AMD Zen 5 Not Affected By Inception/SRSO, mitigations=off Yields No Benefit On Ryzen 9000 Series
- Reference: 0001490172
- News link: https://www.phoronix.com/review/amd-zen5-mitigations-off
One of the security changes with AMD [1]Zen 5 processors that I haven't seen AMD publicly mention, at least not prominently, is that the new cores are not vulnerable to Speculative Return Stack Overflow (SRSO). Unlike Zen 4 and prior, under Linux I noticed that Zen 5 is no longer affected by the SRSO "INCEPTION" vulnerability. But of course there do remain other CPU security mitigations in place carried over from Zen 4. For those wondering about the mitigation costs or if it's worthwhile running Zen 5 with the "mitigations=off" insane mode, here are some benchmarks.
Speculative Return Stack Overflow was [2]made public one year ago and is better known by the "INCEPTION" name and officially as CVE-2023-20569. This CPU speculative execution vulnerability affects cores up through Zen 4 and required updated CPU microcode and kernel modifications. With up-to-date microcode, Zen 4 on Linux relies on the "Safe RET" mitigation, a combination of microcode and software mitigations. In my Zen 5 testing, all tested Ryzen AI 300 series and Ryzen 9000 series desktop processors have reported being not affected by INCEPTION / Speculative Return Stack Overflow.
[3]
But Zen 5 does still apply Spectre V1 handling with usercopy/SWAPGS barriers and __user pointer sanitization, and Spectre V2 protections by default of enhanced/automatic IBRS, always-on STIBP, and conditional IBPB. Speculative Store Bypass (V4) can be disabled via the prctl() interface. But for all the other prominent CPU security vulnerabilities, Zen 5 is not affected.
So while there isn't much in the way of software mitigations needed for AMD Zen 5, with Phoronix readers ultimately always asking "what about running mitigations=off performance?!?!", this article is for you. Even on Zen 4 there hasn't been much benefit from running mitigations=off, and it is certainly not recommended for production systems due to the security risks. But for those wondering about the Zen 5 performance out-of-the-box versus running the Linux kernel in this unprotected mode, I did run a few dozen benchmarks on the AMD Ryzen 9 9950X.
These benchmarks are very straightforward in looking at the out-of-the-box performance versus those that opt for mitigations=off to try to squeeze out a bit extra performance...
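To check which of the states described above a given machine is in, the kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities can be read and classified. The script below is an added example, not code from the article: the `SAMPLE` strings are constructed to mirror the Zen 5 defaults described above, and the function names are this example's own.

```python
"""Audit CPU vulnerability status reported by the Linux kernel (added example)."""
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
# Constructed sample, modelled on the Zen 5 defaults the article describes.
SAMPLE = {
    "spec_rstack_overflow": "Not affected",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; STIBP: always-on",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl",
}

def classify(status):
    """Reduce a sysfs status line to one of four states."""
    status = status.strip()
    if status == "Not affected":
        return "not_affected"
    if status.startswith("Mitigation"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty, or a status string this script does not recognise

def read_sysfs(directory=SYSFS):
    """Return {file name: status line}; empty dict if the directory is absent."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(directory.iterdir()) if p.is_file()}

def findings(statuses, cmdline=""):
    """List what needs attention: mitigations=off, vulnerable or unknown entries."""
    issues = []
    if "mitigations=off" in cmdline.split():
        issues.append("kernel booted with mitigations=off")
    for name, status in sorted(statuses.items()):
        state = classify(status)
        if state in ("vulnerable", "unknown"):
            issues.append(f"{name}: {state} ({status or 'no status'})")
    return issues

if __name__ == "__main__":
    statuses = read_sysfs() or SAMPLE  # fall back to the constructed sample
    proc = Path("/proc/cmdline")
    cmdline = proc.read_text() if proc.exists() else ""
    for name, status in sorted(statuses.items()):
        print(f"{classify(status):13} {name}: {status}")
    problems = findings(statuses, cmdline)
    print("\n".join(problems) or "no unmitigated issues reported")
    raise SystemExit(1 if problems else 0)
```

The non-zero exit status on any finding makes the script usable as a fleet compliance check for hosts that were booted with mitigations=off.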
[1] https://www.phoronix.com/search/Zen+5
[2] https://www.phoronix.com/news/AMD-Inception-Cleanups
[3] https://www.phoronix.com/image-viewer.php?id=amd-zen5-mitigations-off&image=zen5_mitigations_2_lrg