Linux Address Space Isolation Revived After Lowering 70% Performance Hit to 13%
9 months ago
- #Linux
- #Performance
- #Security
- Google engineers have revived Linux Address Space Isolation (ASI) after cutting its worst measured performance overhead from roughly 70% to 13%.
- ASI was originally proposed as a mitigation for CPU speculative-execution attacks: sensitive kernel and host memory is left unmapped while untrusted code (a KVM guest or a userspace process) runs, so a speculative leak has nothing to read. Earlier attempts stalled because the extra address-space switching imposed a high I/O performance overhead.
- The latest ASI prototype is intended to raise confidence that ASI is viable as a broad mitigation for a whole class of CPU vulnerabilities rather than a per-bug fix.
- The current implementation shows a 13% regression on FIO random reads and a 6-7% increase in kernel compile times.
- Google's production deployment currently enables ASI only for KVM workloads, not for bare-metal (native userspace) processes.
- The remaining overhead is attributed to unnecessary ASI exits (switches back to the full kernel address space) on context switches, to zeroing of sensitive pages, and to copy-on-write handling of user pages.
- The Linux kernel community is now evaluating whether these improvements justify merging ASI upstream.