
Intel & AMD cpu: add config (off by default) option that disables relevant security mitigations for huge (20-40%) performance uplift #1205

Open
ahydronous opened this issue Oct 24, 2024 · 1 comment

Comments


ahydronous commented Oct 24, 2024

I have a blurb in my own nixos config for certain CPUs to disable either retbleed and/or downfall mitigations.

Both of these are pretty much lab-only exploits that are virtually impossible to exploit without extreme setup and conditions. And at least for retbleed, the primary danger is to cloud providers, not personal computers. This is not worth paying a 20-40% (average 22.5%) performance cost for.

Nonetheless, I understand it would make people uncomfortable, so this "smart mitigations" option should be off by default.

Retbleed

AMD

  • Zen 1
    • Summit Ridge (Ryzen 1000)
    • Whitehaven (Threadripper 1000)
    • Raven Ridge (Ryzen/Athlon 2000)
    • Dali (Ryzen/Athlon APU 3000)
    • Naples (Epyc 7001)
  • Zen 1+
    • Pinnacle Ridge (Ryzen 2000)
    • Colfax (Threadripper 2000)
    • Picasso (Ryzen/Athlon 3000 APU)
  • Zen 2
    • Matisse (Ryzen 3000)
    • Castle Peak (Threadripper 3000)
    • Renoir (Ryzen 4000 APU)
    • Lucienne (Ryzen 5000)
    • Mendocino (Ryzen/Athlon 7020 APU)
    • Rome (Epyc 7002)

Intel

  • Skylake (6th gen)
  • Kaby Lake (7th gen)
  • Coffee Lake (8th gen)

Downfall

Intel

  • Skylake, 6th gen
  • Kaby Lake + mobile (Apollo Lake / Skylake-X), 7th gen
  • Coffee Lake + mobile (Amber Lake / Whiskey Lake), 8th gen
  • Coffee Lake Refresh, 9th gen
  • Comet Lake + mobile (Ice Lake / Amber Lake), 10th gen
  • Rocket Lake + mobile (Tiger Lake), 11th gen
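Before and after toggling any of these mitigations it is worth checking what the running kernel actually reports, since the effective state depends on CPU model, microcode and kernel version rather than on the boot parameters alone. The script below is an added example, not code from the issue or from the nixos-hardware project: it reads the kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/ and classifies each one by its leading keyword ("Not affected", "Mitigation:", "Vulnerable"). The classification rules and the sample file contents are my own construction; the sample strings imitate the kernel's reporting format but were written for this example.

```shell
#!/bin/sh
# Added example: summarize CPU vulnerability mitigation status from sysfs.
# Not part of the issue or of nixos-hardware.

# Real kernel interface: one file per vulnerability, e.g. retbleed,
# gather_data_sampling (Downfall), spectre_v2, meltdown.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify LINE -> one of: not-affected, mitigated, vulnerable, unknown
# The keyword prefixes follow the kernel's reporting convention; the
# bucketing into four states is this example's own choice.
classify() {
  case "$1" in
    "Not affected"*) echo not-affected ;;
    Mitigation:*)    echo mitigated ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# mitigation_status [DIR] -> tab-separated "name  state  raw kernel text"
# for every file in DIR (defaults to the real sysfs directory).
mitigation_status() {
  dir="${1:-$VULN_DIR}"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    line=$(cat "$f")
    printf '%s\t%s\t%s\n' "$name" "$(classify "$line")" "$line"
  done
}

# count_vulnerable [DIR] -> number of entries the kernel flags as Vulnerable
count_vulnerable() {
  mitigation_status "$1" | awk -F '\t' '$2 == "vulnerable"' | wc -l | tr -d ' '
}

# make_sample_dir -> path of a temp dir with CONSTRUCTED sample files.
# The contents imitate what a machine booted with retbleed mitigated but
# Downfall left unmitigated might show; they are not captured output.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Mitigation: untrained return thunk; SMT enabled with STIBP protection\n' > "$d/retbleed"
  printf 'Vulnerable: No microcode\n' > "$d/gather_data_sampling"
  printf 'Not affected\n' > "$d/meltdown"
  printf 'Mitigation: Retpolines; IBPB: conditional; STIBP: always-on\n' > "$d/spectre_v2"
  echo "$d"
}

# Run against the constructed sample, then against the live system if present.
sample=$(make_sample_dir)
echo "== constructed sample =="
mitigation_status "$sample"
echo "vulnerable entries: $(count_vulnerable "$sample")"
rm -rf "$sample"

if [ -d "$VULN_DIR" ]; then
  echo "== this machine ($VULN_DIR) =="
  mitigation_status "$VULN_DIR"
  echo "vulnerable entries: $(count_vulnerable "$VULN_DIR")"
fi
```

Run it once with the mitigations enabled and once after changing the kernel parameters, and diff the two reports; any entry that moved from "mitigated" to "vulnerable" is exactly the exposure the performance gain is being traded for.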
ahydronous changed the title from "Intel & AMD cpu: add config (off by default) option that disables relevant security mitigations for huge performance uplift" to "Intel & AMD cpu: add config (off by default) option that disables relevant security mitigations for huge (20-40%) performance uplift" on Oct 24, 2024
Mic92 (Member) commented Dec 2, 2024

When you say cloud providers are mainly affected, what types of attacks does this entail?
VM escapes? Is my browser also a VM in this case?

Labels: none yet. Projects: none yet. Development: no branches or pull requests. 2 participants.