With AMD Zen 4 there is surprisingly no need to disable CPU security mitigations


While some Linux enthusiasts urge users to boot their systems with the “mitigations=off” kernel parameter, which disables at run time the various CPU security mitigations for Spectre, Meltdown, L1TF, TAA, Retbleed and friends, the newer AMD Ryzen 7000 “Zen 4” processors, while still needing some software mitigations, are surprisingly faster most of the time with the relevant mitigations left enabled.

With AMD Zen 4 processors and the currently public security disclosures, Linux 6.0 on Ryzen 7000 series processors applies the following software mitigations: for SSBD / Spectre V4, speculative store bypass disabled via prctl; for Spectre V1, usercopy/SWAPGS barriers and __user pointer sanitization; and for Spectre V2, retpolines, conditional Indirect Branch Prediction Barriers (IBPB), firmware IBRS, Single Thread Indirect Branch Predictors (STIBP), and Return Stack Buffer (RSB) filling. These are the only software security mitigations involved with Zen 4 at present; the new processors are not vulnerable to the assortment of other known vulnerabilities affecting other processors.

Zen 4 mitigation status on Linux 6.0

With Zen 4 you can still boot the kernel with mitigations=off to disable the applied SSB, Spectre V1, and Spectre V2 mitigations, leaving the system in a “vulnerable” state. While many opt for the mitigations=off approach to avoid the performance penalties attributed to the various mitigations, in the case of AMD Zen 4 on the Ryzen 9 7950X this isn’t actually beneficial.
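To see which of these mitigations a running kernel is actually applying, and whether it was booted with mitigations=off, the kernel's own sysfs interface is the place to look. The POSIX shell script below is an added example, not code from the article: it classifies each entry under /sys/devices/system/cpu/vulnerabilities/ by the kernel's status wording ("Not affected", "Vulnerable", "Mitigation: ...") and checks /proc/cmdline for the mitigations=off parameter. The sample status strings are constructed to mirror the mitigations listed above and are not captured output from a Zen 4 system.

```shell
#!/bin/sh
# Added example (not from the article): inspect the kernel's reported mitigation state.
# The kernel publishes one file per known issue under this directory; each holds a
# single line beginning "Not affected", "Vulnerable" or "Mitigation: ...".
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one status line onto a short classification.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Succeed when the kernel command line carries mitigations=off as a whole word
# (so that, for example, mitigations=auto,nosmt does not match).
cmdline_has_mitigations_off() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'mitigations=off'
}

# Print "<issue><TAB><classification>" for every entry in the vulnerabilities directory.
report_sysfs() {
    dir=${1:-$VULN_DIR}
    [ -d "$dir" ] || { echo "no $dir on this host" >&2; return 1; }
    for f in "$dir"/*; do
        printf '%s\t%s\n' "$(basename "$f")" "$(classify_status "$(cat "$f" 2>/dev/null)")"
    done
}

# Constructed sample lines modelled on the kernel's wording for the mitigations the
# article lists; they are not captured from a real Ryzen 7000 system.
SAMPLE_SPECTRE_V1="Mitigation: usercopy/swapgs barriers and __user pointer sanitization"
SAMPLE_SPECTRE_V2="Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: always-on, RSB filling"
SAMPLE_SSB="Mitigation: Speculative Store Bypass disabled via prctl"
SAMPLE_MELTDOWN="Not affected"
SAMPLE_OFF="Vulnerable"   # the leading word once a mitigation has been disabled

main() {
    if [ -d "$VULN_DIR" ]; then
        report_sysfs
        if cmdline_has_mitigations_off "$(cat /proc/cmdline 2>/dev/null)"; then
            echo "booted with mitigations=off"
        else
            echo "booted with the default mitigation state"
        fi
    else
        # Off a Linux host, demonstrate the classification on the constructed samples.
        for s in "$SAMPLE_SPECTRE_V1" "$SAMPLE_SPECTRE_V2" "$SAMPLE_SSB" "$SAMPLE_MELTDOWN" "$SAMPLE_OFF"; do
            printf '%-14s %s\n' "$(classify_status "$s")" "$s"
        done
    fi
}

main "$@"
```

On a Linux host the script prints one line per sysfs entry followed by the boot-parameter verdict; anywhere else it falls back to the constructed samples so the classification logic can still be exercised.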

Surprisingly, the default, out-of-the-box mitigation state was generally faster than booting with mitigations=off. Here are the benchmarks with a measurable difference in either direction:

Running with mitigations=off was faster for a few synthetic benchmarks like Stress-NG, OSBench, Sockperf and similar. But keeping the default mitigation state surprisingly resulted in a noticeable benefit for web browser benchmarks, Stargate DAW, various OpenJDK workloads, and other workloads that have typically suffered performance impacts from the various security mitigations of the past four years.

Maintaining the default mitigation state was faster for the majority of benchmarks tested.

Over the wide range of 190 different benchmarks performed, keeping the default mitigations on was about 3% faster overall than running with mitigations=off, basically the opposite of what we normally see with other, older processors. Why keeping the default mitigations leads to a faster Ryzen 9 7950X is a good question (normally it’s the opposite!), but one I haven’t yet dug into by profiling the system, due to time constraints and because it ultimately isn’t too important: for production systems you should stick to the default security recommendations anyway.

Those wishing to browse all 190 benchmark results in their entirety can find all of my data here. Long story short, with AMD Zen 4 it doesn’t seem useful to boot with “mitigations=off”; it can actually have a negative impact on some real-world workloads.
