Benchmarking The Performance Impact Of Speculative Store Bypass Disable For Spectre V4 On Intel Core i7
In late May, Spectre V4 was made public, and coinciding with the public reveal were the Linux kernel patches for the Speculative Store Bypass Disable (SSBD) mode for mitigating this latest side-channel attack. For SSBD on Intel CPUs, updated microcode is required, and those patched microcode files are now being delivered through new BIOS updates from motherboard vendors. With ASUS motherboards getting the updated support in recent days, I decided to run some initial Core i7 Coffeelake benchmarks with/without the SSBD support being enabled in the Linux kernel.
Intel CPUs need updated microcode for the SSBD mitigation in order to set the new IA32_SPEC_CTRL MSR, while AMD CPUs do not need any microcode update. On a supported system with a recent version of the Linux kernel, the Spectre V4 mitigation is not enabled globally by default; instead, programs/processes can opt into coverage via the prctl() interface or a seccomp filter. SSBD isn't enabled globally by default since it can cause a performance penalty and isn't needed everywhere; it matters particularly for managed code environments and sandboxed scenarios.
For those who prefer the most secure configuration, the kernel can be booted with the spec_store_bypass_disable=on boot parameter to force the mitigation to be unconditionally enabled for all processes. The state of the system's Spectre V4 / SSBD mitigation can be read from /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
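As an added example (not code from the original article), the C program below reads that sysfs status file, opts the calling process into SSBD through prctl() when the kernel is in per-process mode, and reports whether the task is covered. The helper names classify_sysfs and task_is_protected are assumptions made for illustration; the PR_* constants are the kernel's own from linux/prctl.h.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for older headers; values match the kernel's linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#define SSB_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

enum ssb_scope { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_VULNERABLE, SSB_OPT_IN, SSB_GLOBAL };

/* Classify the one-line status string the kernel exposes in SSB_SYSFS. */
enum ssb_scope classify_sysfs(const char *s)
{
    if (strstr(s, "Not affected")) return SSB_NOT_AFFECTED;
    if (strstr(s, "Vulnerable"))   return SSB_VULNERABLE;  /* e.g. booted with =off */
    if (strstr(s, "via prctl"))    return SSB_OPT_IN;      /* per-process only */
    if (strstr(s, "Mitigation"))   return SSB_GLOBAL;      /* forced on for all */
    return SSB_UNKNOWN;
}

/* Interpret a PR_GET_SPECULATION_CTRL result: 1 if this task is covered. */
int task_is_protected(long ctrl)
{
    if (ctrl < 0)  return 0;   /* prctl failed (e.g. kernel too old) */
    if (ctrl == 0) return 1;   /* PR_SPEC_NOT_AFFECTED */
    return (ctrl & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

int main(void)
{
    char line[128] = "";
    FILE *f = fopen(SSB_SYSFS, "r");
    if (f) { if (!fgets(line, sizeof line, f)) line[0] = '\0'; fclose(f); }
    printf("sysfs: %s", line[0] ? line : "(unavailable)\n");
    /* In opt-in mode, ask the kernel to disable store bypass for this task. */
    if (classify_sysfs(line) == SSB_OPT_IN &&
        prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0))
        perror("PR_SET_SPECULATION_CTRL");
    long ctrl = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    printf("task protected: %s\n", task_is_protected(ctrl) ? "yes" : "no");
    return 0;
}
```

In the prctl() result, PR_SPEC_DISABLE means speculative store bypass is disabled for the task, which is the mitigated state; PR_SPEC_ENABLE means the task is still exposed.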
Since yesterday I've been running some benchmarks of a Linux 4.18 Git kernel with spec_store_bypass_disable=on to see the full potential mitigation impact and then with spec_store_bypass_disable=off, which leaves the system exposed to the Spectre Variant Four vulnerability. All tests were done on the same Intel Core i7 8086K system running Ubuntu 18.04, with an assortment of benchmarks via the Phoronix Test Suite.