One of the few on the net who gets it, I applaud your post.

I try and explain to people, that these exploits in the real word are not much of an issue, but they cry "but it can read unauthorised memory blah blah blah", they are in panic mode and not thinking rationally.

Malware authors go for low hanging fruit, and none of these exploits are low hanging fruit, they are difficult to pull off and all the test cases have been done with admin/root access already on a machine, in other words you need to be already compromised.

When looking as security one should always balance the pros and cons, do not just blindly apply every single security measure without thinking about it. One of the worse pieces of advise I often read is "always update your machine, its the number one thing you can do for been secure", that advice is given because its what computer illiterate users are capable of doing, its sort of like the old tech support "clear your internet cache and reboot".

The reality is these exploits are probably only going to be a problem for a typical end user if all other aspects of computer security get locked down, these are literally a last resort type exploit for malware authors, so one is basically throwing away large chunks of performance for maybe a decade in the future someone has a tiny chance of trying to use these exploits in the wild.

Its akin to spending $300 on anti ransomware software "just incase" you get asked for $200 to get your files back. The former is a guarantee, the latter is a extremely low chance maybe.

I find these tests really good, pretty much noone else has done anything like this, but what I would like to see is the impact of these mitigations one by one, so we can see if individual impacts have a reasonable level of impact that can be disregarded.

On proxmox qemu on a ivy bridge xeon host (has PCID but not NVPCID), I compared a fully patched system on its defaults against toggling individual mitigations. They were only toggled on the proxmox host I didnt bother to toggle on the guests as well which may make the results even bigger.

The result was in my case.

PTI on its own had a small but not ignorable level of impact, tasks on a guest dont take noticeably longer but do have higher cpu utilisation, on average 1.1 or 1.2x multiple on cpu utilisation so 10-20% more cpu cost.
IBRS, almost doubles cpu utilisation and makes things slower on the guest, absolutely trashes hypervisor performance.
l1tf on its default setting, makes compiling code on a guest take about 30% longer, cpu utilisation isnt much affected on low threaded workloads, but high threaded workloads like compiling are noticeably more expensive in cpu cycles. So e.g. on a pfsense firewall in a guest, it has pretty much no impact, but if you encoding stuff, compiling, that sort of thing, you will feel it. Disabling this on the host I noticed also disabled it on qemu, qemu auto appended the flag that disables it in the guest when I disabled it on the host.

Microsoft have clearly been uneasy about IBRS, they pulled the intel microcode from automatic updates and have recently announced they switching to the reptoline solution in a future build of windows 10, the microcode solution was never even offered to win 7/8 users at all. The reality is this stuff should not have been disclosed given there is no evidence ofit been out in the wild, and in addition to that patches should not have been deployed in such a rushed and panic'd manner, IBRS should never have even reached stable clode, reptoline should have been the "first" spectre v2 mitigation on offer, and things like l1tf should not be enabled by default as the benefit is very situational.

Well I am confident in saying this.

Lets say we got two different users.

One has fully patched OS, all these mitigation's enabled (also bear in mind these mitigation's aside from PTI are partial only, they have ways to bypass), however he allows all javascript by default in browser, has no filesystem isolation, no isolated process in browser and no ad filtering.
Second user has no intel cpu mitigation activated, either disabled or OS not up to date, but does block all javascript in browser unless whitelisted, blocks ads unless whitelisted, is vigilant so doesnt click on random url's that are spoofed, doesnt download exe's from dodgy sources etc., isolates his filesystem with things like SRP, Applocker, isolates his browser.

My bet would be on the first guy getting bad things happening to his PC before the second, easily.

Actually they're not. There's only a handful of games that stress the cpu. Most games are heavy on the gpu, and only moderate to light on the cpu. It's why you can game comfortable on a 5+ year old CPU, paired with a Vega or RTX.

It probably depends heavily on the games you play. The games I play are almost entirely CPU limited on my machine.

Yes that's true. There's a Linus Tech Tips video where he does this exact comparison, and he found that maybe 20% of AAA games are CPU bound, while the vast majority are not.

It also depends on the settings. E-sports gamers like lowest possible graphics detail, and often have large numbers of other players onscreen. This is demanding on the CPU, but not so much on the GPU. E-sports gamers want the very fastest i7 cpu, paired with a mid-range gpu like Rx 480 or GTX 1060.

But for most visually demanding AAA titles, you want the biggest baddest GPU you can get, but a midrange cpu is fine. I'll share my own personal setup, it's an Opteron 4386 (circa 2012) with a Vega 56 @ 1080p. This *six* year old CPU paired with a modern GPU, gets me 100+ fps on Ultra settings for most AAA games released through ~2017.

Edit: You don't have to take my word for it. Look at the system requirements for the newly released (Feb 2019) Metro Exodus. Look at the "recommended" hardware for 1080p. It recommends a very new GPU, Radeon Vega or Nvidia RTX. But it recommends a six year old CPU from 2013, the i7-4770k: https://www.guru3d.com/articles_page...chmarks,2.html