Comment # 78 on bug 1112824 from
(In reply to Borislav Petkov from comment #76)
> (In reply to Michiel Janssens from comment #73)
> 
> > Apparently on my Intel system both kernels have different spectre_v2
> > mitigations.
> > Kernel-default is using IBRS, which as you say is more expensive than
> > retpoline, which is used by kernel-vanilla.
> 
> Yes, kernel-default has our SUSE patches which are part of SLE and have
> this additional IBRS enablement which is not upstream and thus vanilla
> doesn't have it.
> 
> IBRS is a heavy hammer and didn't get accepted upstream but we took it.
> Which is going to be replaced by enhanced IBRS which should be lighter
> but it is still being rolled out and I don't know whether older, already
> released machines can even get it through microcode. For details, see:
> 
> https://software.intel.com/sites/default/files/managed/c5/63/336996-
> Speculative-Execution-Side-Channel-Mitigations.pdf
> 
> where all the different mitigation mechanisms are explained.
> 
> Now, it is debatable whether a Skylake class machine which needs IBRS to
> be fully mitigated is even exploitable when only retpolines are enabled.
> It has been said that running a spectre v2 exploit on a machine only
> with retpolines and not IBRS is very very hard to do. Thus, many people
> are unwilling to pay the performance penalty and revert to retpolines.
> IOW, if you boot with spectre_v2=retpoline on kernel-default, you should
> be getting close to vanilla.
> 
> All IMHO, of course.

I build a kernel 4.19.5 without IBRS patches, nothing has changed, although I
do not exclude the possibility that I could do something wrong, or skip.
https://build.opensuse.org/package/show/home:Dead_Mozay:Kernel/kernel-default?expand=0


You are receiving this mail because: