New AMD Zen 4 Processors reportedly run even faster with Linux Kernel Security Mitigations enabled

AMD ZEN4 artistic representation (Image via AMD)

Most synthetic benchmarks on Linux exhibit this phenomenon, including Stress-NG, which experienced a 26.6% decline in CPU performance when all security measures were turned on. However, the security mitigations generally help the vast majority of benchmarked apps.

This is quite surprising because, in the past, security mitigations have consistently led to decreased CPU performance. They either made certain CPU design features, such as branch prediction, less efficient or made the CPU need more processing resources to do particular tasks.

So, for security and improved speed, we strongly advise anyone running Ryzen 7000 to leave the security mitigations turned on by default.


How is Zen 4 performing better with security mitigations in Linux 6.0?

According to Phoronix research, Ryzen 7000 CPUs on the latest Linux version, 6.0, are for some reason running quicker with security mitigations enabled than with them disabled. Although the reason for this anomaly in AMD's Zen 4 architecture is unknown, the finding means it is advisable to keep all appropriate security mitigations enabled in Linux, as they are by default.


While some Linux enthusiasts eagerly advise users to boot their systems with the "mitigations=off" kernel parameter to run-time disable various relevant CPU security mitigations for Spectre, Meltdown, L1TF, TAA, Retbleed, and friends, it's surprisingly faster, for the most part, leaving the relevant mitigations enabled with the new AMD Ryzen 7000 "Zen 4" processors even though they still need some software mitigations.

Linux kernel 6.0 still applies several security mitigations on Ryzen 7000: the Speculative Store Bypass mitigation (SSBD) for Spectre V4, and SWAPGS barriers and user pointer sanitization for Spectre V1. For Spectre V2, the mitigations are Retpolines, conditional Indirect Branch Predictor Barriers, IBRS firmware, always-on STIBP, and RSB filling.

On Zen 4, the SSB, Spectre V1, and Spectre V2 mitigations can still be disabled by booting the kernel with mitigations=off, which leaves the system in a "vulnerable" state.
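To confirm which of the mitigations listed above are actually active on a host, the kernel's own report can be read back. The script below is an added example, not code from the article or from Phoronix; the function names are hypothetical, while `/proc/cmdline` and `/sys/devices/system/cpu/vulnerabilities/` are the standard kernel interfaces.

```shell
#!/bin/sh
# Added example: audit CPU mitigation state from the real kernel interfaces
# /proc/cmdline and /sys/devices/system/cpu/vulnerabilities/.
# Function names are hypothetical, not from the article or the kernel.

# Print the effective mitigations= value; the last occurrence wins and the
# kernel default when the parameter is absent is "auto".
cmdline_mitigations_mode() (
    set -f                      # no globbing while word-splitting the cmdline
    mode=auto
    for tok in $1; do
        case "$tok" in mitigations=*) mode=${tok#mitigations=} ;; esac
    done
    echo "$mode"
)

# Map one sysfs status line to not_affected | mitigated | vulnerable | unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "name<TAB>class<TAB>status" per sysfs entry. Returns 1 if the command
# line says mitigations=off or any entry reports Vulnerable, else 0.
audit_mitigations() {
    vuln_dir=$1; cmdline_file=$2; bad=0
    mode=$(cmdline_mitigations_mode "$(cat "$cmdline_file")")
    echo "cmdline mitigations=$mode"
    if [ "$mode" = "off" ]; then bad=1; fi
    for f in "$vuln_dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "${f##*/}" "$class" "$status"
        if [ "$class" = "vulnerable" ]; then bad=1; fi
    done
    return "$bad"
}

# Audit the running host only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_mitigations /sys/devices/system/cpu/vulnerabilities /proc/cmdline ||
        echo "WARNING: mitigations disabled or CPU reported as vulnerable"
fi
```

The sysfs entries also reflect per-mitigation overrides, so they remain the authoritative view even when `mitigations=off` is absent from the command line.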


While many turn to disabling mitigations on Linux to avoid the performance penalties attributed to them, doing so is not beneficial on AMD's current-generation CPUs. With AMD Zen 4, it doesn't appear to be beneficial to boot with "mitigations=off"; doing so may have a detrimental effect on some real-world workloads.


Exceptions


For a few synthetic benchmarks like Stress-NG, OSBench, Sockperf, and the other standard ones, running with mitigations=off was quicker. However, the web browser benchmarks, Stargate DAW, other OpenJDK workloads, and other workloads that generally experienced performance consequences from the various security mitigations over the last 4+ years were benefiting significantly from sticking with the default mitigation set.

Maintaining the default mitigation settings for most of the benchmarks examined resulted in better results.


Final thoughts


Running with mitigations=off was around 3% slower overall than sticking with the default mitigations (enabled) over a wide range of 190 distinct benchmarks. This is the inverse of what we often observe with other, older CPUs.

It's understandable to wonder why the default mitigations make the Ryzen 9 7950X quicker when often the opposite is true. We shall make an updated post about why this anomaly is happening when we have more info.