Google engineers and others have been talking about Address Space Isolation (“ASI”) for the Linux kernel as a way to better deal with speculative execution attacks and other CPU vulnerabilities. Last summer there were some new “request for comments” patches working on Linux Address Space Isolation, and today a second iteration of those RFC patches was published. They are now out for review, but they are unlikely to see much use in their current form: in the author's own benchmark, I/O throughput as measured by FIO takes a 70% hit.
Brendan Jackman of Google sent out the Linux ASI v2 RFC patches a few minutes ago as the latest effort for mitigating a variety of CPU vulnerabilities by unmapping sensitive data from the kernel address space. By unmapping as much of the sensitive kernel data as possible, some classes of exploits cannot leak that data, and in turn the kernel can “skip expensive mitigation actions.” But the ASI patches, at least in their current form, can be expensive themselves.
With these v2 RFC patches for Linux ASI, there are now some performance details, where Jackman mentions:
“Although this implementation of ASI is pretty generous in what it considers “nonsensitive”, there remain unnecessary performance costs that need to be addressed. For example:
– The entire page cache is removed from the direct map. Traditional file operations will hit an asi_exit(), paying a pointless cost to protect data from a process that obviously has the right to read that data.
– Anything that accesses guest or user memory via the direct map instead of the user address space will hit an asi_exit().
– Pages being zeroed in the page allocator
Most of these issues existed in v1 too, but now that ASI sandboxes userspace processes, the page-cache issue becomes very significant. For FIO 4k read (I suppose this workload is maximally sensitive to this issue) I saw a 70% degradation in throughput, with a Sapphire Rapids machine hard-coded to perform IBPB and RSB-stuffing on asi_exit().
Given a result like that I haven’t gone into more detailed analysis. Note also that I ran with an unrealistic mitigation policy; results would be much different if run with platform-appropriate flushes, but it would presumably lead to the same conclusion.”
While this is an extreme case, one especially prone to the impact of ASI, a 70% degradation in I/O throughput as measured by the widely-used FIO benchmark is a big deal.
There is also a host of other issues still to resolve around Linux kernel ASI, as well as user-space support, if this is all to pan out. Those wanting to learn more about the Linux Address Space Isolation support can see the RFC v2 patch series for all the details.
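To make the mechanism behind the quoted numbers concrete, here is a small constructed model of how ASI trades protection for asi_exit() cost. It is added example code, not part of the article or of the kernel patches: the kernel runs on a restricted page table that omits “sensitive” data, any access to a page absent from that table forces an asi_exit() to the full page table, and the exit is where the flushes (IBPB and RSB stuffing in Jackman's test) are paid. The per-read and per-exit cycle costs, the page-cache size and the `AsiModel`, `simulate_reads` and `throughput_degradation` names are all assumptions of this model; the only thing it reproduces from the page is the structure of the page-cache problem, namely that a read served through the direct map exits once per read when the page cache is not in the restricted map.

```python
# Constructed toy model of Address Space Isolation (ASI) as the RFC
# describes it. Not the kernel patches: every cost below is an assumed
# number chosen only to show the shape of the trade-off.

PAGE_SIZE = 4096  # size of the 4k reads the FIO workload issues


class AsiModel:
    """Tracks which (modelled) address space the kernel is running on."""

    def __init__(self, nonsensitive_pages, read_cost, exit_cost):
        self.nonsensitive = set(nonsensitive_pages)  # restricted map contents
        self.read_cost = read_cost    # assumed cost of copying one page
        self.exit_cost = exit_cost    # assumed flush cost per asi_exit()
        self.restricted = True        # start on the restricted page table
        self.exits = 0
        self.cycles = 0

    def asi_exit(self):
        """Leave the restricted address space; the flushes are paid here."""
        self.restricted = False
        self.exits += 1
        self.cycles += self.exit_cost

    def asi_enter(self):
        """Go back to the restricted address space (e.g. on the way to
        userspace, so the next syscall starts restricted again)."""
        self.restricted = True

    def kernel_access(self, page):
        """Kernel touches `page` through the direct map. If the page is
        not mapped in the restricted space, an asi_exit() happens first."""
        if self.restricted and page not in self.nonsensitive:
            self.asi_exit()
        self.cycles += self.read_cost


def simulate_reads(pagecache_pages, reads, map_pagecache,
                   read_cost=1000, exit_cost=250):
    """Model a FIO-like stream of 4k reads served from the page cache.

    Each read enters the kernel in restricted mode, copies one cached page
    to the user buffer via the direct map, and returns to userspace.
    With map_pagecache=False the cache is absent from the restricted map
    (the v2 situation the quote describes), so every read pays an exit.
    Returns (asi_exits, total_cycles)."""
    cache = list(range(pagecache_pages))
    model = AsiModel(cache if map_pagecache else [], read_cost, exit_cost)
    for i in range(reads):
        model.asi_enter()                         # syscall entry, restricted
        model.kernel_access(cache[i % len(cache)])  # copy_to_user from cache
    return model.exits, model.cycles


def throughput_degradation(pagecache_pages=64, reads=10_000,
                           read_cost=1000, exit_cost=250):
    """Fraction by which modelled throughput (reads per cycle) drops when
    the page cache is unmapped from the restricted space versus mapped."""
    _, mapped = simulate_reads(pagecache_pages, reads, True,
                               read_cost, exit_cost)
    _, unmapped = simulate_reads(pagecache_pages, reads, False,
                                 read_cost, exit_cost)
    return 1 - (reads / unmapped) / (reads / mapped)


if __name__ == "__main__":
    # The drop depends only on exit cost relative to per-read work, which
    # is why the quote notes that a realistic flush policy changes the
    # number but not the conclusion.
    for cost in (50, 250, 1000):
        print(f"exit cost {cost:5d}: "
              f"{throughput_degradation(exit_cost=cost):.1%} throughput drop")
```

The model makes the quoted point visible: with the page cache mapped, zero exits happen and throughput is the baseline; with it unmapped, the exit count equals the read count, and the degradation is simply exit_cost / (read_cost + exit_cost), independent of how large the cache is.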