[Sorry for replying a little late] On Mon, 2019-04-15 at 13:41 -0700, PGNet Dev wrote:
> SUSE also enables "IBPB" by default. Is that (still) correct?
>
> Which I'd like to NOT take the purported ~20% performance hit for, and believe I've correctly (?) DISabled by adding:
>
>     spectre_v2=retpoline,generic
>
> to my grub config's kernel command line.
I think you're talking about IBRS. I mean, we do enable IBPB, but that's what pretty much everyone does, I think.

In fact, on openSUSE kernel-default, Spectre-v2 is mitigated like this (on post-SkyLake hardware):

    Mitigation: Indirect Branch Restricted Speculation, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

with kernel-vanilla, like this:

    Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

The impact, as said, varies, and it may not be *always* 20%. But yes, it's non-negligible, for most workloads.
> Also, I *did* see a KVM host-side change (namely, an upgrade to a fully patched host) that switched the reporting of Variant 3a & 4 vulnerabilities from VULNERABLE ==> NOT VULNERABLE, in the guest.
>
> Which I believe is expected.
Yes, makes sense.

Regards
-- 
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
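The two status lines quoted in the thread are what the kernel exposes in /sys/devices/system/cpu/vulnerabilities/spectre_v2, and the question of "did my spectre_v2=retpoline,generic actually take effect" is answered by comparing that file with /proc/cmdline. The following script is an added example, not part of the mail thread and not SUSE code: it classifies a status line into its mitigation family (IBRS versus retpoline), pulls the spectre_v2= option out of a kernel command line, and reports whether the two agree. The sysfs path and the "Mitigation: ..." prefixes are the real kernel strings; the sample command line and the fallback used when sysfs is not readable are constructed values.

```shell
#!/bin/sh
# Added example (not from the original thread): check which Spectre v2
# mitigation family a host or guest is actually running, and whether it
# matches what was requested on the kernel command line.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Map one spectre_v2 status line to a short family name:
#   ibrs         "Mitigation: Indirect Branch Restricted Speculation ..."
#   retpoline    any "Mitigation: ... retpoline ..." line
#   eibrs        "Mitigation: Enhanced IBRS ..." (newer CPUs)
#   vulnerable   "Vulnerable ..."
#   not_affected "Not affected"
classify_spectre_v2() {
    case "$1" in
        "Mitigation: Indirect Branch Restricted Speculation"*) echo ibrs ;;
        "Mitigation: "*"retpoline"*)                           echo retpoline ;;
        "Mitigation: Enhanced IBRS"*)                          echo eibrs ;;
        "Vulnerable"*)                                         echo vulnerable ;;
        "Not affected"*)                                       echo not_affected ;;
        *)                                                     echo unknown ;;
    esac
}

# Extract the value of spectre_v2= from a kernel command line, or "default"
# when the parameter is absent (the kernel then auto-selects).
spectre_v2_cmdline_option() {
    for tok in $1; do
        case "$tok" in
            spectre_v2=*) echo "${tok#spectre_v2=}"; return 0 ;;
        esac
    done
    echo default
}

# Compare requested option against running mitigation. Only the retpoline
# request is checked for consistency here; other options just report the family.
check_host() {
    status="$1"
    cmdline="$2"
    family=$(classify_spectre_v2 "$status")
    opt=$(spectre_v2_cmdline_option "$cmdline")
    case "$opt" in
        retpoline*)
            if [ "$family" = retpoline ]; then echo consistent; else echo mismatch; fi ;;
        *)
            echo "$family" ;;
    esac
}

main() {
    if [ -r "$SPECTRE_V2_SYSFS" ] && [ -r /proc/cmdline ]; then
        status=$(cat "$SPECTRE_V2_SYSFS")
        cmdline=$(cat /proc/cmdline)
    else
        # Constructed fallback: the kernel-vanilla line quoted in the thread
        # plus an invented command line requesting the retpoline mitigation.
        status="Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling"
        cmdline="BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 spectre_v2=retpoline,generic"
    fi
    echo "spectre_v2 status : $status"
    echo "mitigation family : $(classify_spectre_v2 "$status")"
    echo "cmdline option    : $(spectre_v2_cmdline_option "$cmdline")"
    echo "consistency       : $(check_host "$status" "$cmdline")"
}

main "$@"
```

On the openSUSE kernel-default build described above, a host booted without spectre_v2= would report family "ibrs"; after adding spectre_v2=retpoline,generic and rebooting, the same check should report "consistent". A "mismatch" after the reboot means the command-line change did not reach the running kernel (wrong grub entry, or a kernel that forces IBRS regardless), which is worth verifying before attributing any performance change to the switch.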