Discover Security Trends News
With AMD Zen 4, It's Surprisingly Not Worthwhile Disabling CPU Security Mitigations
While some Linux enthusiasts eagerly recommend users boot their systems with the "mitigations=off" kernel parameter for run-time disabling of various relevant CPU security mitigations for Spectre, Meltdown, L1TF, TAA, Retbleed, and friends, with the new AMD Ryzen 7000 "Zen 4" processors while still needing some software mitigations, it's surprisingly faster for the most part leaving the relevant mitigations enabled.
With AMD Zen 4 processors and the currently public security disclosures, Linux 6.0 on the Ryzen 7000 series CPUs has Speculative Store Bypass disabled via prctl for the SSBD / Spectre V4 mitigation and Spectre V1 mitigations of usercopy/SWAPGS barriers and __user pointer sanitization. Then for Spectre V2 there are Retpolines, conditional Indirect Branch Predictor Barriers (IBPB), IBRS firmware, always-on Single Threaded Indirect Branch Predictors (STIBP), and return stack buffer (RSB) filling. Those are the only software security mitigations involved with Zen 4 at this time with the new CPUs not being vulnerable to the assortment of other known vulnerabilities affecting different CPUs.