Linux users can rejoice: work-in-progress changes to the Linux 4.20 kernel's implementation of the Single Thread Indirect Branch Predictors (STIBP) mitigation appear to restore performance on Intel systems. Now instead of taking up to a 50% performance hit in some benchmarks when updating to the latest kernel release, Linux users can expect their systems to perform about as well as they did before while also enjoying better security.
STIBP is supposed to defend against Spectre v2 exploits, which rely on a vulnerability in CPUs with simultaneous multithreading (SMT), such as Intel processors with Hyper-Threading enabled. That should be a good thing, since nobody wants their system to be affected by a known vulnerability. Yet the nature of the vulnerability, combined with the dramatic effect this release had on performance, led many to question the benefits of using STIBP.
Those questions eventually reached Linus Torvalds, who said that "when performance goes down by 50% on some loads, people need to start asking themselves whether it was worth it," and that "I think we should use the same logic as for L1TF: we default to something that doesn't kill performance." He also noted that truly security-conscious people are more likely to disable SMT entirely than to rely on STIBP mitigations.
Phoronix benchmarked some preliminary changes to Linux 4.20's implementation of STIBP to see what kind of effect it could have on performance. Many of the results are favorable: the updates bring the Linux 4.20 WIP Conditional STIBP release in line with Linux 4.19.0 in many benchmarks. This release still performs worse in some benchmarks, but it's also notably better than 4.20, so it should appease most people affected by the hit.
All this is because the Linux 4.20 WIP Conditional STIBP release changes the mitigation implementation to run only when processes ask for it or for SECCOMP threads. That actually brings the kernel's implementation more in line with AMD's and Intel's recommendations, which are to apply the mitigation "surgically" instead of enabling it by default, as Intel Fellow Arjan van de Ven said in reply to Torvalds' email about the STIBP performance issue.
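The "processes ask for it" part is the prctl() speculation-control interface. The following is an added example, not code from the article or from the kernel tree, showing how a single task can query its own indirect-branch speculation status and opt in to STIBP under the conditional mode; the helper names (ib_spec_status, ib_spec_opt_in, ib_spec_describe) are this example's own, and the fallback constant values are assumed to match include/uapi/linux/prctl.h for kernels 4.17 and later.

```c
/* Added example: per-task STIBP opt-in via prctl() on a 4.20+ kernel.
 * On older kernels, non-x86 hosts, or when the mitigation is not in
 * prctl mode, the calls fail and the helpers return -errno instead. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for toolchains whose headers predate these constants
 * (assumed to match include/uapi/linux/prctl.h). */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_NOT_AFFECTED 0
#define PR_SPEC_PRCTL 1
#define PR_SPEC_ENABLE 2
#define PR_SPEC_DISABLE 4
#define PR_SPEC_FORCE_DISABLE 8
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif

/* Query this task's indirect-branch speculation state; returns the
 * kernel's status bitmask, or -errno when the interface is unavailable. */
int ib_spec_status(void)
{
    int r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Opt this task in: "disable speculation" means STIBP is turned on for it. */
int ib_spec_opt_in(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_DISABLE, 0, 0) < 0)
        return -errno;
    return 0;
}

/* Turn the status bitmask into a short human-readable label. */
const char *ib_spec_describe(int st)
{
    if (st < 0) return "unsupported (old kernel or no prctl control)";
    if (st == PR_SPEC_NOT_AFFECTED) return "not affected";
    if (!(st & PR_SPEC_PRCTL)) /* kernel command line fixed the policy */
        return (st & PR_SPEC_DISABLE) ? "STIBP forced on system-wide"
                                      : "STIBP off system-wide";
    if (st & PR_SPEC_FORCE_DISABLE) return "STIBP on for this task (locked)";
    if (st & PR_SPEC_DISABLE) return "STIBP on for this task";
    return "STIBP off for this task (default under conditional mode)";
}

int main(void)
{
    printf("before: %s\n", ib_spec_describe(ib_spec_status()));
    int rc = ib_spec_opt_in();
    if (rc < 0) printf("opt-in failed: %s\n", strerror(-rc));
    printf("after:  %s\n", ib_spec_describe(ib_spec_status()));
    return 0;
}
```

Only the calling task (and children it forks) pays the STIBP cost after the opt-in, which is the "surgical" use the paragraph describes.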