api, 6 days ago:
That's still really massive. It would only make sense in very high security environments. Honestly, running system services in VMs would be cheaper and just as good, or an OS like Qubes. The VM hit is much smaller, less than 1% in some cases on newer hardware.
gpapilion, 6 days ago (parent):
It makes sense in any environment where you have two workloads from two parties sharing compute, such as public clouds. The protection here is to ensure the VMs are isolated. Without doing this there is the potential to leak data via speculative execution across guests.
eptcyka, 6 days ago (parent):
VMs suffer from memory use overhead. It would be cool if the guest kernel would cooperate with the host on that.
russdill, 6 days ago (parent):
Look at it this way: any time a new side-channel attack comes out, the situation changes. Having this as a mitigation that can be turned on is helpful.
riedel, 6 days ago (parent):
From reading the article, that is exactly the feeling of the people involved as well. The question is whether they are on track towards, e.g., the 1% eventually.
bjackman, 5 days ago (parent):
The next steps should make this much faster. Google's internal version generally gives us a sub-1% hit on everything we measure. If the community is up for merging this (which is a genuine question; the complexity hit is significant), I expect it to become the default everywhere, and for most people it should be a performance win vs. the current default. But, yes, it's not there right now, which is annoying. I'm hoping the community is willing to start merging this anyway, trusting that we can get it to be really fast later. But they might say "no, we need a full prototype that's super fast right now", which would be fair.