
Small security tweak by Torvalds improves Linux performance


Linux guru and founder Linus Torvalds has implemented a small security tweak in the OS’s source code that boosts performance just a bit more. His efforts increase Linux’s multithreaded performance in particular.

The security tweak implemented by Torvalds, which is designated x86/uaccess: Avoid barrier_nospec() in 64-bit copy_from_user(), concerns how the source code is hardened against the Meltdown and Spectre attacks, which have been known since 2018. The tweak (or patch) is a rewrite of an adjustment made by Red Hat specialist Josh Poimboeuf and is faster than that version. The speed gain is 2.6 percent, to be exact.

Tweak prevents speculative execution

Linus Torvalds’s tweak changes the use of the barrier_nospec() API, which prevents the speculative execution of some machine code. Speculative execution is a modern CPU feature that uses ‘branch prediction’ to predict which code will be needed before it is actually called upon. This way, the code can be run in advance and the results cached. If the prediction is correct, it saves time running the code in question. If not, the results are discarded unused.

Using this functionality potentially creates a security risk and enables attacks. The code by Red Hat’s Josh Poimboeuf defends against that by stopping some of this speculative execution. However, this can lower the performance of the underlying open-source OS and, for example, of servers running on it. And that’s just what Torvalds hates: sub-optimal performance.

Security measure rewritten

Torvalds’ tweak has improved Linux’s multithreaded performance by removing the use of barrier_nospec() in the copy_from_user() function. Instead, he replaced it with a more efficient approach using pointer masking, which avoids blocking speculative execution while still handling invalid addresses securely. This small tweak provides a measurable performance improvement of 2.6 percent during tests, which is pretty decent for multithreaded tasks on Linux.
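To illustrate the pointer-masking idea described above, here is a user-space sketch added for this article; it is not the kernel's code. It assumes the x86-64 convention that kernel addresses have bit 63 set. The names USER_BASE, user_mem, model_translate and model_copy_from_user are hypothetical, and mask_user_address here is a simplified stand-in for the kernel helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a 64-byte "user" region at a made-up user-half address. */
#define USER_BASE 0x0000700000001000ULL
static uint8_t user_mem[64] = "constructed user data";

/* Branchless clamp. addr >> 63 is 0 for user-half addresses and 1 for
 * kernel-half ones, so 0 - bit is either 0 or all ones. OR-ing it in leaves
 * user addresses untouched and turns kernel addresses into all ones, which
 * is never a valid mapping. The result is a data dependency, not a branch. */
static uint64_t mask_user_address(uint64_t addr)
{
    return addr | ((uint64_t)0 - (addr >> 63));
}

/* Toy lookup standing in for the MMU: NULL means "this access would fault". */
static const uint8_t *model_translate(uint64_t addr, size_t n)
{
    if (addr < USER_BASE || addr - USER_BASE > sizeof(user_mem) ||
        n > sizeof(user_mem) - (addr - USER_BASE))
        return NULL;
    return user_mem + (addr - USER_BASE);
}

/* Returns the number of bytes NOT copied, following the kernel convention.
 * The address is masked first, so no "is this a user pointer?" branch
 * exists that could be mispredicted and would need a barrier. */
static size_t model_copy_from_user(void *dst, uint64_t src, size_t n)
{
    const uint8_t *p = model_translate(mask_user_address(src), n);
    if (!p)
        return n;            /* models the fault path: nothing copied */
    memcpy(dst, p, n);
    return 0;
}

int main(void)
{
    uint8_t buf[16] = {0};
    uint64_t k = 0x8000000000000000ULL;   /* constructed kernel-half address */
    printf("masked: %016llx\n", (unsigned long long)mask_user_address(k));
    printf("left uncopied: %zu\n", model_copy_from_user(buf, k, 8));
    return 0;
}
```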

So essentially, Torvalds has found a way to achieve the same security result without compromising performance. This may make a difference in Linux systems that require high performance and robust security, such as web servers. Few people have such a deep understanding of Linux and the x86 CPU architecture that they can squeeze out a performance gain at this level.
