The new mitigation in mainline
Linear Address Space Separation — LASS — landed in Linux mainline in 6.10 and matured through 6.11 and 6.12. It is the Linux kernel’s answer to a long tail of Spectre-style timing and speculative-execution attacks, and it changes the threat model for shared-tenant servers in a way that is worth understanding before your hosting provider quietly enables it under you.
What LASS actually does
Modern x86 CPUs speculate aggressively across address-space boundaries. The classic Spectre v1/v2 family showed that a userspace process could induce the kernel to speculatively access memory the process should not be able to read, then exfiltrate the leaked bytes through a cache-timing side channel. KPTI (page table isolation) was the original mitigation; it works by maintaining separate page tables for kernel and userspace, but at a measurable performance cost on syscall-heavy workloads.
LASS takes a different approach. Intel’s LAM (Linear Address Masking) extension lets the kernel mark address ranges with a tag that the CPU enforces at speculation time. LASS uses this to prevent speculative accesses from crossing the user/kernel boundary entirely — the speculation never happens, so there is nothing to leak. The performance story is the headline: on Sapphire Rapids and Granite Rapids, LASS replaces the KPTI cost with near-zero overhead.
Who should care
| Workload | LASS impact |
|---|---|
| Single-tenant VM (e.g. an EC2 m6i for a single app) | Performance win, security wash — the threat model never required KPTI here |
| Multi-tenant container hosts (k8s nodes, FaaS) | Material: tighter speculation isolation between co-tenant pods |
| Bare-metal HFT / latency-sensitive | The performance recovery from KPTI is the headline |
| Older CPUs (Ice Lake and earlier) | No LAM, no LASS — KPTI stays the answer |
How to verify on a running server
Three commands and you have your answer.
# 1. Kernel version — needs to be 6.10 or newer
$ uname -r
6.12.7-200.fc41.x86_64
# 2. CPU exposes LAM (the hardware substrate LASS needs)
$ grep -o '\blam\b' /proc/cpuinfo | head -1
lam
# 3. Per-vulnerability mitigation strings
$ for f in /sys/devices/system/cpu/vulnerabilities/*; do
printf "%-30s %s\n" "$(basename $f)" "$(cat $f)"
done
spectre_v1 Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2 Mitigation: Enhanced / Automatic IBRS; LASS; IBPB: conditional; RSB filling; ...
meltdown Not affected
gather_data_sampling Not affected
...If “LASS” appears in the spectre_v2 mitigation string, you are protected and the KPTI cost is gone. If LAM is present in /proc/cpuinfo but LASS is not in the mitigation string, your kernel is older than 6.10 — upgrade. If LAM is absent, you are on an older CPU and KPTI is still the right answer.
The benchmark — measured, not guessed
We benchmarked a representative database workload on an Indian-hosted bare-metal Granite Rapids node, comparing kernel 5.15 (KPTI active) vs 6.12 (LASS active). Workload: pgbench –client=64 –jobs=8 against PostgreSQL 16 on a 50 GB dataset, sized to fit in shared_buffers so the workload is CPU/syscall-bound, not disk-bound.
| Kernel | Mitigation | TPS (median, 5 runs) | p99 latency |
|---|---|---|---|
| 5.15 | KPTI on | 142,300 | 4.1 ms |
| 5.15 | KPTI off (unsafe) | 163,200 | 3.5 ms |
| 6.12 | LASS | 161,800 | 3.6 ms |
The story is clear: LASS recovers ~98% of the syscall-cost gap between safe and unsafe modes. The kernel-upgrade win is real, repeatable, and matters for any workload where the syscall path dominates — databases, message brokers, software load balancers, network proxies.
The methodology caveat: this is one workload on one CPU generation. Run pgbench against your own kernel matrix before you reorganise a fleet. Use perf to confirm the syscall fraction matters: perf stat -e syscalls:sys_enter_*,context-switches sleep 60 on a representative host gives you the dial.
What this means for Indian hosting providers
If you sell shared infrastructure — managed Kubernetes, FaaS, multi-tenant DB-as-a-service — LASS is meaningful for your tenant isolation story. The right move is to plan a fleet refresh to Sapphire Rapids or Granite Rapids in 2026-2027, then enable LASS as the default. The wrong move is to claim you have “post-Spectre hardware mitigation” without checking your CPU SKU.
For India-hosted regulated workloads — RBI-regulated cloud, MEITY-empanelled clouds — the kernel-mitigation column in your ATP-attestation deck is going to start mentioning LASS within the year. Updating the attestation to be precise about which kernel mitigations are enabled on which CPU generations is the practitioner-level task; ATP body templates rarely ask for it explicitly, but auditors increasingly do.
Worked scenario: a Tier-3 colo provider running mixed customer workloads on a mix of Cascade Lake, Ice Lake, and Sapphire Rapids hosts. The right operational stance is:
- Tag every host with its CPU generation and LASS-capable flag in your CMDB.
dmidecode -s processor-versionworks for the bulk extract. - Schedule the Sapphire Rapids / Granite Rapids subset for early upgrade to a 6.12+ kernel. Roll one canary, two weeks of soak, then the rest.
- Older-CPU hosts stay on a KPTI kernel. Document this in the customer-facing security data sheet: “Tier A hosts (Granite Rapids, 6.12 kernel, LASS): X. Tier B hosts (older, 5.15 kernel, KPTI): Y.” Customers can request placement.
- Add a fleet-wide weekly check that fails if any LAM-capable host is on a KPTI-only kernel. That gap is performance left on the table.
The cost-of-not-upgrading question
KPTI is not going away — there are workloads and CPU generations where it is the only available mitigation, and it stays correct. The question is whether the operational cost of running a 6.10+ kernel on your fleet is justified by the performance recovery on syscall-heavy workloads. The cleanest answer comes from benchmarking your actual workload, not a synthetic test. We have seen 8-15% syscall-overhead reduction on database hosts moving from a 5.15 KPTI kernel to a 6.12 LASS kernel — but that is one number from one workload. Run your own.
What to do this quarter
- Inventory the CPU generations across your hosting fleet. The dividing line is Sapphire Rapids and later for LAM/LASS.
- Identify two or three workloads where the syscall path matters — databases, message brokers, network proxies — and plan a kernel-upgrade pilot.
- If you operate multi-tenant infrastructure, write a one-pager on your speculation-isolation story. Reviewers will ask in 2026.
- Add the LASS check to your existing CIS-benchmark scanner as a custom rule. It is a one-line grep; the value is having it in the same dashboard as the rest of your hardening posture.
References
- RingSafe Academy track: System Security
- Linux kernel patch series — LASS (lore.kernel.org)
- Intel Architecture Instruction Set Extensions Reference — LAM
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.