Kernel Documentation: "AMD Zen, generations 1-4. That is, all families 0x17 and 0x19. Older processors have not been investigated.​"

I always disable CPU mitigations. If I have malware on my system, my least problem are CPU attacks. I guess this is more about Cloud systems where one instance serves several customers.

Can someone explain, do microcode fixes (generally, not just in this particular case) affect performance with mitigations=off or not? May it be beneficial to use old microcode? I am talking about a server running only trusted code where performance is top priority, if that matters.

So are we still at the point where we can avoid all these speculative execution vulnerabilities by disabling hyperthreading? I might try that again. When Spectre and Meltdown first came out I tried disabling hyperthreading for a couple of weeks just to see how it would go, and I didn't notice any difference in running my regular office applications and browser. For me I only really need it for larger compile jobs since I don't game or do much else that's CPU intensive.

There are people with good reason to be very paranoid, and they give us evidence the rest of us should be ready with precautions like having vulnerabilities fixed or mitigated, performance overhead doesn't matter in that case.

At home just fscking around, playing games in my first world comfort - you're right I don't care.

But as soon as I pick up my laptop and travel into an airport or a consulate or any place with attackers and sniffers, I have reason to be cautious and worry. You can say "well, don't bring it! don't use it there!" But yet I must, sometimes its my own for long travel, sometimes its work for work reasons. I've had passwords that gave access to systems that had very sensitive data and literal definition spies would be in our building quite often (govt). You think thats not normal? We were just aware of it.

Again, I'm sure its just your game or home laptop, right? You don't have any keys or password managers and its all encrypted with elliptic curve based algos (along with your home drive too) and you follow some tight security standards like nist or fips or something ridiculous and you never do banking or have any credit card transactions go through especially on public wifi right? And you don't use that insecure device on the same home network as a work device, right?

Yes, I'm talking about my private stuff. I do use a password manager and my MacBook is encrypted by default (I used to use Linux and AMD with disabled CPU mitigations). My password manager only runs when I need it. And as I said: if I got malware on my system, my last problems are CPU attacks. It is much, much probable that this malware will use some software vulnerability than a CPU vulnerability. - Why? Well, because it is well documented that this is the common strategy.

98% of the microcode updates are for correctness (non-security). Some of those issues have had workarounds implemented in the kernel, I would think that performance would actually improve when such software workarounds are no longer required with a microcode update. Of course, any particular microcode update could make things slower, but I don't think that's the rule by any stretch, and since we're talking about correctness/reliability issues, not the security objectives linus is such a fan of*, so I don't see how performance can trump correctness.

.(* see https://archive.ph/vqB1 )

Please retest with enable KASAN in kernel.
I noticed that KASAN + safe RATE decrease performance of 7950X in two times in games and kernel build.
Fedora Rawhide enable KASAN by default in debug builds.

Michael , this one looks curious:
My first thought was the "better" arrow was pointing the wrong direction, but it's consistent with the units. Maybe those are wrong?

Did you not see the 7950X benchmarks? It doesn't work if your latest model is (also) affected!

WTF? Are we looking at the same results?

Yeah, some benches are virtually unaffected, but way too many are hit way too hard for such a dismissive attitude. IMO, this is pretty bad.​