http://bugzilla.opensuse.org/show_bug.cgi?id=1112824 http://bugzilla.opensuse.org/show_bug.cgi?id=1112824#c78 --- Comment #78 from Dead Mozay <windowskaput@gmail.com> --- (In reply to Borislav Petkov from comment #76)
(In reply to Michiel Janssens from comment #73)
Apparently on my Intel system both kernels have different spectre_v2 mitigations. Kernel-default is using IBRS, which as you say is more expensive than retpoline, which is used by kernel-vanilla.
Yes, kernel-default has our SUSE patches which are part of SLE and have this additional IBRS enablement which is not upstream and thus vanilla doesn't have it.
IBRS is a heavy hammer and didn't get accepted upstream but we took it. Which is going to be replaced by enhanced IBRS which should be lighter but it is still being rolled out and I don't know whether older, already released machines can even get it through microcode. For details, see:
https://software.intel.com/sites/default/files/managed/c5/63/336996- Speculative-Execution-Side-Channel-Mitigations.pdf
where all the different mitigation mechanisms are explained.
Now, it is debatable whether a Skylake class machine which needs IBRS to be fully mitigated is even exploitable when only retpolines are enabled. It has been said that running a spectre v2 exploit on a machine only with retpolines and not IBRS is very very hard to do. Thus, many people are unwilling to pay the performance penalty and revert to retpolines. IOW, if you boot with spectre_v2=retpoline on kernel-default, you should be getting close to vanilla.
All IMHO, of course.
I build a kernel 4.19.5 without IBRS patches, nothing has changed, although I do not exclude the possibility that I could do something wrong, or skip. https://build.opensuse.org/package/show/home:Dead_Mozay:Kernel/kernel-defaul... -- You are receiving this mail because: You are on the CC list for the bug.