On 01/04/2018 02:33 PM, Peter Zijlstra wrote:
> On Thu, Jan 04, 2018 at 09:56:44AM -0800, Tim Chen wrote:
>> Set IBRS upon kernel entrance via syscall and interrupts. Clear it
>> upon exit.
>
> So not only did we add a CR3 write, we're now adding an MSR write to the
> entry/exit paths. Please tell me that these are 'fast' MSRs? Given
> people are already reporting stupid numbers with just the existing
> PTI/CR3, what kind of pain are we going to get from adding this?

This "dynamic IBRS" that does runtime switching will not be on by default and will be patched around by alternatives unless someone explicitly opts in. If you decide you want the additional protection that it provides, you can take the performance hit.

How much is that? We've been saying that these new MSRs are roughly as expensive as the CR3 writes. How expensive are those? Don't take my word for it, a few folks were talking about it today:

Google says[1]: "We see negligible impact on performance."
Amazon says[2]: "We don’t expect meaningful performance impact."

I chopped a few qualifiers out of there, but I think that roughly captures the sentiment.

1. https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
2. http://www.businessinsider.com/google-amazon-performance-hit-meltdown-spectre-fixes-overblown-2018-1