More Meltdown fixes

If you’re on the bleeding edge of DragonFly and already updated for Meltdown fixes, there are a few more commits you’ll want to get.

Matthew Dillon wrote a summary of the current status, noting there’s not much you can do for Spectre beyond new hardware. There is an update to the “defensive browser setup” plan for DragonFly (using --site-per-process) that can help at least with JavaScript versions of Spectre.

Update: step-by-step microcode fixes from Intel if you really want to trash your performance.

Meltdown and Spectre and DragonFly

By now you’ve probably heard of the Meltdown/Spectre attacks.  (background rumors, technical note)  Matthew Dillon’s put together a Meltdown mitigation in DragonFly, done in four commits.

It’s turned off and on by the sysctl machdep.isolated_user_pmap – and defaults to on for Intel CPUs. Buildworld tests show about a 4-5% performance hit, but that measures only one form of activity, so there will surely be other effects.

Note that Spectre is not mitigated by this commit series, and as I understand it, cannot be realistically fixed in software.

Update: Matthew Dillon posted a summary to users@.

Update 2: He told us so.

KVABIO and what it means

Matthew Dillon has added KVABIO, an API for avoiding the need to sync the TLB across all CPUs before continuing.  What’s this mean?  The more CPUs you are dealing with, the longer it takes to make sure all of them have the same cached view of the virtual memory.   There’s a tradeoff – caching that view speeds up memory access, but the time cost of the synchronization can erase those benefits.

This API is now supported for NVMe and swap, HAMMER2, and tmpfs.  Note that those last two links show a huge drop in IPI messaging.  In the real world, this showed about a 5% improvement in performance for CPU-intensive work like complete synth builds.  (Based on IRC conversations.)