one of the two Spectre vulnerabilities. Google said that most of its workloads, including cloud infrastructure, saw a “negligible impact on performance” and warned of the “exaggerated impacts” shown by microbenchmarks.
Amazon, the company many expected would be impacted the most by KPTI, issued a statement focusing on its EC2 virtual-machine compute farm. The company definitively stated that EC2 customers are protected against Meltdown and both Spectre vulnerabilities. We don’t know what makes Amazon’s case different as, according to Google, one of the Spectre vulnerabilities doesn’t have an effective fix. Amazon also said that it had “not observed meaningful performance impact for the overwhelming majority of EC2 workloads.”
It’s still early days for the Meltdown/Spectre issue. Given how hot the topic currently is, it's understandable why the above companies rushed to give statements. Intel has used the statements to downplay the issue even though they admit that the impact of KPTI remains “highly workload-dependent.” We’re sure to hear more on the performance impact in the coming days.
Linus Torvalds said you could expect a roughly 5% performance hit. If you're running a datacenter with thousands of computers, 5% can be a HUGE hit in terms of power and cooling costs. 5% of your costs just to work around an architecture blunder.
So, 5-30% drop in CPU. That is not cool. To say not noticeable, for the average user is disingenuous to the users that peruse Tom's and Engadget. Most of the users are NOT average users. I will be very upset if I lose UP TO 30% of the CPU usage of my CPU!
I am curious to see post-patch benchmarks of Intel chips vs. AMD chips. I have a suspicion that Intel's performance advantage may evaporate. This is especially true if AMD is actually immune to Meltdown and therefore does not need performance-impacting patches.
20561246 said: I am curious to see post-patch benchmarks of Intel chips vs. AMD chips. I have a suspicion that Intel's performance advantage may evaporate. This is especially true if AMD is actually immune to Meltdown and therefore does not need performance-impacting patches.
From what we've seen so far, as far as the consumer is concerned, there will be no change in how Intel and AMD stack up against each other. Consumer applications like games and video encoding software seem to be pretty much unaffected. The only area where AMD might be able to get a performance lead over Intel out of this would be in the server market, where things like database programs are more likely to take a sizeable performance hit.
For time critical applications, 5% is massive though.
Plus, come on, you think the big "we want you to move everything to our servers" people would say there's a big impact in their infrastructure due to this? That is why their claims come with big asterisks.
I mean, it's fine they come up front and say it wasn't as bad as it was made out to be, but context is everything.
I find myself losing a good item for the fact of hearing some operational term but not having it arise as a reference. Would be great value to have appended Glossary with links! UX, right?
(Amazon) definitively stated that EC2 customers are protected against Meltdown and both Spectre vulnerabilities.
We don’t know what makes Amazon’s case different as, according to Google, one of the Spectre vulnerabilities doesn’t have an effective fix.
Amazon also said that it had “not observed meaningful performance impact for the overwhelming majority of EC2 workloads.”
pretty weasel words?
So they admit they HAVE noticed a meaningful impact on some?
their support forum indicates many of their clients have been mucked around terribly by different performance levels, and they were given no notice by Amazon.
IT'S WORKLOAD DEPENDENT, but even a 50% hit is possible for some workloads,
All the apologists are saying is that consumers don't have big enough workloads of the right type to notice for now.
If a farmer buys a 1000HP tractor & discovers it's only a 700 HP tractor, just because he hasn't done any 1000hp jobs yet, doesn't mean he wasn't short changed.
It may be possible that cloud "service providers" are downplaying the impact as it would adversely impact their business, like Intel downplaying it.
I believe a plain OS provider (Red Hat) is closer to the actual impact.
Measurable: 8-19% OLTP database workloads is no good news (very noticeable in my opinion; I am a database administrator)
If you're rendering and doing video editing and have invested substantial money and effort to improve your system's performance any hit to performance is significant. Same is true of gamers. A class lawsuit is in order and I want the ability to say no to any performance hitting OS patches. I'll take my chances with the hackers using my firewall.