* Nadav Amit <[email protected]> wrote:
> > Also, what's the end goal here? Run old 32-bit binaries better? You
> > want to weaken the security of the whole implementation to do that?
> > Sounds like a bad tradeoff to me.
>
> As Willy noted in this thread, I think that some users may be interested in
> running 32-bit Apache/Nginx/Redis to get the performance back without
> sacrificing security.
Note that it is a flawed assumption to think that this is possible, as they
might
in many cases not be getting their performance back: 32-bit binaries for the
same
general CPU bound computation can easily be 5% slower than 64-bit binaries (as
long as the larger cache footprint of 64-bit data doesn't fall out of key
caches),
but can be up to 30% slower for certain computations.
In fact, depending on how kernel heavy the web workload is (for example how
much
CGI processing versus IO it does, etc.), a 32-bit binary could be distinctly
_slower_ than even a PTI-enabled 64-bit binary.
So we are trading a 5-15% slowdown (PTI) for another 5-15% slowdown, plus we are
losing the soft-SMEP feature on older CPUs that PTI enables, which is a pretty
powerful mitigation technique.
Yes, I suspect in some (maybe many) cases it would be a speedup, but I really
don't like the underlying assumptions and tradeoffs here. (Not that I like any
of
this whole Meltdown debacle TBH.)
Thanks,
Ingo
