Musing #48: Impact of Spectre/Meltdown patch (With Intel's March Microcode Update)


Spectre and Meltdown have been all over the news in the past few days. While the seriousness of the bug cannot be understated, the speculation on the performance impact of the patch, especially on older processors, has been particularly worrisome. Google and Intel have put forth some assurances, but the end result is yet to be seen.

As my desktop is equipped with the generations-old i5-3470, I have to brace for whatever performance degradation comes with the patch. Unfortunately, with ASRock having released the last BIOS update for my motherboard in 2013, one can only hope to receive an official update. For the time being, the only option is to rely on Microsoft's Windows 10 patch which only partially mitigates this issue.

Even then, it offers a first glimpse at the performance that has to be scarified in lieu of security. Intel has stated that the impact will vary based on the task and hence there is no easy way to determine the impact of the patch. I went with Cinebench R15 and CrystalDiskMark to quickly capture the impact on some everyday tasks.

As can be seen in the screenshot below, the performance impact seems to be quite significant with the post-patch score being nearly 7% lower. This is by all means a huge impact and cannot be disregarded.



The CrystalDiskMark benchmarks were a little difficult to decipher. For the most part, it seemed that the impact was negligible. However, the few metrics that stand out are:
  • 4KiB 8T8 write speed is now over 20% lower
  • 4KiB Q32T1 read speed is nearly 25% lower
  • On the flip side, 4KiB Q32T1 write speed is over 10% higher

Intel's statement of covering 90% of processor products introduced within past 5 years by the end of next week gives an indication that an update is imminent. While it would be best to have a BIOS update, it is possible to update the microcode at a software level from the OS which should at least address the issue at hand. However, how much more this would impact the performance, remains to be seen.

(Original article published on Jan 6, 2018)

Update #1 (Jan 7, 2018): I ran the same battery of tests  under the same conditions on my Windows tablet powered by a Core M 5Y10 with a Transcend MTS600 SSD. The Broadwell architecture is two generations newer than my Ivy Bridge 3470 but at the same time, the 5Y10 is quite slower, so the tests should be a bit more interesting.

The post-patch Cinebench score is actually fractionally higher but is the same for all intents and purposes. So, it seems the ultimate CPU performance isn't hampered.

As for the SSD test, the only statistically significant difference can be found in the 4KiB Q32T1 tests, both for read and write. The performance degradation is in the range of 17-34% which is immense. It is consistent with the drop in read speeds for the Samsung 840 Evo with the i5-3470 but the drop in write speeds is simply horrific.


At least the Dell tablet is likely to get a proper BIOS update considering it has been well supported so far, so the post-BIOS update results should be quite interesting.

Update #2 (Jan 14, 2018): Intel released its first microcode update to address the Spectre and Meltdown bugs and it was disappointing to see my Ivy Bridge processor not being included. However, Dell released a BIOS update (A14) for my Dell Venue 7140 with the Core M 5Y10 processor, containing the latest microcode from Intel and I decided to flash it without further ado.

The results were frankly horrific. Immediately after rebooting, the system became immensely sluggish. The start menu failed to respond to my clicks, the icons on the desktop failed to refresh and Dropbox was unable to sync. I had no option then but to risk reverting to the previous BIOS (A13), but not before I ran the benchmarks to validate my experience.

While the Windows 10 patch didn't much impact Cinebench, the BIOS update brought the performance down by over 6%.


However, worse was to follow when I ran CrystalDiskMark. The update has completely obliterated the single-thread read/write speeds for 4KiB block sizes with speeds falling by more than half. This made the tablet unusable more than anything else. For now, I have to stick with only the Windows 10 patch and hope Intel gets its act together further down the line.


Update #3 (Jan 21, 2018): I finally bit the bullet and updated my iPhone 7 to iOS 11.2.2. Curiously, this update addresses the two Spectre variants but not Meltdown. Even then, it is simply a mitigation and not a patch. It seems to be more akin to the update released for Windows (even though it addressed Meltdown and one variant of Spectre) rather than the one by Intel. So, I wasn't expecting the performance to drop substantially. That turned out to be true for the most part with most variances being in the region of 2-3%.

However, we might have not seen the end of it and subsequent updates might have more of an impact. We shall have to wait and see, but for now I leave you with the benchmark results, to be your own judge.

Test11.2.111.2.2Difference
Geekbench CPU Single-Core342134992.3%
Geekbench CPU Multi-Core583359942.8%
Geekbench GPU1299512865-1.0%
Antutu 3D44326452922.2%
Antutu UX4876643700-10.4%
Antutu CPU4423342762-3.3%
Antutu RAM1259712550-0.4%

Update #4 (Mar 18, 2018): In the past week, Intel released microcode updates for Core processors going back to the 2nd generation (Sandy Bridge) which is commendable. With the support for the motherboard being long abandoned, I had no hesitance in flashing the latest microcode from Intel for my i5-3470.

