VMware engineers have tested a Linux kernel patch that addresses the Retbleed side-channel problem. The researchers came to the disappointing conclusion that this fix can affect performance, reducing it immediately by 70%.
Let me remind you that we also talked about Linus Torvalds Uses Linux on an Apple MacBook Air with an M2 Processor, and also that P2P Botnet Panchan Attacks Linux Servers.
Retbleed was discovered and described by experts from the ETH Zurich last summer. At the time, the bug was reported to affect Intel processors from 3 to 6 years old, as well as AMD processors from 1 to 11 years old. Experts immediately warned that fixing the bug could have a negative impact on performance.
Let me remind you that Retbleed consists of two vulnerabilities (CVE-2022-29900 for AMD and CVE-2022-29901 for Intel) and belongs to the Specter-BTI class of speculative attacks (variant 2). The name Retbleed refers to the Retpoline security solution, which was developed by Google in 2018 to combat the Meltdown and Specter processor vulnerabilities. It was in the work of the Retpoline protection that fresh problems were found.
As VMware engineers now report in the Linux Kernel mailing list, the Retbleed patches do cause a noticeable performance regression in the Linux 5.19 kernel. The company’s internal tests have shown that running Linux virtual machines with the ESXi hypervisor and Linux kernel version 5.19 results in a performance drop of up to 70% with a single vCPU, a 30% drop in network performance, and up to 13% in storage performance.
If VMware testers disabled patches for Retbleed in the 5.19 kernel, ESXi performance returned to normal levels, as in version 5.18. The tests were conducted on Intel Skylake processors released between 2015 and 2017.
Since speculative computing was generally designed to speed up data processing, it is not surprising that disabling it has a very negative impact on performance. However, a 70% performance drop is simply unacceptable for many business processes and is a big problem.
In fact, if the patches are not improved and revised, users are faced with a clear choice: use the 5.19 kernel and still lose performance, or stay on the previous version and take the possible risks, relying on the fact that the Retbleed problem is not so easy to exploit.