AMD Posts Linux Patches For "Automatic IBRS" Feature New To Zen 4
A Friday patch series reveals a previously undocumented Zen 4 security feature: Automatic IBRS.
This is a new AMD Zen 4 CPU capability providing Automatic Indirect Branch Restricted Speculation ("IBRS") as part of the Spectre V2 protections. Automatic IBRS is said to offer better performance than the generic Retpolines mitigation used on prior AMD CPUs for mitigating Spectre V2. The "automatic" aspect of this new Zen 4 security feature is that the hardware applies the IBRS restriction on indirect branch prediction across privilege level transitions on its own, rather than the kernel toggling the IBRS mitigation state itself on each transition (the per-transition MSR writes that made classic IBRS costly). Details beyond that are scarce and I haven't seen any AMD whitepaper on Automatic IBRS or other information beyond the few patch comments during the Linux code review.
On Zen 4 processors running a kernel with these patches, Automatic IBRS becomes the default Spectre V2 mitigation in place of the generic return trampoline ("Retpolines") implementation. A "spectre_v2=autoibrs" kernel option is also added for explicitly selecting Automatic IBRS on supported processors. The patches also enable Auto IBRS for KVM guests.
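A quick way to verify on a given machine which Spectre V2 mitigation the kernel actually chose, and whether a spectre_v2= request on the boot command line took effect, as an added example that is not from the article, AMD, or the kernel patches: it reads the kernel's sysfs reporting and /proc/cmdline. The sysfs path and the Retpolines/IBRS wording are the kernel's own; the assumption is that a kernel with these patches reports Automatic IBRS with a string containing "IBRS", since the exact text is not given here. The sample strings in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the Phoronix article, AMD, or the Linux patches):
# check which Spectre V2 mitigation the running kernel selected and what the
# boot command line asked for. Mitigation wording comes from the kernel's
# sysfs reporting; the exact string a patched kernel prints for Automatic
# IBRS is not known from the article, so any mitigation mentioning IBRS
# (Enhanced IBRS, Automatic IBRS, plain IBRS) is classed as "ibrs".

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 "<sysfs line>" -> none | vulnerable | retpoline | ibrs | unknown
# Order matters: Retpoline lines also carry "IBRS_FW" (IBRS around runtime
# firmware calls), and "Vulnerable: eIBRS with unprivileged eBPF" mentions
# IBRS without being mitigated, so those cases are matched first.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)  echo none ;;
        Vulnerable*)      echo vulnerable ;;
        *[Rr]etpoline*)   echo retpoline ;;
        *IBRS*)           echo ibrs ;;
        *)                echo unknown ;;
    esac
}

# cmdline_spectre_v2 "<kernel cmdline>" -> value of spectre_v2=, or "auto"
# when the option is absent (the kernel then picks the mitigation itself).
# Later occurrences override earlier ones.
cmdline_spectre_v2() {
    val=auto
    for tok in $1; do
        case "$tok" in
            spectre_v2=*) val=${tok#spectre_v2=} ;;
        esac
    done
    echo "$val"
}

# report_live: print the classification for the machine this runs on.
# Returns 1 when the sysfs file is absent (non-x86 kernel, or a kernel
# without the vulnerabilities directory).
report_live() {
    if [ ! -r "$SPECTRE_V2_SYSFS" ]; then
        echo "$SPECTRE_V2_SYSFS not readable; cannot determine mitigation" >&2
        return 1
    fi
    line=$(cat "$SPECTRE_V2_SYSFS")
    requested=$(cmdline_spectre_v2 "$(cat /proc/cmdline)")
    echo "kernel reports : $line"
    echo "class          : $(classify_spectre_v2 "$line")"
    echo "cmdline asked  : spectre_v2=$requested"
}

report_live || :   # keep going when sysfs is unavailable (e.g. non-x86 hosts)
```

On a Zen 4 box booted with an unpatched kernel the class should come back as retpoline; after these patches land (or with spectre_v2=autoibrs on a patched kernel) it should come back as ibrs. A "cmdline asked" value that does not match the reported class means the kernel rejected or overrode the request, which is worth checking before trusting any benchmark comparison.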
So ultimately these Auto IBRS patches are good news for Linux users -- albeit late -- in that this Spectre V2 mitigation mode is less costly than the current Retpolines approach. In other words, system performance should improve over the current (unpatched, pre-Auto-IBRS) Linux kernel.
For now this AMD Automatic IBRS support is out for review on the kernel mailing list, where some upstream developers are already asking about its behavior and requesting more details.
Now devoted Phoronix readers will likely recall my prior articles on how disabling security mitigations on Ryzen 7000 series processors actually hurts performance (the opposite of prior Intel/AMD CPUs, where disabling mitigations normally helps performance), abnormal behavior that I tracked back to the Spectre V2 handling on Zen 4. Since then, in talking with some folks at AMD, it caught some of them off-guard as unexpected behavior. One person called it a Linux "bug" while another referred to it as a "difference", but I ultimately never got a complete explanation, though I was told Linux kernel patch(es) would be on the way. These Automatic IBRS enablement patches today appear to be that fruit. I'll be firing up some benchmarks soon to see what difference this alternative mitigation makes on Zen 4. In any event it's unfortunate that this Linux kernel patch work is only coming out now, more than a month after the Ryzen 7000 series processors first shipped. We'll see if it gets sent in for Linux 6.1 since it's security related, or is held off until the Linux 6.2 merge window in December.