
PCID is now a critical performance/security feature on x86 - pedro84
http://archive.is/ma8Iw
======
brendangregg
+1 yes, pcid makes a big improvement (I've been testing the KPTI patches with
and without pcid).

------
snaky
> I did manage to pull out an old Lenovo ThinkPad W510 with an Intel Core i7
> 720QM Clarksfield that is from 2009 and lacks PCID but is affected by this
> cpu_insecure issue.

> On that old Clarksfield-era ThinkPad I wasn't going to be surprised if the
> performance was disastrous, but it wound up being better than I had
> anticipated given all the ongoing drama... In general purpose workloads
> there was no reportable performance difference in our frequent benchmark
> test cases. Under I/O, the PTI-using kernel did yield some slower results
> but not by the margins seen on the newer systems with faster storage. The
> laptop consumer-grade HDD in this laptop appeared to be the main bottleneck
> and kernel inefficiencies weren't causing as dramatic slowdowns.

> To some surprise, when carrying out network benchmarks with netperf/iperf3,
> in at least those contexts PTI didn't have a noticeable impact on the
> network throughput performance.

[https://www.phoronix.com/scan.php?page=article&item=linux-
mo...](https://www.phoronix.com/scan.php?page=article&item=linux-
more-x86pti&num=1)

------
hannob
Can anyone confirm that the way to identify if a linux system has pcid support
is to check /proc/cpuinfo? Or is that merely to identify if the hw supports
it, independent of the kernel support?

I checked two ubuntu servers, one 14.04, the other 16.04, both have it. Which
seems odd given the claim that it's only been added recently to the kernel.

Also I see nothing showing up in dmesg, no config option and no proc interface
on any system.

~~~
ajross
Indeed /proc/cpuinfo is telling you only the capabilities of the hardware,
that's what it's for.

------
MBCook
I saw a post in the last few days that said that most Macintoshes have this
feature and Apple has been using it. Can anyone confirm that?

~~~
raattgift
Yes to the latter, kinda to the former.

In reverse order:

This file goes back several OS versions:

[https://github.com/apple/darwin-
xnu/blob/master/osfmk/x86_64...](https://github.com/apple/darwin-
xnu/blob/master/osfmk/x86_64/pmap_pcid.c)

    
    
       sysctl machdep.cpu.features | grep PCID 
    

(cf. xnu/osfmk/i386/cpuid.[hc], ibid.)

------
the8472
It seems to be a double win for bare metal machines. They always have PCID and
they're less at risk in the first place since they don't share the hardware.

Virtualbox seems to lack PCID too.

~~~
MBCook
The machine may have PCID but that doesn’t mean the OS was using it.

~~~
loeg
Can you name a mainstream OS (for any definition of "mainstream" you like,
really) that doesn't use PCID?

~~~
LinuxBender
Someone please correct me if I am incorrect, but that would be any mainstream
linux not using the 4.14 kernel. Redhat, CentOS, Suse at least. Looks like
CoreOS that is on 4.14 is on a minor release just prior to the PCID patch.

It looks like Ubuntu 18 Bionic Beaver may have it. (4.15) I suppose some folks
use Ubuntu in a datacenter, but more likely the LTS releases and 18 is not
likely in many production datacenters.

Can you confirm that Redhat backported that newer PCID code into the 3.10
kernel branch? If so, people should not be seeing a performance hit on the
KPTI patch.

~~~
loeg
Ah, I didn't realize Linux was so behind in supporting PCID here. Thanks! For
what it's worth, Fedora Linux is on kernel 4.14.11 already.

Curiously enough, FreeBSD has had PCID support since 2013 (r255060). We found
it improved performance in microbenchmarks:

> In the microbenchmarks, using the PCID decreased latency of the context
> switches by ~30% on SandyBridge class desktop CPUs, measured with the
> lat_ctx program from lmbench.

> If available, use INVPCID instruction when a TLB entry in non-current
> address space needs to be invalidated. The instruction is typically
> available on the Haswell.

~~~
LinuxBender
You're welcome! We were trying to unravel that post about PCID as well.

It appears the first PCID code was merged in 4.14.12 so you will probably have
that in the coming days / weeks. CoreOS is also 4.14.11.

For those on LTS releases, we may have to venture into uncharted waters. The
first that came to mind was elrepo.org, as they apply some of the same build
options that Redhat uses against the latest upstream. Their kernel packages
are meant to provide support for newer laptop hardware...

------
tveita
This will be good to keep in mind when looking at performance reports.

The main performance numbers I've seen so far are from two kinds of sources:

1\. Local benchmarks like the Phoronix benchmarks, which I think are all on
physical hardware with PCID.

2\. Reports from cloud customers like
[https://forums.aws.amazon.com/thread.jspa?threadID=269858](https://forums.aws.amazon.com/thread.jspa?threadID=269858)
and
[https://twitter.com/chanian/status/949457156071288833](https://twitter.com/chanian/status/949457156071288833).
These are with a patched host, but with an unpatched guest OS. The best case
scenario here seems to be that it doesn't degrade much further when the guest
OS is patched.

I don't think I've seen any numbers yet for AWS with a patched guest OS - this
would be interesting to see on instances with and without PCID support.

------
bogomipz
I had a question, the author states:

>"The PCID (Processor-Context ID) feature on x86-64 works much like the more
generic ASID (Address Space IDs)"

Is ASID the RISC instruction that accomplishes the same thing that PCID does
on x86 then?

