Recently, folks in my company suspect if Spectre mitigations are involved once they see a performance bug. So I make a simple summary of different X86 Spectre Variants, performance loss and workarounds. So they can have a general idea if Spectre might be involved or rule out the issue by suggesting the proper workaround to customer when necessory. Some of the kernel command line are for UEK series only, but most of them are compatible with kernel. Spectre V1 (Bounds Check Bypass) can't toggle at runtime No performance impact Spectre V2 (Branch Target Injection) There are two mitigations, Retpoline and IBRS. Retpoline is the prefered and by default enabled mitigation for most X86 systems, 0%-5% performance loss. IBRS is intel suggested mitigation for Skylake+ processor and enabled by default for Skylake+, performance loss is less than 20% in extreme case. Dynamic switch: /sys/kernel/debug/x86{retpoline_enabled,ibrs_enabled} Kernel bootup parameter: spectre_v2= on - unconditionally enable off - unconditionally disable auto - kernel detects whether your CPU model is vulnerable (default) retpoline - replace indirect branches retpoline,generic - google's original retpoline retpoline,amd - AMD-specific minimal thunk ibrs - Use IBRS (if microcode is available). nospectre_v2 Euivalent to spectre_v2=off spectre_v2_heuristics= off - disable all heuristics (see below) skylake=off - do not use IBRS if present on Skylake
X86 Spectre Variants and Mitigations
最新推荐文章于 2023-04-13 10:45:41 发布