MELTDOWN, SPECTRE AND LINUX ON AWS: SECURITY VS PERFORMANCE?

An analysis of some corner-case performance issues with Meltdown patches

The recent announcement of the Meltdown and Spectre attacks against bugs in Intel (and other) CPUs has attracted a rapid response from many vendors. Amazon Web Services' (AWS) response shows that they've already patched and protected their infrastructure, but you still have work to do. AWS' Shared Responsibility Model means that you are responsible for patching the operating system running on your EC2 instances, and this is where things get … complicated.

If you want the TL;DR from all this, here are a few general rules to follow:

- Run your EC2 instances using the most recent AMI that you can which uses the HVM virtualisation mode.
- Patch your operating systems to make sure you have the Meltdown fixes applied.
- Update to more recent EC2 instance families.
- Run the latest Linux kernel you can to ensure you have PCID support.

The bugs, which exist in all Intel CPUs manufactured since about 2013 (codenamed "Haswell" and later), allow malicious processes to steal information that would normally be protected, such as passwords, credit card numbers, and so forth, while that data is being processed by the CPU. This is due to flaws in the CPU itself, and has nothing to do with Windows, Linux, Mac OS X, or any other operating system. The CPU cannot be patched (it's hardware), so we must rely on fixes to the systems that run on top of those CPUs.

There are generally two classes of system which run directly on a CPU: an operating system, like Linux or Windows, or a hypervisor, like VMware ESXi, Xen, or Amazon's KVM-based proprietary hypervisor. If a hypervisor is run on the CPU, it hosts other operating systems (like Linux and Windows).

Applying patches to this first layer can protect against both Spectre and Meltdown attacks, with varying degrees of performance impact. Virtual machines running on top of the hypervisor still need to be patched in order to protect processes running within their operating systems from exploits. These patches will themselves apply potential performance impacts as well. Intel expects that performance impacts of around 6% will be imposed as a result of fixes for the vulnerabilities (see References); independent testing on Linux systems has measured 5-30% performance impacts (depending on the workload); Microsoft estimates performance impacts but is being cagey about actual numbers (see References).

On Linux, patches against Meltdown implement a feature called "Kernel Page Table Isolation" (KPTI), which imposes a performance cost whenever a user-land process executes a system call, transferring control from the application code into the kernel (for example, whenever data needs to be read from or written to a disk, or whenever network communication happens). These performance impacts depend on exactly what kind of work an application does, based on how often these system calls need to be executed, but in general the performance penalty should be restricted to that application and not affect other processes on the same system.

Intel CPUs since 2010 (codename "Westmere") have supported a feature called PCID (process context ID) which, for the past 7 years, has been fairly boring and unsupported by Linux kernels, because it didn't really do anything much for performance or security. Starting with kernel 4.14, it's been supported, though more for completeness as a minor capability improvement than as a critical feature. It turns out that PCID is important in alleviating some of the performance impacts of the KPTI patches, and in preventing one application from killing system performance for all other applications.

You see, the kernel maintains a Translation Lookaside Buffer (TLB), which is kind of like an index for the mappings between kernel and userland memory pages. When a system call crosses that userland/kernel boundary, kernels running on processors without PCID support must throw away the TLB and start again, increasing the amount of time it takes to execute frequent operations.

But just because all modern CPUs and Linux kernels support this feature doesn't mean that you can use it on AWS.

HVM, PV, AND INSTANCE FAMILIES, OH MY!

AWS' original EC2 instances all ran on top of a hypervisor which provided paravirtualised ("PV") interfaces to the guest operating systems, which hide some of the features of the underlying CPU, including the PCID capability.
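To make the KPTI/PCID discussion above checkable on a running instance, here is an added shell example (not code from the original post) that reads the pcid CPU flag, the kernel version and the kernel's Meltdown status file and reports whether KPTI is on with or without PCID. It assumes the sysfs path /sys/devices/system/cpu/vulnerabilities/meltdown and its "Mitigation: PTI" wording as used by patched kernels; the 4.14 threshold is the post's own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a Linux EC2 guest for
# Meltdown (KPTI) mitigation status, a kernel new enough for PCID (4.14+ per
# the post), and whether the CPU actually exposes the pcid flag to the guest.
# Inputs are passed as text so the checks also run against constructed samples.

# $1: text of /proc/cpuinfo. True if the first "flags" line lists pcid.
# On a PV guest the hypervisor hides it even on a Westmere-or-later CPU.
cpu_exposes_pcid() {
    printf '%s\n' "$1" | grep -m1 '^flags' | tr ' ' '\n' | grep -qx 'pcid'
}

# $1: "uname -r" style version string. True if the kernel is 4.14 or newer.
kernel_at_least_4_14() {
    major=${1%%.*}
    minor=$(printf '%s' "${1#*.}" | sed 's/^\([0-9]*\).*/\1/')
    [ "$major" -gt 4 ] 2>/dev/null || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; }
}

# $1: text of /sys/devices/system/cpu/vulnerabilities/meltdown (present on
# patched kernels). Prints a one-word verdict.
meltdown_verdict() {
    case "$1" in
        "Mitigation: PTI"*) echo "mitigated" ;;
        "Not affected"*)    echo "not-affected" ;;
        "Vulnerable"*)      echo "vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

# $1 cpuinfo text, $2 kernel version, $3 meltdown sysfs text.
# KPTI enabled without PCID means a TLB flush on every syscall: the slow case.
assess() {
    verdict=$(meltdown_verdict "$3")
    if [ "$verdict" = "mitigated" ] && cpu_exposes_pcid "$1" && kernel_at_least_4_14 "$2"; then
        echo "mitigated-with-pcid"
    elif [ "$verdict" = "mitigated" ]; then
        echo "mitigated-without-pcid"
    else
        echo "$verdict"
    fi
}

# Live run on the current host; the files only exist on a Linux guest.
if [ -r /proc/cpuinfo ]; then
    m=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || echo unknown)
    assess "$(cat /proc/cpuinfo)" "$(uname -r)" "$m"
fi
```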