[hlandau]

Only preproduction firmware was affected. Mitigations were implemented in firmware/Linux prior to shipping, and are actually superior to "mitigated" x86.

Before POWER9 shipped (but after the last silicon respin), the processor was vulnerable to both Meltdown and Spectre. IBM determined that this could be mitigated via firmware and kernel changes without another respin.

AIUI, it was determined that for intra-process Spectre mitigation in userspace, recompiling everything to use retpolines and modifying firmware to knacker the branch predictor, etc. in a way that mitigated Spectre had equivalent performance losses. So rather than make people recompile everything with retpolines, the firmware modification option was chosen. This yields a highly conservative Spectre mitigation erring on the side of security rather than performance.

By comparison, Intel/AMD have chosen not to mitigate intraprocess Spectre by default; it has been made the responsibility of application developers to mitigate intraprocess Spectre via retpolines if desired... it essentially shifts the spotlight for performance losses from the vendors to the developers, giving the vendors an escape from having their patches show huge performance losses. But of course, most people aren't shipping software with retpolines, so in practice, the x86 vendors have basically chosen not to mitigate intraprocess Spectre.

POWER9's firmware-based intraprocess mitigations can be disabled at boot if desired (leaving kernel and interprocess Spectre mitigations and Meltdown mitigations in place), providing a level of protection and performance comparable to "mitigated" x86.