It Turns Out Linux Is Supposed To Enable STIBP When Enabling AMD Zen 4's Auto IBRS

Automatic IBRS is a new feature with AMD Zen 4 processors akin to Intel's Enhanced IBRS functionality. Linux 6.3 added Auto IBRS support but it turns out when that was being enabled an oversight was made.

While AMD Automatic IBRS and Intel eIBRS are quite similar, Automatic IBRS does not protect processes running in user-mode. With eIBRS, STIBP is effectively enabled implicitly. As a result on the AMD side, Single Threaded Indirect Branch Predictors (STIBP) must be explicitly enabled to protect against cross-thread CPL3 branch target injections when using this Auto IBRS mode.

Automatic IBRS is one of the new features with AMD Zen 4 CPUs.

This patch to ensure STIBP gets enabled when using AMD Automatic IBRS was added to the tip/tip.git's x86/urgent branch this weekend. In turn as soon as today before the Linux 6.5-rc3 release it should then be picked up by mainline. This patch is also marked for back-porting to the relevant stable series having Auto IBRS support.

I'll be running some benchmarks to see what (small) performance difference there is with STIBP being forced on for Auto IBRS mode. Back when Auto IBRS was being enabled for the Linux kernel and I ran Auto IBRS benchmarks compared to the prior defaults that included having STIBP enabled. Ultimately there was only some slight performance differences so now with STIBP + Auto IBRS it's likely to be some mid-distance in between those prior figures (a.k.a. likely 1% or less difference for most workloads). In any event it's a bit surprising this oversight was only sorted out months after Automatic IBRS was enabled for the Linux kernel.