Amazon, Apple, Google, and Microsoft are reporting that their compute performance has been largely unaffected by the patches for Meltdown and Spectre.
The news of the Meltdown and Spectre security vulnerabilities, which together affect almost all modern CPUs, has been sweeping the web since the start of the year. The fix for Meltdown, an OS-level method of mitigation called kernel page table isolation (KPTI), has now been implemented for major operating systems, including Linux, macOS, iOS, Android, and Windows. Mitigations for Spectre, which is actually two different vulnerabilities, are currently less understood, however. Fixes, so far, have involved program-level, OS-level, and hardware-level patching, but it seems there isn’t a single solution to both of the Spectre vulnerabilities.
Meltdown has a singular fix across all operating systems because the vulnerability results from an optimization present in specific CPUs, namely Intel’s and some of ARM’s. With no way to fix the CPUs, the only option is a heavy-handed approach that nullifies the optimization within the OS: KPTI. It was known that KPTI would, in theory, have a real performance cost. The earliest tests on Linux with worst-case scenarios showed performance drops of up to 30%.
Intel denied the performance drops, saying that there would be a negligible impact for home consumers. Initial testing from the web, including that done by Guru3D, TechSpot, and ComputerBase, seems to support this. However, the worry since the beginning was on enterprise workloads, such as virtual machines and databases. Now that the tech giants have all applied their patches, they’ve each issued their own statements on the performance impact.
Apple didn’t say anything about whether its back-end services suffered. Instead, its statement focused on macOS and iOS, which it claimed suffered “no measurable” impact in benchmarks due to the Meltdown patch. Apple has patches for Spectre coming, which it claims have a measured 2.5% performance impact.
Microsoft issued a statement about the maintenance it did for its Azure cloud computing service saying that “the majority of Azure customers should not see a noticeable performance impact.” A caveat was given, though, for customers whose workloads are network heavy. Microsoft recommended turning on Azure Accelerated Networking to mitigate this, but that won’t help those who already had it on. Microsoft didn’t mention which of the vulnerabilities they patched or whether more patches would be coming.
Google said it deployed KPTI to patch Meltdown and its own software method, dubbed Retpoline, to fix one of the two Spectre vulnerabilities. Google said that most of its workloads, including cloud infrastructure, saw a “negligible impact on performance” and warned of the “exaggerated impacts” shown by microbenchmarks.
Amazon, the company many expected would be impacted the most by KPTI, issued a statement focusing on its EC2 virtual-machine compute farm. The company definitively stated that EC2 customers are protected against Meltdown and both Spectre vulnerabilities. We don’t know what makes Amazon’s case different as, according to Google, one of the Spectre vulnerabilities doesn’t have an effective fix. Amazon also said that it had “not observed meaningful performance impact for the overwhelming majority of EC2 workloads.”
It’s still early days for the Meltdown/Spectre issue. Given how hot the topic currently is, it's understandable why the above companies rushed to give statements. Intel has used the statements to downplay the issue even though they admit that the impact of KPTI remains “highly workload-dependent.” We’re sure to hear more on the performance impact in the coming days.