add Spectre variant 2 mitigations

Darren Tucker dtucker at dtucker.net
Sun Feb 11 09:39:01 AEDT 2018


On 7 February 2018 at 12:01, Colin Watson <cjwatson at debian.org> wrote:
> However, my understanding is that on
> pre-Skylake Intel CPUs those techniques are significantly slower than
> retpoline.

OK so now I have some numbers.  TL;DR: mitigating OpenSSH alone within
the margin of error, with libcrypto 0.5% - 1% slower.  The flags are
now in and will be on by default if the compiler supports them.

They are from the cipher-speed regression test, chosen because it's
cpu bound and doesn't have to wait for anything.  The first is OpenSSH
and LibreSSL compiled with the mitigations, the second is just
OpenSSH.

Xeon X3210 @ 2.13GHz, gcc version 7.2.1 20171218 (prerelease)
baseline: 31.0748s (+0%)
-mfunction-return=thunk -mindirect-branch=thunk -z retpolineplt:
31.2674s (+0.6%)
-mfunction-return=thunk-inline -mindirect-branch=thunk-inline -z
retpolineplt:  31.2958s (+0.7%)
-mfunction-return=thunk -mindirect-branch-register -z retpolineplt:
31.3798s (+1%)

Atom C2750  @ 2.40GHz, clang version 6.0.0 (prerelease)
baseline:  15.0s
-mretpoline -z retpolineplt: 14.9s

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



More information about the openssh-unix-dev mailing list