After the horrors of the initial updates released in January, I am glad to announce that Intel has done a very good job this time around. As you can see in the image below, the performance with the latest microcode combined with the latest Windows patch is much better when compared to the scenario earlier this year and is very close to the unpatched performance. As a result, I would recommend everyone to flash the latest microcode without further adieu.

Update #5 (Mar 22, 2018): As an helpful anonymous commenter pointed out, the VMware method of updating the microcode doesn't work as it is loaded too late in to the boot process. I wouldn't have risked modding the BIOS of my H77 Pro4/MVP but thankfully, an helpful soul has already done the needful. To confirm, following is the result of  the Get-SpeculationControlSettings PowerShell script.


Unfortunately, the impact on performance is quite significant when compared to the original unpatched state. However, I guess I have to live with it for now as there is no other alternative and hope Intel has few optimisations lined up that will recover a bit more performance.


Update #6 (Mar 25, 2018): The performance of the 5Y10-powered Dell Venue 11 Pro 7140 has been sluggish since I updated to the latest BIOS (A15) a few days back. I finally got around to benchmarking it along with the recalled BIOS (A14) as well as the unpatched one (A13). The tests were carried out back-to-back under identical conditions, following the same procedure with the only variant being the BIOS. Hence, this is the best comparison yet of the performance impact of the microcode update.

As has been already pointed out in the comments with reference to this article, the Ivy Bridge processor (i5-3470) was especially impacted as it didn't support INVPCID (invalidate PCID). Hence, there was some hope that the Broadwell 5Y10 would fare better. Unfortunately, that doesn't quite seem to be the case. In percentage terms, the impact on the 5Y10 is much worse than i5-3470. Since this is a Y-series processor with a 4.5W TDP, the performance impact is much more visible in daily usage. Guess the time has come for this tablet to don a more sedentary role.



8 comments:

Anonymous said...

Hate to break your bubble on I5-3470, but...do you know the method at http://forum.notebookreview.com/threads/how-to-update-microcode-from-windows.787152/ doesn't work? The microcode is loaded too late in booting stage. As the result, windows kernel protection is not activated if you use VMware CPU Microcode Update Driver.


Oh...don't trust InSpectre result. It is inaccurate. If you use VMware CPU Microcode Update Driver, InSpectre will report microcode or patch is "On" etc, but the fact is....it isn't. Checking via Get-SpeculationControlSettings will prove it.

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Notice the later two reported false status?

BIOS/UEFI--->Boot loader phase--->Kernel--->Session Manager
--->Driver ----> Application
See what I mean? VMWare microcode loader is loaded way too late for windows kernel to detect IBRS and IBPB command MSR (These two only available from Intel latest microcode)

Now, for WIN10 and Sky,Kaby and Coffee case, Microsoft provides microcode update that is ACTUALLY LOADED right before the kernel phase start.

Sa Ma said...

Hey, I really appreciate the bursting of my bubble. Considering ASRock abandoned support for my motherboard in 2013, I have been using the VMWare Microcode update option for a long time. However, I was not following the topic judiciously and was certainly under the assumption that the Windows kernel picks up the latest microcode at boot, rather than it being applied so late in the booting process. Get-SpeculationControlSettings indicates Windows support for the mitigation but it is disabled due to the late load.

Modding the BIOS is too risky so I guess the only option now is to wait for the Windows update to come through. As for my 5Y10, Dell has officially released an updated BIOS and it has crippled that low powered device to a good extent, so now I am not too optimistic about the performance impact on Ivy Bridge.

Anonymous said...

It ain't risky at all with our mainboards having dual BIOS. I successfully modded my I5-3570K Z77-G41 mainboard BIOS with UBU tool as well as for I3-4330 with Asrock B85M

https://i.imgur.com/yxuliTU.png

You can get UBU tool at https://www.win-raid.com/t154f16-Tool-Guide-News-quot-UEFI-BIOS-Updater-quot-UBU.html

Direct link to ubu developer cloud account = https://cloud.mail.ru/public/9SSs/YJbsWyC2V

Get UBU_v1_69_16.7z

Then get patched MMTool 5.02 from here https://forums.mydigitallife.net/threads/bios-tools.529/page-37

Direct link http://www.mediafire.com/file/406suaf0vsb4x17/MMTool+5.02_patched.zip

Now, extract UBU to a folder and put MMTool.exe into that folder.

Next stage, go to Asrock website and download the last BIOS available for your mainboard. Get the "Instant Flash" version and extract it out.

