
A series of patches posted Friday reveals a new, previously undocumented Zen 4 security feature: Automatic IBRS.
This is a new AMD Zen 4 processor capability providing automatic IBRS (Indirect Branch Restricted Speculation) as part of the Spectre V2 protections. Automatic IBRS is said to deliver better performance than the generic Retpoline mitigation that earlier AMD CPUs rely on against Spectre V2. The "automatic" aspect of this new Zen 4 security feature is that the IBRS protection is applied by the hardware itself on privilege level transitions, without the kernel having to manage it at each transition. Details beyond that are sparse, and I haven't seen any AMD white papers on Automatic IBRS or any information beyond the few patch comments when reviewing the Linux code.
It turns out that AMD Zen 4 has a new security feature, Automatic IBRS.
With Zen 4 processors running a patched Linux kernel, Automatic IBRS will be used as the default Spectre V2 mitigation in place of the generic Retpolines (return trampolines) implementation. A kernel option, "spectre_v2=autoibrs", is also added for explicitly opting into Automatic IBRS on supported processors. The Linux kernel patches also allow Auto IBRS to be used for KVM guests.
So in the end these Auto IBRS patches are good news for Linux users, albeit belated, in that this Spectre V2 mitigation mode is less expensive than the current Retpolines approach. In other words, system performance on Zen 4 should improve over that of current (unpatched, pre-Auto-IBRS) Linux kernels.
For now this AMD Automatic IBRS support is under review on the kernel mailing list, where some upstream developers are already inquiring about its behavior and asking for more details.
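Since the article can only go on the patch comments, a practitioner will want a way to check whether a given machine actually enumerates the feature and what mitigation the kernel ended up selecting. The following is an added example written for this page; it is not code from the kernel patch series, from AMD, or from the article. It assumes the enumeration the upstream patches use, CPUID Fn8000_0021 EAX bit 8, which the article itself does not state, and it reads the kernel's Spectre V2 status from sysfs so the two can be compared side by side.

```c
// Added example, not code from the article, from AMD, or from the Linux
// patch series it discusses: a user-space check for whether the running CPU
// enumerates AMD Automatic IBRS, plus the kernel's reported Spectre V2 status.
// Assumption (taken from the upstream cpufeature definitions, not from the
// article): the feature bit is CPUID Fn8000_0021 EAX[8].
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

#define AUTOIBRS_LEAF 0x80000021u
#define AUTOIBRS_BIT  (1u << 8)   /* assumption: EAX[8] of Fn8000_0021 */

/* Pure decode of the leaf's EAX register, kept separate so it can be checked
 * with constructed register values on any host. Returns 1 if the Automatic
 * IBRS bit is set, 0 otherwise. */
int autoibrs_from_leaf21_eax(uint32_t eax)
{
    return (eax & AUTOIBRS_BIT) != 0;
}

/* Returns 1 only when every precondition holds: an x86 host, an AMD vendor
 * string, and an extended CPUID range that actually reaches 0x80000021.
 * Querying a leaf above the advertised maximum returns unrelated data on some
 * CPUs, so the range check must come before the leaf read. */
int cpu_has_autoibrs(void)
{
#if HAVE_CPUID
    uint32_t eax, ebx, ecx, edx;
    char vendor[13];

    __cpuid(0, eax, ebx, ecx, edx);
    memcpy(vendor, &ebx, 4);       /* vendor string is EBX, EDX, ECX */
    memcpy(vendor + 4, &edx, 4);
    memcpy(vendor + 8, &ecx, 4);
    vendor[12] = '\0';
    if (strcmp(vendor, "AuthenticAMD") != 0)
        return 0;

    if (__get_cpuid_max(0x80000000u, NULL) < AUTOIBRS_LEAF)
        return 0;

    __cpuid(AUTOIBRS_LEAF, eax, ebx, ecx, edx);
    return autoibrs_from_leaf21_eax(eax);
#else
    return 0;                      /* non-x86 host: nothing to enumerate */
#endif
}

/* Prints the mitigation string the running kernel reports for Spectre V2 so
 * the CPUID result can be compared with what the kernel actually enabled. */
static void print_kernel_spectre_v2_status(void)
{
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spectre_v2", "r");
    char line[256];

    if (!f) {
        puts("spectre_v2 sysfs entry not available");
        return;
    }
    if (fgets(line, sizeof line, f))
        printf("kernel spectre_v2 status: %s", line);
    fclose(f);
}

int main(void)
{
    printf("CPUID enumerates Automatic IBRS: %s\n",
           cpu_has_autoibrs() ? "yes" : "no");
    print_kernel_spectre_v2_status();
    return 0;
}
```

Build with `cc -O2 autoibrs_check.c -o autoibrs_check` and run it on the Zen 4 box and on an older AMD part: the CPUID line should differ between the two, while the sysfs line shows which mitigation the booted kernel picked, with or without the `spectre_v2=` option on the command line.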
By now dedicated Phoronix readers will probably recall my earlier articles on how disabling security mitigations on the Ryzen 7000 series actually hurts performance (the opposite of previous Intel/AMD processors, where disabling the mitigations normally improves performance), an anomalous behavior I tracked down to the Spectre V2 handling on Zen 4. Since then, in talking to some folks at AMD, some of them were caught off guard by the behavior and found it unexpected. One person called it a Linux "bug" while another called it a "difference", but ultimately I never got a full explanation beyond being told that Linux kernel fixes would be on the way. Today's Automatic IBRS patches appear to be that fruit. I'll be running some tests soon to see what difference this alternate mitigation makes on Zen 4. In any event, it's unfortunate that this Linux kernel patch work is only now coming out more than a month after the first Ryzen 7000 series CPUs shipped. We'll see if it's sent in for Linux 6.1 given that it's security-related, or if it's held until the Linux 6.2 merge window in December.