(In reply to Borislav Petkov from comment #72)
> (In reply to Nicolás Luciano Bértolo from comment #70)
> > I can confirm that those parameters help a lot. But in my tests I couldn't
> > find a difference between 4.19 and 4.20. 4.20 with mitigations enabled is
> > just as bad as 4.19-default.
>
> Well, the mitigations do cost and we've tried to make them as
> unpunishing as possible. For example, my workstation with 20-rc5 has:
>
> /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
> /sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
>
> which means that SSB will be enabled only for applications which request
> it (prctl and seccomp), spectre_v2 is mitigated by retpolines (a lot
> cheaper than IBRS) and the indirect branch predictor barrier happens
> when switching between different user processes of which one can be a
> malicious one.
>
> And this is the default setting.
>
> The whole idea behind having all those cmdline options was for people
> who don't want to sacrifice performance and would like to disable the
> security mitigations. So the ultimate decision will be with the user.
>
> In any case, the default case does enable a *sensible* set of the
> mitigations but they are not for free(!) and depend on the workload.
>
> I hope I'm making sense here.

To me you are making sense, thank you for looking into this.

I have the same result as https://bugzilla.opensuse.org/show_bug.cgi?id=1112824#c70

However, I also tested kernel-vanilla, from Head and current 4.19.5.
Kernel-vanilla gives a similar or almost similar result as with mitigations off, as you mentioned in https://bugzilla.opensuse.org/show_bug.cgi?id=1112824#c66

But in my understanding kernel-vanilla has all default mitigations on, as running the latest spectre-meltdown-checker says my system is not vulnerable. So it seems to me there must be a difference in the kernels.

4.19.5-1-vanilla:
/sys/devices/system/cpu/vulnerabilities/l1tf Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1 Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2 Mitigation: Full generic retpoline, IBPB, IBRS_FW

4.19.5-1-default:
/sys/devices/system/cpu/vulnerabilities/l1tf Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1 Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2 Mitigation: Indirect Branch Restricted Speculation, IBPB, IBRS_FW

Apparently on my Intel system both kernels have different spectre_v2 mitigations. Kernel-default is using IBRS, which as you say is more expensive than retpoline, which is used by kernel-vanilla.
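The comparison above was done by eye across two sysfs dumps. The script below is an added example (editor's code, not from the bug report, the kernel, or SUSE) that does the same thing mechanically: it classifies the spectre_v2 line as retpoline versus IBRS, reports whether SSB is opt-in via prctl/seccomp, and diffs two "name status" listings file by file. The two sample listings are constructed from the 4.19.5 vanilla/default output quoted in the comment; the match strings are the ones visible there plus the kernel's own "Mitigation: Enhanced IBRS" and "Vulnerable: ..." prefixes. read_live produces the same layout from the running kernel so a saved listing can be diffed against it.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any kernel/SUSE tooling.
# Summarise the cost-relevant parts of /sys/devices/system/cpu/vulnerabilities
# and diff two kernels' listings the way the comment does by hand.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_spectre_v2 STATUS
# Reduce a spectre_v2 status line to one word. Order matters: the kernel
# reports a minimal retpoline as "Vulnerable: Minimal ... retpoline", so the
# "Vulnerable" test must come before the retpoline test.
classify_spectre_v2() {
    case "$1" in
        *"Not affected"*) echo not-affected ;;
        Vulnerable*)      echo vulnerable ;;
        *retpoline*)      echo retpoline ;;
        *"Indirect Branch Restricted Speculation"*|*"Enhanced IBRS"*) echo ibrs ;;
        *)                echo unknown ;;
    esac
}

# ssb_opt_in STATUS
# "yes" when Speculative Store Bypass is only disabled for tasks that ask for
# it (prctl/seccomp), i.e. the cheap default; "no" for a global disable or
# for a plain "Vulnerable".
ssb_opt_in() {
    case "$1" in
        *prctl*) echo yes ;;
        *)       echo no ;;
    esac
}

# lookup NAME LISTING
# Print the status of one file from a "name status" listing.
lookup() {
    printf '%s\n' "$2" | while IFS=' ' read -r name rest; do
        if [ "$name" = "$1" ]; then printf '%s\n' "$rest"; fi
    done
}

# diff_listings LISTING_A LISTING_B
# One "name | a | b" line per file whose status differs between A and B.
diff_listings() {
    printf '%s\n' "$1" | while IFS=' ' read -r name a; do
        b=$(lookup "$name" "$2")
        if [ "$a" != "$b" ]; then printf '%s | %s | %s\n' "$name" "$a" "$b"; fi
    done
}

# read_live
# Emit the running kernel's files in the same "name status" layout, so the
# result can be fed to diff_listings against a saved listing.
read_live() {
    for f in "$VULN_DIR"/*; do
        [ -r "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Constructed samples: the two 4.19.5 listings from the comment, one file per line.
VANILLA_4_19_5='l1tf Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
meltdown Mitigation: PTI
spec_store_bypass Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1 Mitigation: __user pointer sanitization
spectre_v2 Mitigation: Full generic retpoline, IBPB, IBRS_FW'

DEFAULT_4_19_5='l1tf Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
meltdown Mitigation: PTI
spec_store_bypass Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1 Mitigation: __user pointer sanitization
spectre_v2 Mitigation: Indirect Branch Restricted Speculation, IBPB, IBRS_FW'

# Demo on the constructed data: the only differing file is spectre_v2,
# retpoline (vanilla) versus IBRS (default).
diff_listings "$VANILLA_4_19_5" "$DEFAULT_4_19_5"
for k in "$VANILLA_4_19_5" "$DEFAULT_4_19_5"; do
    v2=$(lookup spectre_v2 "$k")
    ssb=$(lookup spec_store_bypass "$k")
    echo "spectre_v2: $(classify_spectre_v2 "$v2")  ssb opt-in: $(ssb_opt_in "$ssb")"
done
```

To compare a saved listing against the booted kernel, capture `read_live` into a file at one boot and run `diff_listings "$(cat saved.txt)" "$(read_live)"` after the next; any line it prints is a mitigation that changed between the two kernels or command lines.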