Comment # 73 on bug 1112824 from
(In reply to Borislav Petkov from comment #72)
> (In reply to Nicolás Luciano Bértolo from comment #70)
> > I can confirm that those parameters help a lot. But in my tests I couldn't
> > find a difference between 4.19 and 4.20. 4.20 with mitigations enabled is
> > just as bad as 4.19-default.
> 
> Well, the mitigations do cost and we've tried to make them as
> unpunishing as possible. For example, my workstation with 20-rc5 has:
> 
> /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
> /sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation:
> Speculative Store Bypass disabled via prctl and seccomp
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user
> pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD
> retpoline, IBPB: conditional, STIBP: disabled, RSB filling
> 
> which means that SSB will be enabled only for applications which request
> it (prctl and seccomp), spectre_v2 is mitigated by retpolines (a lot
> cheaper than IBRS) and the indirect branch predictor barrier happens
> when switching between different user processes of which one can be a
> malicious one.
> 
> And this is the default setting.
> 
> The whole idea behind having all those cmdline options was for people
> who don't want to sacrifice performance and would like to disable the
> security mitigations. So the ultimate decision will be with the user.
> 
> In any case, the default case does enable a *sensible* set of the
> mitigations but they are not for free(!) and depend on the workload.
> 
> I hope I'm making sense here.

To me you are making sense, thank you for looking into this.
I have the same result as
https://bugzilla.opensuse.org/show_bug.cgi?id=1112824#c70
However, I also tested kernel-vanilla, from Head and current 4.19.5.
Kernel-vanilla gives a similar or almost similar result to that with mitigations off,
as you mentioned in https://bugzilla.opensuse.org/show_bug.cgi?id=1112824#c66

But in my understanding kernel-vanilla has all default mitigations on, as
running the latest spectre-meltdown-checker says my system is not vulnerable.
So it seems to me there must be a difference in the kernels.

4.19.5-1-vanilla:
/sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline, IBPB, IBRS_FW

4.19.5-1-default:
/sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Indirect Branch Restricted Speculation, IBPB, IBRS_FW

Apparently on my Intel system both kernels have different spectre_v2
mitigations.
Kernel-default is using IBRS, which as you say is more expensive than
retpoline, which is used by kernel-vanilla.
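As an added example (not part of the bug report or of the kernel), a small Python script that reads the sysfs vulnerabilities directory, parses the status lines in the format quoted above, tells retpoline from IBRS for spectre_v2, and diffs two kernels' results. The two embedded dictionaries are constructed sample input taken from the 4.19.5 outputs in this comment.

```python
"""Parse /sys/devices/system/cpu/vulnerabilities/* and classify the spectre_v2 mode."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample input: the two 4.19.5 kernels quoted in the comment.
VANILLA = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "meltdown": "Mitigation: PTI",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
}
DEFAULT = dict(VANILLA,
               spectre_v2="Mitigation: Indirect Branch Restricted Speculation, IBPB, IBRS_FW")


def parse_status(text):
    """Split one sysfs line into (state, details).

    'Mitigation: A; B: x, C' -> ('Mitigation', ['A', 'B: x', 'C']);
    'Not affected' -> ('Not affected', []).
    """
    state, _, rest = text.strip().partition(":")
    details = [d.strip() for d in rest.replace(";", ",").split(",") if d.strip()]
    return state, details


def read_sysfs(directory=SYSFS_DIR):
    """Read every file in the vulnerabilities directory; empty dict if it is absent."""
    return {p.name: p.read_text() for p in directory.iterdir()} if directory.is_dir() else {}


def spectre_v2_mode(status):
    """Return 'retpoline', 'ibrs', 'other', 'not affected' or 'vulnerable'."""
    state, details = parse_status(status)
    if state != "Mitigation":
        return state.lower()
    first = details[0].lower() if details else ""
    if "retpoline" in first:
        return "retpoline"
    if "indirect branch restricted speculation" in first or first.startswith("ibrs"):
        return "ibrs"
    return "other"


def diff_mitigations(a, b):
    """Return {name: (a_value, b_value)} for every vulnerability whose status differs."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    live = read_sysfs() or VANILLA  # fall back to the sample when not on Linux
    for name, status in sorted(live.items()):
        print(f"{name}: {status.strip()}")
    print("spectre_v2 mode:", spectre_v2_mode(live.get("spectre_v2", "Vulnerable")))
    print("vanilla vs default:", diff_mitigations(VANILLA, DEFAULT))
```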

