By now you’ve probably heard of the Meltdown/Spectre attacks. (background rumors, technical note) Matthew Dillon’s put together a Meltdown mitigation in DragonFly, done in four commits.
It’s turned off and on by the sysctl machdep.isolated_user_pmap – and defaults to on for Intel CPUs. Buildworld tests show about a 4-5% performance hit, but that’s only one form of activity, measured, so there will surely be other effects.
Note that Spectre is not mitigated by this commit series, and as I understand it, cannot be realistically fixed in software.
Update: Matthew Dillon posted a summary to users@.
Update 2: He told us so.
Thanks for introducing the sysctl machdep.isolated_user_pmap. I can imagine many cases of a server running 100% trusted code and not wanting to take factor of three slowdown in the system calls mechanism.
For desktop systems, if isolated_user_pmap could be implemented per process, then the trusted part of user land could run full speed and with only the untrusted code, for example web assembly in a browser, experiencing a slowdown from the mitigation.