Originally Posted by rage2
The OS patches have 3 fixes, one for Meltdown (KPTI) and 2 for Spectre. KPTI slows down any kernel/user mode switching. One of the Spectre fixes has zero performance impact, and is enabled under all OSes. The second Spectre fix requires a microcode update; without it, it's not addressed. That has the potential to slow down as well. Both Meltdown and the second Spectre fix can be optionally disabled under Linux and Windows.
The official guidance from vendors is to evaluate your environment and see what mitigation steps you need based on your usage. Remember, to perform Meltdown and Spectre, you need to have the ability to run untrusted code on your OS as an attack vector. If you have users able to log in to the box, they can run code to take advantage of this. This limits the exposure to just the OS, so someone would be able to dump memory across the OS. Basically a little worse than privilege escalation, as it dumps memory contents that can contain unencrypted sensitive data. If you are locked down and have zero reasons for anyone to log in and run code, or you trust any user that has the ability to log in to not exploit it, you can get away with disabling the 2 mitigations.
The Hypervisor patch slows things down. It's KPTI to stop data leakage between VMs. There's no turning it off, this is a massively serious issue.
So depending on how much you trust your users and applications on your VMs, you can get away with just the Hypervisor patch, and walk away with a negligible performance hit that you probably won't even notice.
Hope that helps.
edit - as a side note, we have noticed zero performance impact on AWS. They were patching hosts to stop cross VM leakage starting in November, we were completely on patched hosts by mid-December based on our logs. Comparing metrics in the last 6 months, it's been flat.
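Before deciding whether to keep or disable the OS-level mitigations the post describes, it helps to see what the kernel itself reports. The following POSIX shell script is an added example, not code from the post or its author: it reads the per-issue status files that Linux exposes under /sys/devices/system/cpu/vulnerabilities (present since kernel 4.15), classifies each one as mitigated, vulnerable or not affected, and counts the vulnerable entries. The sample directory it builds for offline use contains constructed status lines, not output captured from any real machine; the file names and the "Mitigation:" / "Vulnerable" / "Not affected" prefixes follow the kernel's documented format.

```shell
#!/bin/sh
# Added example (not from the original post): summarize the Linux kernel's
# own Meltdown/Spectre mitigation status from the sysfs vulnerabilities
# directory. Each file there holds one status line, e.g. "Mitigation: PTI"
# for Meltdown (KPTI) or "Vulnerable" when a mitigation is absent or disabled.

# classify_status STATUS_LINE -> prints: mitigated | vulnerable | not-affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> one tab-separated line per file: name, class, raw status
report_dir() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# count_vulnerable DIR -> number of entries the kernel reports as vulnerable
count_vulnerable() {
    report_dir "$1" | awk -F'\t' '$2 == "vulnerable"' | wc -l | tr -d ' '
}

# make_sample_dir -> builds a constructed sample directory (NOT real sysfs
# output from any machine) so the functions can be exercised offline;
# prints its path. spectre_v2 is deliberately left "Vulnerable" to mirror the
# post's case of the second Spectre fix with no microcode update applied.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'                         > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n'                              > "$d/spectre_v2"
    printf 'Not affected\n'                            > "$d/l1tf"
    echo "$d"
}

# Stand-alone run: use the live sysfs directory when present, else the sample.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report_dir /sys/devices/system/cpu/vulnerabilities
else
    echo "no sysfs vulnerabilities directory here; showing the constructed sample" >&2
    report_dir "$(make_sample_dir)"
fi
```

On a real host the report reflects whatever boot parameters (for example `pti=off` or `nospectre_v2`) and microcode are in effect, so running it after changing either is the quickest way to confirm the kernel actually took the setting you intended rather than assuming it from the package version.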