News AMD's Inception Fix Causes Up to 54% Performance Drop

[cryoburner]

Interesting but how would this effect a server user or an average zen3 user? Is the vulnerability worth patching at the performance loss?

Do you use anything on something called the world wide internets? If so you use things that all of these vulnerabilities can exploit. And the servers serving you these exploits and more is what puts them at risk.
Is it worth patching? All depends on what you have to lose and how much you need performance: No money, no credentials/identity worth stealing, or activities of interest to other parties and only the need for max FPS in lame shooting title of the day? Then no, you have nothing to worry about. Otherwise, well, again, it all depends.

These potential attacks require local execution, meaning you need to already have malware running on your system for it to pose a threat. For shared servers that have multiple separate users, having one user be able to steal information from areas of the server that it's not supposed to have access to might be more of a concern. For a single-user environment though, if you have malware running on your system, then it is already compromised, and could be doing any number of other things even with these patches installed. So the risk to personal computers is arguably not that high, compared to the countless other things that malware could be doing on a system.

Of course, the performance impact of installing these patches might not be all that significant to the end-user either. Tom's focused on the absolute worst-case numbers for their article when using a more demanding alternative fix, and didn't show the results for the vast majority of tested software, which tended to show little to no noticeable performance impact, especially when using the default mitigations. Even that worst-case "54% performance drop" in that one server database software benchmark gets cut in half when using the standard fix, making the title of the article a bit deceptive. And of course, these are all Linux software tests, and the impact on Windows might be different. I suspect the effect on consumer software and game performance will tend to be low as well.

Even the site Tom's is quoting for the entirety of the content for this article downplayed the impact of these patches...

Overall it comes down to what workloads you are engaged in whether you may notice any performance difference when upgrading your Linux kernel (or otherwise being patched for Inception on your given OS) on an AMD Zen desktop or server. For the most part users are unlikely to notice anything drastic, aside from some sizable database performance hits in a few cases. It's unfortunate seeing some of these regressions due to the Inception mitigation but ultimately is unlikely to really change the competitive standing of AMD's latest wares on Linux. Most of the prior AMD CPU security mitigations have also not resulted in any performance degradation, so this Inception mitigation difference is a bit rare. It also was announced on the same day as Intel Downfall where there was again a sizable hit to Intel CPU performance. For those wanting to avoid the new mitigation, there is always the "mitigations=off" route or the "spec_rstack_overflow=off" as used in this round of testing (the "off" metrics) for only disabling the Inception/SRSO and leaving all other CPU security mitigations at their respective defaults. I continue to run more AMD Inception and Intel Downfall benchmarks in looking to uncover any other performance differences worth mentioning.

 

[bit_user]

These potential attacks require local execution, meaning you need to already have malware running on your system for it to pose a threat.

Some of these exploits have been demonstrated via Javascript. So, code running in one browser window/tab could potentially spy on other browser windows/tabs or other programs altogether.

Your other points about the mitigation's impact being exaggerated stand, although I wouldn't be so confident that it won't affect gaming. Let's wait and see some benchmarks on that.

 

[cryoburner]

Some of these exploits have been demonstrated via Javascript. So, code running in one browser window/tab could potentially spy on other browser windows/tabs or other programs altogether.

I'm pretty sure that's a different exploit than the one being discussed in this article though, and if it's something that doesn't have as much of a performance impact, then there's less reason to consider not patching it.