Benchmarking The Performance Impact To AMD Inception Mitigations
Last week the AMD Inception vulnerability was made public as a speculative side-channel attack affecting Zen processors, with different mitigation options depending on the CPU generation. There wasn't much communication around the performance implications of mitigating Inception, and over the past week I have begun benchmarking the software and microcode updates on Ryzen and EPYC processors.
For Zen 3 and Zen 4 processors AMD is in the process of rolling out new microcode, while for Zen 1 / Zen 2 only a kernel-based mitigation is needed. For Zen 3 and Zen 4, though, the kernel-only mitigation is also available in the event your system doesn't yet have updated firmware/microcode. AMD has already published the updated Family 19h microcode for EPYC processors in linux-firmware.git, while on the consumer/client side AMD partners will be rolling out updated AGESA with the mitigated microcode.
The Linux kernel changes for mitigating Inception were merged last week and are already found in stable kernel versions. There are, though, updated patches in development to clean up this Inception (SRSO) mitigation code. That cleaned-up work will likely be upstreamed in the coming days, but ultimately it isn't expected to change the mitigation overhead costs.
To get an initial idea of the AMD Inception mitigation performance impact, I used an AMD EPYC 7763 (Milan / Zen 3) server running Ubuntu 22.04 LTS with a custom kernel build as of last week. The following kernel configurations were tested:
off - No Inception mitigations. All other CPU security mitigations were at their defaults; this testing looks only at the Inception mitigation overhead.
safe RET no microcode - The purely kernel-based mitigation while using the prior Family 19h CPU microcode without the Inception mitigation there.
safe RET - The default safe RET mode when using the newest CPU microcode.
IBPB - The alternative IBPB-based mitigation approach.
For details on these different mitigation routes, see the kernel documentation around this Speculative Return Stack Overflow (SRSO) mitigation for Inception. The "safe RET" mode is the default mode of operation with AMD Zen processors on the Linux kernel versions patched since last week.
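To confirm which of the four configurations above a given host is actually running before benchmarking it, the kernel's status line can be read from sysfs and classified. This is an added example, not code from the article or the kernel project; the sample status strings in the comments are constructed, and the exact wording differs between kernel versions, which is why matching is case-insensitive.

```shell
#!/bin/sh
# Status file exposed by kernels that carry the SRSO (Inception) patches.
# The mode is chosen at boot with the spec_rstack_overflow= parameter.
SRSO_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow

# classify_srso STATUS
# Maps a status line to the article's configuration labels:
#   off | safe RET no microcode | safe RET | IBPB
# Anything else (for example the VM-exit-only IBPB mode) is "other".
classify_srso() {
    s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$s" in
        *"safe ret"*"no microcode"*) echo "safe RET no microcode" ;;
        *"safe ret"*)                echo "safe RET" ;;
        *"vmexit"*)                  echo "other" ;;
        *"ibpb"*)                    echo "IBPB" ;;
        "vulnerable"*)               echo "off" ;;
        "not affected"*)             echo "not affected" ;;
        *)                           echo "other" ;;
    esac
}

# report_srso: print the raw status and its classification for this host.
# Returns 0 without output details on kernels that lack the status file.
report_srso() {
    if [ -r "$SRSO_SYSFS" ]; then
        status=$(cat "$SRSO_SYSFS")
        printf 'kernel reports: %s\n' "$status"
        printf 'configuration:  %s\n' "$(classify_srso "$status")"
    else
        printf '%s not present (kernel without SRSO patches?)\n' "$SRSO_SYSFS"
    fi
}

report_srso
```

Record the raw status line alongside each benchmark run so results from a host that silently fell back to the "no microcode" path are not mixed with results from a fully updated one.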
The EPYC 7763 benchmarks are followed later in this article by some AMD Ryzen 9 7950X benchmarks.