OpenSUSE defaults to IBRS for its Spectre Variant Two mitigations rather than the Retpolines approach and that is one of the reasons for the distribution’s slower out-of-the-box performance compared to other Linux distributions.
A Phoronix reader pointed out this opensuse-factory mailing list thread citing a “huge single-core performance loss” on a Lenovo laptop when using openSUSE. There’s a ~21% performance loss in single-threaded performance around the Spectre Variant Two mitigations, which itself isn’t surprising as we’ve shown time and time again about the performance costs of the Spectre/Meltdown mitigations.
Looking through the mailing list, I came across this:
retpolines are not complete protection on skylake+. Coffee lake has EIBRS which should restore the performance a bit. Perhaps, one day, Intel will add EIBRS support also to Skylake, if possible (I don’t remember the details).
Meaning:
If Intel “Coffee Lake”, then EIBRS is present and therefore the performance hit with IBRS is not quite as bad as it could be …
If Intel “Skylake”, then EIBRS is not present and therefore enabling IBRS will mean a performance hit.
Or, if you choose to do so, if “Skylake”, then change to retpolines if you want performance at the risk of losing some protection …
As given above,
The main page for the meltdown-spectre.sh checker is a good info page; at the bottom it lists each variant and a quick summary (not complete) list of mitigation options.
For a more full description of each vulnerability and the full array of possible mitigations, I’d recommend looking up the related page at kernel.org. SUSE also has posted some guidance based on the CVE number.
I’d recommend not taking anything written about what is or is not configured as gospel; instead, run the checker script (from GitHub above or available in the openSUSE repos) to test your machine.
Note also that if you’re running any kind of hypervisor virtualization or isolation (like containers, Docker, LXC, etc), you should run the checker script inside every machine, even Guests.
I’d also take anything written about performance with a grain of salt. There are a great many articles written about poor performance associated with Meltdown and Spectre mitigations which haven’t borne out. Do your own testing. You may find that there isn’t a noticeable hit.
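For a quick look at which of the Spectre Variant Two mitigations discussed in this thread (IBRS, EIBRS or retpolines) a kernel has actually selected, the following is an added example and not part of the thread or of the checker script. It classifies the status line the kernel exposes in sysfs; the sample lines are constructed, and the exact wording varies by kernel version, so the patterns are an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify the Spectre v2 status line.
# The kernel reports the active mitigation in this sysfs file.
SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 "<status line>" prints one of:
#   eibrs | ibrs | retpoline | vulnerable | not-affected | unknown
classify_spectre_v2() {
    status=$1
    # Only the first comma-separated field names the primary mitigation.
    # Later fields (IBPB, IBRS_FW, STIBP, RSB filling) are add-ons, and
    # "IBRS_FW" on a retpoline line must not be mistaken for IBRS mode.
    primary=${status%%,*}
    case $primary in
        "Not affected"*)   echo not-affected ;;
        Vulnerable*)       echo vulnerable ;;
        *Enhanced*IBRS*)   echo eibrs ;;
        *[Rr]etpoline*)    echo retpoline ;;
        *IBRS*|*"Indirect Branch Restricted Speculation"*) echo ibrs ;;
        *)                 echo unknown ;;
    esac
}

# Constructed sample lines, modelled on the kernel's output format
# (assumed wording; check your own kernel's strings).
for sample in \
    "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling" \
    "Mitigation: Indirect Branch Restricted Speculation, IBPB: conditional, IBRS_FW, RSB filling" \
    "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling" \
    "Vulnerable"
do
    printf '%-10s <- %s\n' "$(classify_spectre_v2 "$sample")" "$sample"
done

# On a live system, classify what this kernel actually reports.
if [ -r "$SPECTRE_V2_FILE" ]; then
    live=$(cat "$SPECTRE_V2_FILE")
    printf 'this host: %s (%s)\n' "$(classify_spectre_v2 "$live")" "$live"
fi
```

As with the checker script, run it inside each guest as well as on the host, since a guest kernel can select a different mitigation than the hypervisor's.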