What actions did NTT Com take for the CPU vulnerability (CVE-2017-5715 and CVE-2017-5753 (Spectre))?
NTT Com mitigates the CPU vulnerability of the hypervisor hosts running VMs at the infrastructure level. No performance impact is expected from this change. However, for patches against the CPU vulnerability on the guest OS, Retpoline is expected to have less performance impact than IBRS, which restricts indirect branch prediction.
- Service infrastructure (host OS) support (NTT Com implementation)
It has been confirmed that the vulnerability countermeasures on the service infrastructure side have almost no performance impact on Unixbench under the verification conditions below; in terms of throughput, performance was confirmed to have improved. However, the degree of impact depends on the customer's system environment.
[NOTE for applying the patch on the guest OS]
For Red Hat Enterprise Linux 7.3, the patched kernel is kernel-3.10.0-514.44.1.el7.x86_64 or later (https://access.redhat.com/errata/RHSA-2018:0399).
The guest-side mitigation becomes effective when the customer's instance, with its kernel updated, is stopped and launched again after the infrastructure-level mitigation is complete.
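One way to verify the guest-side state this note describes, written here as an added example and not NTT Com's own tooling: it assumes the RHEL kernel version format "X.Y.Z-A.B.C.elN.arch" and the spectre_v2 report strings that a patched RHEL 7 kernel exposes under sysfs.

```shell
# Added example, not NTT Com tooling: on a RHEL 7.3 guest, check that the
# running kernel is at or above the version the page names, and report
# which Spectre v2 mitigation (retpoline or IBRS) the kernel selected.
# Minimum patched kernel for RHEL 7.3 (RHSA-2018:0399), taken from the page.
MIN_KERNEL="3.10.0-514.44.1.el7.x86_64"
# kernel_ge A B: exit 0 when RHEL kernel version A >= B, else 1. Strips the
# ".elN.arch" suffix, then compares numeric fields left to right (missing = 0).
kernel_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/\.el[0-9]+.*$/, "", a); sub(/\.el[0-9]+.*$/, "", b)
        na = split(a, fa, /[.-]/); nb = split(b, fb, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] + 0 : 0
            y = (i <= nb) ? fb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}
# spectre_v2_mode TEXT: classify /sys/devices/system/cpu/vulnerabilities/spectre_v2.
# Assumed forms: "Mitigation: Full retpoline", "Mitigation: IBRS", "Vulnerable".
spectre_v2_mode() {
    case "$1" in
        *[Rr]etpoline*) echo retpoline ;;
        *IBRS*)         echo ibrs ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}
# check_guest: run both checks against the live system and print a verdict.
check_guest() {
    running=$(uname -r)
    if kernel_ge "$running" "$MIN_KERNEL"; then
        echo "kernel $running: at or above $MIN_KERNEL"
    else
        echo "kernel $running: below $MIN_KERNEL, update the kernel"
    fi
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then
        status=$(cat "$f")
        echo "spectre_v2: $status -> $(spectre_v2_mode "$status")"
    else
        echo "spectre_v2: no sysfs report (kernel predates the mitigation)"
    fi
}

check_guest
```

Remember that, as the note says, an updated kernel only takes effect after the instance is stopped and launched again once the infrastructure-level mitigation is complete.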
<Remarks on the Unixbench test results>
- Each case corresponds to one of the following conditions:
  - No patch applied on the guest OS before the platform version upgrade
  - Retpoline patch applied on the guest OS before the platform version upgrade
  - No patch applied on the guest OS after the platform version upgrade
  - Retpoline patch applied on the guest OS after the platform version upgrade
- These results come from running Unixbench on a VM with default settings, created from the official Red Hat Enterprise Linux image.
- None of the above performance test results represents a guaranteed level of performance.
Reference: Announcement about the CPU vulnerability (CVE-2017-5754 (Meltdown) / CVE-2017-5715 and CVE-2017-5753 (Spectre))