Right this testing is intended at just comparing Retpoline and not different CPUs against their performance.

ah yeah, ok that explanation makes perfect sense. Thanks.

Not defending the ad-hominem by the original poster, but I'd just like to clarify that the Koolaid did in fact inhibit your thought process, since it was lethal.

The "negligible performance impact" is related to variant 1. The retpoline patchset fixes variant 2, which AMD deemed is impossible on their CPUs.

Not sure what is the plan forward. Either retpoline won't be enabled on AMD CPUs (since, as of now, it is not needed) or it will (just in case someone reproduces variant 2 on AMD CPUs). Since variant 2 depends on branch prediction inner workings, it is heavily dependent on CPU microarchitecture. The fact it was not done on AMD CPUs doesn't mean it's impossible. For now, without retpoline, we have something like "security by obscurity" - AMD CPUs are safe since their branch predictor was not reverse-engineered yet.

RetPoline is only partially effective for SkyLake or later CPUs. You also need to test with the Intel microcode patched and the IBRS feature turned on. Test with IBRS mode 1 and IBRS mode 2 (on Linux). IBRS mode 1 is kernel protection (IBRS enabled only while in the kernel). IBRS mode 2 is kernel & user protection (IBRS enabled at all times). Mode 2 will result in a 30-40% loss in performance. What people are most interested in right now is mode 1 operation... how much performance loss is there when only the kernel is protected.

RetPoline itself isn't expected to add any significant overhead because only 1 in every 100 calls is typically going to be an indirect call (which is what RetPoline patches).

-Matt

Let me be a little more clear.

RetPoline is effective for all Intel CPUs that are older than SkyLake. For SkyLake and later CPUs, RetPoline is only partially effective.

The microcode update is not intended to replace RetPoline. Its intended to work in conjunction with RetPoline, and it is not intended to be left on (linux IBRS mode 2), though some people will be paranoid to leave it on and take the 30-40% performance hit. For older CPUs, even with the presence of the microcode update, it might be better to just rely on RetPoline and not enable IBRS due to the extreme performance penalty. Intel has stated on the LKML lists that the microcode will get better over time (probably mean over the next few years, honestly), and ultimately can just be left enabled full-time, but that time is not now.

AMD is also working on microcode updates for Spectre, but I have no information on what it does or the ABI. One thing it does NOT do is disable branch speculation (lots of press articles say it does, but it does not). The effectiveness of RetPoline on AMD systems is not known, either.

At the moment, all of these mitigations are poor hacks. Also, I would be careful of any wordage (from both Intel and AMD) about mitigations being solved by software. That will never happen. Bleeding edge recompiled software, sure. Kernels... probably (and eventually gain penetration). But probably almost none of the application software out in the wild will ever get these hacks.

-Matt

Ah, sorry to burst your bubble, but that isn't really the case. Enabling IBRS for the kernel will be bad enough, enabling IBRS for userland too will completely destroy performance. I doubt that any OS will be enabling IBRS for usermode by default. If you run Linux, IBRS for usermode + kernel is IBRS mode 2 operation. Kernel-only is IBRS mode 1 operation.

-Matt

From the cloud provider perspective, this will only increase revenue. Higher CPU utilization for existing workloads means customers will pay for more resources.

I didn't know that retpolines are still required with IBRS. I've thought that setting the MSR disables prediction for existing indirect jmp instructions. Which would still be bad performance-wise, but at least it could mitigate Spectre in software that can't be recompiled with retpolines.

I'm just hoping that future kernel patches will allow setting IBRS=2 in a specific cgroup (running only vulnerable software, like browsers).

The fix for variant 2 is called Retpoline while the fix for variant 3 (Meltdown) is called KPTI (kernel page table isolation). How is called the fix for variant 1?