~~~
puzzle
ASID is not an instruction. It's basically an attribute in how MMU tables are
set up. Processes usually get different ASIDs from each other and all their
MMU pages are tagged with it.

~~~
bogomipz
Sorry I didn't mean instruction. It's the RISC equivalent attribute then?

~~~
puzzle
Yes. There is still variety, though. On PowerPC, for example, there is the
concept of segments.

On 32bit systems, the address space is divided into 16 segments of 256MB each.
Each of them has a privileged register that can be setup in different ways
(e.g. half could be per-process, half machine-wide). The 4 bits from the
segment ID eventually map to a 24 bit value (or trigger a protection violation
if e.g. the page is kernel-only), so that the original 32bit address becomes a
32 - 4 + 24 = 52 bit virtual address. The MMU, then will look up the higher
order bits in the address to convert from 52bit virtual addresses to actual
32bit physical addresses. The virtual address space is larger because in
theory you could have processes with completely disjoint addressing (up to 1
million of 4GB each, i.e. 4PB). In the end, you still only have 32 bits to
address memory chips, though. :-)

On 64 bit systems, there are many more segments, 2 __36\. Instead of having
(64 * billion) registers, there is a single register pointing to a hash table
in memory that the CPU will walk through. Addresses are translated from 64-
>80->64 bits in a similar way.

~~~
bogomipz
Thanks, is your explanation all PowePC specific then?

------
dannyw
Can PCID (like HyperThreading, full L3 cache, or extra PCI-e slots in the
latest i7s and i9s) be enabled with an update that blows those (e)fuses.

~~~
monocasa
I don't think it's a feature that's binned off. Intel used to bin off
virtualization support (which PCID is technically part off), but they added
PCID after they stopped binning on virtualization support.

------
earenndil
Desktop link: [https://archive.fo/KkmED](https://archive.fo/KkmED) /
[https://groups.google.com/forum/#!topic/mechanical-
sympathy/...](https://groups.google.com/forum/#!topic/mechanical-
sympathy/L9mHTbeQLNU)

------
Szpadel
I created script for detecting system status against Meltdown issue if anyone
is interested if system is patched:
[https://gist.github.com/Szpadel/003798ac7f4d98bc3583c2a5f306...](https://gist.github.com/Szpadel/003798ac7f4d98bc3583c2a5f3064cb3)

------
KerrickStaley
One thing I still don't understand about all this:

Why is there still a (smaller) performance hit from the KPTI patch when PCID
is used?

~~~
ploxiln
You still have to switch the page tables via the CR3 register. It costs.

And the code around there is more complicated now and has more conditionals
... as they say, it'll be opimized over time, this was the fastest reasonable
solution they could put in there (and it still took some time).

Also keep in mind that the reason PCID wasn't used by Linux until 4.14 is that
the most obvious way of using it incurred more overhead managing the IDs than
it saved by not flushing the TLB between different userland processes. This is
the land of fiddly details where theory and practice collide and theory often
loses in practice.

------
yuhong
One problem is cross-vendor migration, because AMD don't support PCID.

------
jimktrains2
I hate that you can't even view Google groups without an account. It also
requires us to do nothing but show text. To me groups and blogger has always
represented what a terrible web application is.

~~~
dmm
Google only asks you to login if it knows you have an account.

~~~
acdha
The problem is that they completely botched the user experience a decade ago
and since it's yet another orphaned product it's never been improved.

How it should work following a “build your first web app” tutorial:

1\. User opens page

2\. You detect an old login cookie and discretely ask if they want to login

3\. If they do so, you see the previous page with more UI (e.g. subscribe,
reply, etc.)

How it works now:

1\. Users opens page

2\. Instead of looking at the content they wanted to see, the user is
automatically redirected over to a login page with a mandatory full two-factor
check even if you've recently logged in to other Google properties

3\. After completing that process, you're dumped on the groups.google.com
homepage 4\. Since there were a bunch of redirects, you have to know how to
use your browser's history to go back 3-4 pages because simply hitting back
will just redirect you to the homepage again.

------
unitboolean
Many people said that if your processor support PCID, the performance will not
be reduced a lot by the new patches. However, after installing new updates for
windows and for my very new CPU 7600U everything becomes extremely slow. My
laptop is now literally unusable. Even the simplest tasks are very slow.
Before this update I was able to watch youtube videos in 4K, now I'm
struggling even to watch 480p... I will never buy Intel processors again. In
the last few months I only hear lies from Intel regarding Meltdown, Management
Engine and other "holes" in their products. Now I can throw my super expensive
laptop in garbage. Thank you Intel.

~~~
MBCook
Ah, memories of /.

