Google says CPU patches cause ‘negligible impact on performance’ with new technique


Google just gave chipmakers some much needed good news. In a post on the company’s Online Security Blog, two Google engineers described a novel chip-level patch that has been deployed across the company’s entire infrastructure, resulting in only minor declines in performance in most cases. The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique. If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted.

“There has been speculation that the deployment of KPTI causes significant performance slowdowns,” the post reads, referring to the company’s “Kernel Page Table Isolation” technique. “Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”

The news is particularly significant for Google Cloud, as some see cloud services as uniquely vulnerable to the new processor issues. According to the post, Retpoline has already been deployed to the system with no significant impact on speeds.

“Of course, Google recommends thorough testing in your environment before deployment,” the post continues. “We cannot guarantee any particular performance or operational impact.”

That assessment is consistent with early reports from Intel, which had said slowdowns would be “highly workload-dependent and, for the average computer user, should not be significant.” Those claims were met with skepticism, with many seeing them as an effort by Intel to downplay the impact of the newly public vulnerabilities. At the same time, some early benchmarks saw slowdowns as high as 17 percent.

More recently, Intel announced it had deployed patches that would render chips immune to the new attacks, and restated that the performance impact was not significant. It’s difficult to confirm Google and Intel’s claims until the patches are deployed, but it’s significant that Google has joined the chipmaker in reporting minimal slowdowns.

Notably, the new technique only applies to one of the three variants involved in the new attacks. However, it’s the variant that is arguably the most difficult to address. The other two vulnerabilities — “bounds check bypass” and “rogue data cache load” — would be addressed at the program and operating system level, respectively, and are unlikely to result in the same system-wide slowdowns.