Moving on....run UBU.bat and locate the extracted BIOS. Let the process continue, then 'press any key to continue'......and press 7 to View/Extract/Search/Update. Next, press 1 (Update CPU Microcode Haswell and/or Broadwell). Then enter 24 to select Version 24 Date 21-01-2018 (The version indicated by Intel Microcode Update Guidance March 2018 https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf)

You will get this https://i.imgur.com/O30glcW.png
Press any key to continue.
Press 0 to "exit to main menu"
Press 0 again to "exit"
Press 1 to Rename to mod_xxxxxxxxx.bios

You can find the modded bios inside the ubu folder.
Copy it into your flash drive.

Reboot your windows and enter the bios. Use Asrock instant flash to flash the modded bios.

Don't forget as with any bios update, all bios setting will reset.

Then, check Get-SpeculationControlSettings with powershell and ta-daa ;
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Anonymous said...

Oh, don't forget to 'uninstall' VMware CPU Microcode Update Driver.
Run uninstall.bat to do it. (it is in vmware cpu microcode update driver cpumcupdate2.1 folder)

VMware CPU Microcode Update Driver is pretty much useless.......well....truth hurts.......

I will be back checking around for 1 to 3 days in case you have question on UBU tool.

Anonymous said...

NOTE:

When selecting the microcode version, please refer to Intel microcode update guidance pdf

Sandy bridge = 2D
Ivy bridge = 1F
Haswell = 24

The guide I posted is for Haswell which is why I select 24. The only difference is, you must select Ivy Bridge microcode version which is 1F.

Anonymous said...

I just saw your updated post (weird, it wasn't there when I typed the instruction on bios modding)

The performance impact from microcode update isn't that severe. Probably only 1% or 2%. Rememeber, IBRS and IBPB command MSR available only from microcode update is mandatory to prevent Spectre variant 2.


Let me enlighten you on the actual reason on the severe slowdown.
It is caused by Meltdown fix that hammer down the performance due to dual page table usage. This is where PCID and INVPCID coming into play.
Read more here https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-and-meltdown-patches-will-hurt-performance/

An excerpt from arstechnica on Meltdown section
*As such, Windows will use PCID if the hardware supports INVPCID—that means Haswell or newer. If the hardware doesn't support INVPCID, then Windows won't fall back to using plain PCID; it just won't use the feature at all. In Linux, initial efforts were made to support PCID and INVPCID. The PCID-only changes were then removed due to their complexity and awkwardness.

This makes a difference. In a synthetic benchmark that tests only the cost of switching into the kernel and back again, an unpatched Linux system can switch about 5.2 million times a second. Dual page tables slashes that to 2.2 million a second; dual page tables with PCID gets it back up to 3 million."

This is why your 4kibQ32T1 read performance suffers. Ivy Bridge doesn't have the necessary PCID/INVPCID feature.

As for your 5Y10 (this one should be broadwell, no?)
As long as Win10 is installed on 5Y10 device, windows kernel will activate PCID optimization.......at least it won't slow down that much....

Note: Even if the cpu has PCID/INVPCID, the optimization ONLY AVAILABLE for WIN10. PCID optimization IS NOT AVAILABLE for WIN7.

Ivy/Sandy only has PCID. For the optimization to be enabled by windows kernel, it requires both PCID and INVPCID which is bad news for our Ivy CPU. T_T

Sa Ma said...

Thanks once again for your insights. Having a non-K processor, I had gone with the H77 board which to the best of my knowledge does not have dual BIOS. Hence, modding the BIOS is a very risky proposition, especially as it is impossible for me to get a replacement BIOS chip.

I had read the Ars Technica article back in the day and I was certainly hoping that my Broadwell 5Y10 would fare better. However, the performance as I use it now is much worse than the unpatched state. I am going to do a benchmark using various versions of the microcode under identical conditions, so the numbers should give a better idea.

Anonymous said...

I did heard some H77 board didn't have dual bios feature back in the day. Better don't take the risk flashing the bios. It is hard to get spare part for old board these days.


On the other hand.....Your broadwell result is unexpected indeed. I actually expect a lesser impact from Meltdown mitigation with PCID/INVPCID optimization.

Here an article from Microsoft on how Windows Meltdown Mitigation works which is published on 23 March 2018. Very informative.
https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/

As for Spectre microcode slowdown, I believe I have to correct my initial view. IBRS and IBPB will cause a significant slowdown on storage performance (any type of operation that requires frequent kernel access) especially for pre-Skylake CPU. A test case was posted
http://lists.dragonflybsd.org/pipermail/users/2018-January/335643.html
Then again, we have no idea if Microsoft is using IBRS mode 1 or 2.....hmmm
From microsoft documentation on cve-2017-5715-and-hyper-v-vms , we knows windows kernel is using all three MSRs ; IBRS, STIBP, IBPB. STIBP is rarely or not used by linux kernel at all.

Since Broadwell is technically a shrink of Haswell....not much choice between performance vs security.