Is It Worthwhile Running Intel Alder Lake With mitigations=off?
Over the past month of trying out Intel Alder Lake processors on Linux, one question that has come up a few times but has not been readily answered is whether it is still worthwhile on this latest-generation processor to boot with "mitigations=off", disabling CPU security mitigations to recover some otherwise lost performance. Here are some benchmarks to answer that question.
Particularly with Intel CPUs from 2018 and prior, where there aren't in-silicon changes for mitigating the likes of Spectre and Meltdown, some Linux users have resorted to running with "mitigations=off", accepting the security risk in exchange for increased (that is, otherwise regressed) performance. This Linux kernel parameter boots the system with the software-controlled CPU security mitigations disabled. Running with mitigations disabled is a security risk, but on prior generations of Intel CPUs it can make a measurable difference for workloads that are heavy on context switching, I/O, and other areas impacted by the software mitigations.
In the case of the brand new Intel Alder Lake processors, the software-controlled mitigations amount to the following: for Spectre V4 / Speculative Store Bypass, SSB disabling (SSBD) that is opt-in by software via prctl() or applied when running within SECCOMP; for Spectre V1, user-copy and SWAPGS barriers plus __user pointer sanitization; and for Spectre V2, enhanced IBRS (Indirect Branch Restricted Speculation) and IBPB (Indirect Branch Prediction Barriers) with conditional RSB (Return Stack Buffer) filling. The other prominent CPU security issues are either addressed within the hardware or do not affect these processors, so they are not controlled by software.
Booting Alder Lake with the "mitigations=off" option leaves the system potentially vulnerable to Spectre V2 and V4, but it is an interesting candidate to benchmark in order to quantify what measurable difference, if any, there is on the new processors.
The testing for this article was simply running the Intel Core i9 12900K on Ubuntu 21.10 with Linux 5.15 and then repeating the tests on the same system while running with mitigations=off.
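To confirm which state a given boot is actually in before comparing results, the kernel's own view can be read from /sys/devices/system/cpu/vulnerabilities and /proc/cmdline. The script below is an added example, not part of the original article's test setup; the function names and the two sample dictionaries are constructed for illustration.

```python
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")  # kernel's per-issue status files

def classify(status):
    """Map one sysfs status string to a coarse state."""
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if status.strip().startswith(prefix):
            return state
    return "unknown"

def mitigations_off(cmdline):
    """True when the effective mitigations= boot parameter is 'off'."""
    value = None
    for token in cmdline.split():
        if token.startswith("mitigations="):
            value = token.split("=", 1)[1]  # a later occurrence overrides an earlier one
    return value == "off"

def read_sysfs(root=SYSFS):
    """Read every status file; empty dict when the directory is absent."""
    if not root.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(root.iterdir()) if p.is_file()}

def audit(statuses, cmdline=""):
    """Summarise which issues the kernel reports as left vulnerable."""
    report = {name: classify(text) for name, text in statuses.items()}
    return {"mitigations_off": mitigations_off(cmdline),
            "exposed": sorted(n for n, s in report.items() if s == "vulnerable"),
            "report": report}

# Constructed sample status strings (not captured from the article's test system).
SAMPLE_DEFAULT = {
    "meltdown": "Not affected",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "spectre_v2": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling",
}
SAMPLE_OFF = {
    "meltdown": "Not affected",
    "spec_store_bypass": "Vulnerable",
    "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
}

if __name__ == "__main__":
    proc = Path("/proc/cmdline")
    result = audit(read_sysfs() or SAMPLE_DEFAULT, proc.read_text() if proc.exists() else "")
    print(result["mitigations_off"], result["exposed"])
```

Run on a Linux host it reports the live state; anywhere else it falls back to the constructed default sample.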