(In reply to Borislav Petkov from comment #76)
> (In reply to Michiel Janssens from comment #73)
>
> > Apparently on my Intel system both kernels have different spectre_v2
> > mitigations.
> > Kernel-default is using IBRS, which as you say is more expensive than
> > retpoline, which is used by kernel-vanilla.
>
> Yes, kernel-default has our SUSE patches which are part of SLE and have
> this additional IBRS enablement which is not upstream and thus vanilla
> doesn't have it.
>
> IBRS is a heavy hammer and didn't get accepted upstream but we took it.
> Which is going to be replaced by enhanced IBRS which should be lighter
> but it is still being rolled out and I don't know whether older, already
> released machines can even get it through microcode. For details, see:
>
> https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
>
> where all the different mitigation mechanisms are explained.
>
> Now, it is debatable whether a Skylake class machine which needs IBRS to
> be fully mitigated is even exploitable when only retpolines are enabled.
> It has been said that running a spectre v2 exploit on a machine only
> with retpolines and not IBRS is very very hard to do. Thus, many people
> are unwilling to pay the performance penalty and revert to retpolines.
> IOW, if you boot with spectre_v2=retpoline on kernel-default, you should
> be getting close to vanilla.
>
> All IMHO, of course.

I built a 4.19.5 kernel without the IBRS patches; nothing has changed, although I do not exclude the possibility that I did something wrong or skipped something.

https://build.opensuse.org/package/show/home:Dead_Mozay:Kernel/kernel-default?expand=0