[Sorry for replying a little late]

On Mon, 2019-04-15 at 13:41 -0700, PGNet Dev wrote:
> *Suse also enables "IBPB" by default. is that (still) correct?
>
> Which I'd like to NOT take the purported ~20% performance hit for, and
> believe I've correctly (?) DISabled with adding:
>
>   spectre_v2=retpoline,generic
>
> to my grub config's kernel command line
>
I think you're talking about IBRS. I mean, we do enable IBPB, but
that's what pretty much everyone does, I think.

In fact, on openSUSE kernel-default, Spectre-v2 is mitigated like this
(on post-SkyLake hardware):

  Mitigation: Indirect Branch Restricted Speculation, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

with kernel-vanilla, like this:

  Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

The impact, as said, varies, and it may not be *always* 20%. But yes,
it's non-negligible, for most workloads.

> Also, I *did* see a KVM host-side change (namely, an upgrade to a fully
> patched Host) that switched the reporting of Variant 3a & 4
> vulnerabilities from VULNERABLE ==> NOT VULNERABLE, in the guest.
>
> Which I believe is expected.
>
Yes, makes sense.

Regards
-- 
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
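
Added example (not part of the original message, and not SUSE's code): a shell check that tells the two status lines quoted above apart by their first field, since `IBRS_FW` appears in both and a plain grep for "IBRS" would match either. The function names are hypothetical, and the sysfs path is the standard Linux location for this status, which the message itself does not name.

```shell
#!/bin/sh
# Classify a Spectre-v2 status line by its comma-separated fields.
SYSFS_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Print the primary mitigation: ibrs, retpoline, not-affected, vulnerable, unknown.
# Only the first field is inspected: "IBRS_FW" is a secondary field that is
# present in both the IBRS and the retpoline case.
spectre_v2_primary() {
    primary=${1%%,*}
    case $primary in
        "Mitigation: Indirect Branch Restricted Speculation"*|Mitigation:*IBRS*)
            echo ibrs ;;
        Mitigation:*[Rr]etpoline*) echo retpoline ;;
        "Not affected"*) echo not-affected ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;   # wording varies between kernel versions
    esac
}

# Print the IBPB setting (e.g. "conditional"), or "absent" if there is no IBPB field.
spectre_v2_ibpb() {
    case $1 in
        *"IBPB: "*) rest=${1#*IBPB: }; echo "${rest%%,*}" ;;
        *) echo absent ;;
    esac
}

report() {
    echo "primary=$(spectre_v2_primary "$1") ibpb=$(spectre_v2_ibpb "$1")"
}

# Sample inputs: the two status strings quoted in the message above.
SAMPLE_IBRS='Mitigation: Indirect Branch Restricted Speculation, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling'
SAMPLE_RETPOLINE='Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling'

report "$SAMPLE_IBRS"
report "$SAMPLE_RETPOLINE"

# On a live Linux system, also report what the running kernel says.
if [ -r "$SYSFS_FILE" ]; then
    report "$(cat "$SYSFS_FILE")"
fi
```

Run after a reboot with `spectre_v2=retpoline,generic` on the kernel command line, the last line shows whether the primary mitigation actually changed while IBPB stayed enabled.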
