From Phoronix: OpenSUSE's Spectre Mitigation Approach Is One Of The Reasons For Its Slower Perf...

Article at Phoronix: OpenSUSE’s Spectre Mitigation Approach Is One Of The Reasons For Its Slower Performance
It is for Intel processors.

OpenSUSE defaults to IBRS for its Spectre Variant Two mitigations rather than the Retpolines approach and that is one of the reasons for the distribution’s slower out-of-the-box performance compared to other Linux distributions.
A Phoronix reader pointed out this opensuse-factory mailing list thread citing a “huge single-core performance loss” on a Lenovo laptop when using openSUSE. There’s a ~21% performance loss in single-threaded performance around the Spectre Variant Two mitigations, which itself isn’t surprising as we’ve shown time and time again about the performance costs of the Spectre/Meltdown mitigations.

Additional links:

https://browser.geekbench.com/v4/cpu/compare/12738751?baseline=12738264
https://browser.geekbench.com/v4/cpu/compare/12738676?baseline=12738264

Just FYI. I cannot estimate whether it is good or bad.

Looking through the mailing list, I came across this:

retpolines are not complete protection on skylake+. Coffee lake has EIBRS which should restore the performance a bit. Perhaps, one day, Intel will add EIBRS support also to Skylake, if possible (I don’t remember the details).

Meaning:

  1. If Intel “Coffee Lake” then, EIBRS is present and therefore the performance hit with IBRS is not quite as bad as it could be …
  2. If Intel “Skylake” then, EIBRS is not present and therefore enabling IBRS will mean a performance hit.

Or, if you choose to do so, if “Skylake” then, change to retpolines if you want performance at the risk of losing some protection …

And, just for good measure:

The check script contains a bug:
IBRS is reported as YES even if only IBRS_FW is found in sysfs · Issue #275 · speed47/spectre-meltdown-checker · GitHub

It considers every occurrence of “IBRS” as “IBRS is engaged”. Even if it is only “IBRS_FW”.

And this as well:

Also, Fedora does not have up-to-date microcode for your CPU (Tumbleweed does) according to the links above.

Even then, your CPU is Coffee Lake and that should have support for EIBRS, but it does not according to the output:

  • Enhanced IBRS (IBRS_ALL)
  • CPU indicates ARCH_CAPABILITIES MSR availability: NO
  • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO

On the general subject of Spectre,
There now seem to be 4 main variants, and each requires different options to address.

https://github.com/speed47/spectre-meltdown-checker

As given above,
The main page for the meltdown-spectre.sh checker is a good info page; at the bottom it lists each variant and a quick summary (not complete) list of mitigation options.
For a fuller description of each vulnerability and the full array of possible mitigations, I’d recommend looking up the related page at kernel.org. SUSE has also posted some guidance based on the CVE number.

I’d recommend not taking anything written about what is or is not configured as gospel; instead, run the checker script (from GitHub above or available in the openSUSE repos) to test your machine.

Note also that if you’re running any kind of hypervisor virtualization or isolation (like containers, Docker, LXC, etc), you should run the checker script inside every machine, even Guests.

I’d also take anything written about performance with a grain of salt. There are a great many articles written about poor performance associated with Meltdown and Spectre mitigations which haven’t borne out. Do your own testing. You may find that there isn’t a noticeable hit.

TSU
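
The checker bug quoted earlier in the thread (every occurrence of "IBRS" counted as "IBRS is engaged", even when it is only "IBRS_FW") comes down to substring matching versus exact-token matching on the sysfs line. The following is an added example, not code from spectre-meltdown-checker or from any poster: the function names are hypothetical, and the sample lines are constructed, modelled on mainline kernel wording for the spectre_v2 sysfs file, which distribution kernels may phrase differently.

```shell
#!/bin/sh
# Constructed sample lines (assumption: mainline-style wording).
SAMPLE_RETPOLINE='Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling'
SAMPLE_EIBRS='Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling'
SAMPLE_IBRS='Mitigation: IBRS, IBPB: conditional, RSB filling'

# Substring check, reproducing the behaviour described in the bug report:
# "IBRS_FW" and "Enhanced IBRS" both contain "IBRS", so both answer "yes".
naive_ibrs() {
    case $1 in
        *IBRS*) echo yes ;;
        *)      echo no ;;
    esac
}

# Exact-token check: split the line on commas and compare whole tokens, so
# kernel IBRS, firmware-only IBRS_FW and Enhanced IBRS are reported separately.
# The body runs in a subshell so IFS and globbing changes do not leak out.
classify_spectre_v2() (
    body=${1#"Mitigation: "}
    ibrs=no ibrs_fw=no eibrs=no retpoline=no
    IFS=','
    set -f                      # no filename expansion while splitting
    for tok in $body; do
        tok=${tok# }            # drop the space that follows each comma
        case $tok in
            *[Rr]etpoline*) retpoline=yes ;;
        esac
        case $tok in
            "Enhanced IBRS"*) eibrs=yes ;;
            IBRS)             ibrs=yes ;;
            IBRS_FW)          ibrs_fw=yes ;;
        esac
    done
    echo "ibrs=$ibrs ibrs_fw=$ibrs_fw eibrs=$eibrs retpoline=$retpoline"
)

# On a live Linux system, classify the real value as well.
f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$f" ]; then
    classify_spectre_v2 "$(cat "$f")"
fi
```

On the retpoline sample the substring check answers "yes" while the token check reports `ibrs=no ibrs_fw=yes`, which is the false positive the issue describes.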