L1TF: Disabling EPT / performance-impact

L1TF: Disabling EPT / performance-impact

[Rainer Fiebig]

Hi!

According to 1), disabling EPT offers the same maximum protection against L1TF as disabling SMT but
has a severe performance impact.

FWIW: With EPT disabled (2)), I can *not* confirm any performance-degradation for the VirtualBox
Windows- or Linux-VMs that I use. Those VMs are for desktop-use, though.

So to me it seems that the performance impact depends on the use case and in a desktop-setting
disabling EPT may offer a simple max-protection-option with the advantage of still enabled
hyperthreading.

I have tried this with 4.18.1 and 4.14.63.

Rainer Fiebig

***

1) https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html#mitigation-selection-guide

2) kvm-intel.ept=0

> tail /sys/devices/system/cpu/vulnerabilities/*
==> /sys/devices/system/cpu/vulnerabilities/l1tf <==
Mitigation: PTE Inversion; VMX: EPT disabled

==> /sys/devices/system/cpu/vulnerabilities/meltdown <==
Mitigation: PTI

==> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass <==
Mitigation: Speculative Store Bypass disabled via prctl and seccomp

==> /sys/devices/system/cpu/vulnerabilities/spectre_v1 <==
Mitigation: __user pointer sanitization

==> /sys/devices/system/cpu/vulnerabilities/spectre_v2 <==
Mitigation: Full generic retpoline, IBPB, IBRS_FW

Re: L1TF: Disabling EPT / performance-impact

[Greg KH]

On Thu, Aug 16, 2018 at 01:41:26PM +0200, Rainer Fiebig wrote:
> Hi!
> 
> According to 1), disabling EPT offers the same maximum protection against L1TF as disabling SMT but
> has a severe performance impact.
> 
> FWIW: With EPT disabled (2)), I can *not* confirm any performance-degradation for the VirtualBox
> Windows- or Linux-VMs that I use. Those VMs are for desktop-use, though.
> 
> So to me it seems that the performance impact depends on the use case and in a desktop-setting
> disabling EPT may offer a simple max-protection-option with the advantage of still enabled
> hyperthreading.
> 
> I have tried this with 4.18.1 and 4.14.63.

Why are you sending this to the stable@ list?  There's nothing we can do
here, sorry.

greg k-h

Re: L1TF: Disabling EPT / performance-impact

[Rainer Fiebig]

Greg KH schrieb:
> On Thu, Aug 16, 2018 at 01:41:26PM +0200, Rainer Fiebig wrote:
>> Hi!
>>
>> According to 1), disabling EPT offers the same maximum protection against L1TF as disabling SMT but
>> has a severe performance impact.
>>
>> FWIW: With EPT disabled (2)), I can *not* confirm any performance-degradation for the VirtualBox
>> Windows- or Linux-VMs that I use. Those VMs are for desktop-use, though.
>>
>> So to me it seems that the performance impact depends on the use case and in a desktop-setting
>> disabling EPT may offer a simple max-protection-option with the advantage of still enabled
>> hyperthreading.
>>
>> I have tried this with 4.18.1 and 4.14.63.
> 
> Why are you sending this to the stable@ list?  There's nothing we can do
> here, sorry.
> 
> greg k-h
> 

Sorry, wrong target-group then.
Have a good day!

Rainer Fiebig