A Look At The Big Impact To AES-XTS Encryption Performance From Spectre Retpolines


With it lately being noticed that the Linux AES-NI XTS performance regressed huge time from the return trampolines “Retpolines” enacted simply about three years previously as a defense in opposition to Spectre, listed below are some benchmarks taking a discover on the performance fee enthusiastic to on the present time the exercise of Retpolines and the influence on the XTS encryption/decryption performance measured by cryptsetup that is used for constructing encrypted disks below Linux.

While patches are on the manner for improving the AES-NI kernel code so the Retpoline performance hit is addressed, here is a discover on the fresh performance penalty enthusiastic given that we hadn’t regarded at it previously nor apparently had kernel developers up except lately.

For the snappy checks this day I used loads of diversified Ubuntu systems and regarded on the performance reported by cryptsetup when running out-of-the-box/default (all linked mitigations in web grunt for every machine) and then when booting the kernel originate with mitigations=off for flee-time disabling of Retpolines (and the other CPU safety mitigations).

First up was a discover a the Core i7 8565U internal a Dell XPS laptop:

The AES-XTS performance in particular has been carefully hit from the default Retpolines conduct… Fortunately, AES-NI kernel driver enhancements must workaround that conduct shifting ahead. Or for these on more moderen Intel CPUs where Retpolines are now not essential by default the performance is greater as shown here with Tiger Lake:

For these with fresh Intel Tiger Lake systems as measured by a Core i7 1165G7, there might perhaps be now not always if truth be told a measurable performance hit. It be the older Intel CPUs desiring the pudgy Retpoline implementation for Spectre V2 while Tiger Lake, Comet Lake, and other more moderen generations enact now not exhaust Retpolines but make exercise of IBRS IBPB conditional RSB filling. Or here is yet every other locate at a Core i7 8550U relying on Retpolines and its influence:

It be factual now not Intel although relying on Retpolines with older CPUs, but AMD serene makes exercise of Retpolines. Right here is the locate on the performance with mitigations on/off the exercise of a Ryzen 5 4500U:

Or even with the fresh AMD Ryzen 9 5950X it’s miles serene relying on a pudgy Retpolines implementation as phase of its Spectre V2 safeguards:

Thus or now not it’s rather magnificent the AES-NI XTS performance regression below Retpolines took see you later to be spotted… Fortunately, there are patches pending to enhance the issue that can confidently be landing in the shut to future for serving to these making exercise of pudgy-disk encryption and other AES-NI XTS users.

0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x