On 7 February 2018 at 12:01, Colin Watson <cjwatson@xxxxxxxxxx> wrote: > However, my understanding is that on > pre-Skylake Intel CPUs those techniques are significantly slower than > retpoline. OK so now I have some numbers. TL;DR: mitigating OpenSSH alone within the margin of error, with libcrypto 0.5% - 1% slower. The flags are now in and will be on by default if the compiler supports them. They are from the cipher-speed regression test, chosen because it's cpu bound and doesn't have to wait for anything. The first is OpenSSH and LibreSSL compiled with the mitigations, the second is just OpenSSH. Xeon X3210 @ 2.13GHz, gcc version 7.2.1 20171218 (prerelease) baseline: 31.0748s (+0%) -mfunction-return=thunk -mindirect-branch=thunk -z retpolineplt: 31.2674s (+0.6%) -mfunction-return=thunk-inline -mindirect-branch=thunk-inline -z retpolineplt: 31.2958s (+0.7%) -mfunction-return=thunk -mindirect-branch-register -z retpolineplt: 31.3798s (+1%) Atom C2750 @ 2.40GHz, clang version 6.0.0 (prerelease) baseline: 15.0s -mretpoline -z retpolineplt: 14.9s -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev