Correction, I meant IBRS, not IBPB. IBPB support is forthcoming. IBRS is a mode, IBPB is a barrier.
-Matt

Sent from my iPad

> On Jan 9, 2018, at 10:48 PM, Matthew Dillon <[email protected]> wrote:
>
> DragonFlyBSD master now has initial spectre sysctl support, and the mmu
> isolation sysctl has been renamed.
>
> machdep.meltdown_mitigation
>
> System automatically enables this by default on Intel CPUs.
> Performance loss for normal workloads approximately 4%.
>
> machdep.spectre_mitigation
>
> System automatically sets mode 1 if the microcode supports it. Will be
> disabled if the microcode does not support it. It is possible to load
> unofficial microcode at run-time and then set the sysctl, but it is a bit messy
> to obtain and decode the microcode in a format that cpucontrol understands.
> I just posted the sequence. But you need to pull the microcode from
> somewhere, too, if the normal packages don't have it (which they don't, yet).
> This mitigation currently only messes with the IBPB bit (MSR 0x48=1).
>
> Performance loss for normal workloads depends on the cpu. Approximately
> 12% on Haswell and 5% on Skylake. This does NOT count the loss from the
> meltdown mitigation, so add them together.
>
> Modes supported:
>
> 0 IBPB disabled, no Spectre mitigation
>
> 1 IBPB enabled for kernel mode.
>
> 2 IBPB enabled at all times.
>
> Note that mode 2 results in a HUGE performance loss. Approximately 53%
> on Haswell and 24% on Skylake. Mode 2 is not recommended at this time.
>
> Again, this sysctl will only operate if the machine's microcode supports
> the feature.
>
> RetPoline work is in progress but it could be a while (up to a month) before
> we get a compiler capable of generating it fully integrated.
>
> --
>
> Generally speaking, we recommend letting the system select the defaults if
> safety and security is a concern. We will try to pick reasonable settings.
> It will turn on meltdown for Intel CPUs and it will use Spectre mode 1 for
> Intel CPUs if the microcode has the feature. Once RetPoline is in place,
> some people may opt to turn off the Spectre mitigation.
>
> I don't have any new AMD microcode for testing yet, so the Spectre mitigation
> is currently Intel-only.
>
> -Matt
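The quoted mail says the spectre sysctl only operates when "the machine's microcode supports the feature", and the correction at the top notes that IBRS is the mode and IBPB the barrier. The example below is added here to show how that support is detected; it is not DragonFly's code and not part of the original mails. What it relies on is Intel's CPUID enumeration: CPUID.(EAX=7,ECX=0):EDX bit 26 advertises both IBRS (IA32_SPEC_CTRL) and IBPB (IA32_PRED_CMD), bit 27 STIBP, and bit 29 the IA32_ARCH_CAPABILITIES MSR; a CPU whose microcode predates the update reports these bits clear. The `effective_spectre_mode` rule is my own reading of the mail's "will be disabled if the microcode does not support it", not the kernel's logic, and the decoder is kept separate from the CPUID instruction so it can be exercised with constructed register values on any machine. AMD uses different leaves and, as the mail says, is not covered.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.(EAX=7,ECX=0):EDX feature bits that Intel microcode updates expose
 * once the speculation-control MSRs exist (Intel SDM, CPUID leaf 07H). */
#define CPUID7_EDX_IBRS_IBPB  (1u << 26)  /* IA32_SPEC_CTRL.IBRS + IA32_PRED_CMD.IBPB */
#define CPUID7_EDX_STIBP      (1u << 27)  /* IA32_SPEC_CTRL.STIBP */
#define CPUID7_EDX_ARCH_CAP   (1u << 29)  /* IA32_ARCH_CAPABILITIES MSR present */

struct spec_ctrl_support {
    int ibrs_ibpb;          /* 1 if IBRS (mode) and IBPB (barrier) are available */
    int stibp;
    int arch_capabilities;
};

/* Pure decoder: takes the raw EDX value so it can be tested with constructed
 * inputs, independent of the hardware this runs on. */
struct spec_ctrl_support decode_cpuid7_edx(uint32_t edx)
{
    struct spec_ctrl_support s;
    s.ibrs_ibpb         = (edx & CPUID7_EDX_IBRS_IBPB) != 0;
    s.stibp             = (edx & CPUID7_EDX_STIBP) != 0;
    s.arch_capabilities = (edx & CPUID7_EDX_ARCH_CAP) != 0;
    return s;
}

/* Models the rule stated in the mail for machdep.spectre_mitigation (my own
 * approximation, not DragonFly's implementation): a requested mode 1 or 2
 * takes effect only if the microcode advertises IBRS/IBPB; otherwise the
 * mitigation is disabled (0). Returns -1 for a mode outside 0..2. */
int effective_spectre_mode(int requested, struct spec_ctrl_support s)
{
    if (requested < 0 || requested > 2)
        return -1;
    if (requested == 0)
        return 0;
    return s.ibrs_ibpb ? requested : 0;
}

/* Reads leaf 7 on the running CPU. Returns 0 when not built for x86 or when
 * the CPU does not implement leaf 7 at all (very old parts). */
int query_cpuid7_edx(uint32_t *edx_out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid_max(0, 0) < 7)
        return 0;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    *edx_out = edx;
    return 1;
#else
    (void)edx_out;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx;
    if (!query_cpuid7_edx(&edx)) {
        puts("CPUID leaf 7 not available (not an x86 CPU?)");
        return 1;
    }
    struct spec_ctrl_support s = decode_cpuid7_edx(edx);
    printf("CPUID.7.EDX = 0x%08x\n", (unsigned)edx);
    printf("  IBRS/IBPB:              %s\n",
           s.ibrs_ibpb ? "yes" : "no (microcode update needed)");
    printf("  STIBP:                  %s\n", s.stibp ? "yes" : "no");
    printf("  IA32_ARCH_CAPABILITIES: %s\n", s.arch_capabilities ? "yes" : "no");
    printf("machdep.spectre_mitigation=1 would take effect as mode %d\n",
           effective_spectre_mode(1, s));
    return 0;
}
```

Build with `cc -O2 spec_ctrl_check.c` and run it on the box before loading microcode and again afterwards: if bit 26 stays clear, the cpucontrol step did not take, and the sysctl will silently fall back to mode 0 no matter what value is written to it.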
