AMD Posts Linux Patches For "Automatic IBRS" Feature New To Zen 4

Written by Michael Larabel in AMD on 4 November 2022 at 06:34 PM EDT. 3 Comments
AMD --
A Friday patch series reveals a new security feature with Zen 4 previously not documented: Automatic IBRS.

This is a new AMD Zen 4 CPU capability providing automatic Indirect Branch Restricted Speculation "IBRS" as part of the Spectre V2 protections. Automatic IBRS is said to provide greater performance over the generic Retpolines mitigation handled on prior AMD CPUs for mitigating Retpolines. The automatic aspect of this new Zen 4 security feature is that it's hardware-managed of IBRS mitigation resources automatically across privilege level transitions. Details beyond that are scarce and I haven't seen any AMD whitepaper on this Automatic IBRS or other information beyond the few patch comments during the Linux code review.


It turns out AMD Zen 4 has a new security feature, Automatic IBRS.


With Zen 4 processors when running on a patched Linux kernel, Automatic IBRS will be used as the default mitigation approach over the generic return trampolines "Retpolines" implementation. The "spectre_v2=autoibrs" kernel option is also added if wanting to explicitly go for Automatic IBRS on supported processors. The Linux kernel patches also enable Auto IBRS use for KVM guests.

So ultimately these Auto IBRS patches are good news to Linux users -- albeit late -- in that this Spectre V2 mitigation mode is less costly than the current Retpolines approach. In other words, the system performance should improve over the current (unpatched / pre-Auto-IBRS) Linux kernel performance.

For now this AMD Automatic IBRS support is out for review on the kernel mailing list where already some upstream developers are inquiring about its behavior and requesting more details.


Now devoted Phoronix readers will likely recall my prior original articles on how disabling security mitigations on Ryzen 7000 series actually hurts performance (the opposite compared to prior Intel/AMD CPUs where normally disabling mitigations helps performance) and that abnormal performance change I tracked back to being the Spectre V2 handling on Zen 4. Since then in talking with some folks at AMD, it caught some of them off-guard and unexpected behavior. One person called it a Linux "bug" while another referred to it as a "difference" but ultimately never got a complete explanation, but was told Linux kernel patch(es) would be on the way. These Automatic IBRS enablement patches today appear to be that fruit. I'll be firing up some benchmarks soon to see what difference is made by this alternative mitigation on Zen 4. In any event it's unfortunate that this Linux kernel patch work is only coming out now more than a month after the Ryzen 7000 series processors first shipped. We'll see if it gets sent in as it's security related for Linux 6.1 or will be held off until the Linux 6.2 merge window in December.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week