
Intel & AMD CPU: add config (off by default) option that disables relevant security mitigations for huge (20-40%) performance uplift

Open ahydronous opened this issue 1 year ago • 3 comments

I have a blurb in my own nixos config for certain CPUs to disable either retbleed and/or downfall mitigations.

Both of these are pretty much lab-only exploits that are virtually impossible to exploit without extreme setup and conditions. And at least for retbleed, the primary danger is to cloud providers, not personal computers. This is not worth paying a 20-40% (average 22.5%) performance cost for.

Nonetheless, I understand it would make people uncomfortable, so this "smart mitigations" option should be off by default.

Retbleed

AMD

  • Zen 1
    • Summit Ridge (Ryzen 1000)
    • Whitehaven (Threadripper 1000)
    • Raven Ridge (Ryzen/Athlon 2000)
    • Dali (Ryzen/Athlon APU 3000)
    • Naples (Epyc 7001)
  • Zen 1+
    • Pinnacle Ridge (Ryzen 2000)
    • Colfax (Threadripper 2000)
    • Picasso (Ryzen/Athlon 3000 APU)
  • Zen 2
    • Matisse (Ryzen 3000)
    • Castle Peak (Threadripper 3000)
    • Renoir (Ryzen 4000 APU)
    • Lucienne (Ryzen 5000)
    • Mendocino (Ryzen/Athlon 7020 APU)
    • Rome (Epyc 7002)

Intel

  • Skylake (6th gen)
  • Kaby Lake (7th gen)
  • Coffee Lake (8th gen)

Downfall

Intel

  • Skylake, 6th gen
  • Kaby Lake + mobile (Apollo Lake / Skylake-X), 7th gen
  • Coffee Lake + mobile (Amber Lake / Whiskey Lake), 8th gen
  • Coffee Lake Refresh, 9th gen
  • Comet Lake + mobile (Ice Lake / Amber Lake), 10th gen
  • Rocket Lake + mobile (Tiger Lake), 11th gen

ahydronous, Oct 24 '24 12:10
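The option the issue asks for, sketched as a NixOS module that is off by default and emits a build-time warning when turned on. This is an added example, not the author's own blurb and not code from nixos-hardware; the option path `hardware.cpu.disableSideChannelMitigations` is an assumption, while `retbleed=off` and `gather_data_sampling=off` are the upstream kernel command-line parameters for the two mitigations, and the sysfs files named in the warning are where the kernel reports their live state.

```nix
# Added example (not from the issue or from nixos-hardware): a NixOS module
# for the requested option.  The option path is an assumption; the kernel
# parameters are the upstream ones (retbleed=off, gather_data_sampling=off).
{ config, lib, ... }:

let
  cfg = config.hardware.cpu.disableSideChannelMitigations;
in
{
  options.hardware.cpu.disableSideChannelMitigations = {
    # mkEnableOption defaults to false, so nothing changes unless opted in.
    enable = lib.mkEnableOption "disabling the Retbleed and Downfall CPU mitigations";

    retbleed = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Pass retbleed=off (AMD Zen 1/1+/2, Intel 6th-8th gen are affected).";
    };

    downfall = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Pass gather_data_sampling=off (Intel 6th-11th gen are affected).";
    };
  };

  config = lib.mkIf cfg.enable {
    # The kernel only acts on these parameters when it has marked the CPU as
    # affected; on any other CPU they are no-ops.
    boot.kernelParams =
      lib.optional cfg.retbleed "retbleed=off"
      ++ lib.optional cfg.downfall "gather_data_sampling=off";

    # Make the trade-off visible at every rebuild rather than silently applied.
    warnings = [
      ''
        hardware.cpu.disableSideChannelMitigations is enabled: Retbleed and/or
        Downfall mitigations are turned off on this host.  Check the live state
        after boot with:
          cat /sys/devices/system/cpu/vulnerabilities/retbleed
          cat /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
      ''
    ];
  };
}
```

With the option left at its default, the module adds no kernel parameters and no warning, matching the "off by default" request in the issue.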