192 	 * If the host has SSBD mitigation enabled, force it in the host's  in x86_virt_spec_ctrl()
228 /* Default mitigation for MDS-affected CPUs */
234 	[MDS_MITIGATION_FULL]	= "Mitigation: Clear CPU buffers",
288 /* Default mitigation for TAA-affected CPUs */
295 	[TAA_MITIGATION_VERW]		= "Mitigation: Clear CPU buffers",
296 	[TAA_MITIGATION_TSX_DISABLED]	= "Mitigation: TSX disabled",
320 	 * TAA mitigation via VERW is turned off if both  in taa_select_mitigation()
347 	 * TSX is enabled, select alternate mitigation for TAA which is  in taa_select_mitigation()
351 	 * present on host, enable the mitigation for UCODE_NEEDED as well.  in taa_select_mitigation()
389 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
396 	[MMIO_MITIGATION_VERW]		= "Mitigation: Clear CPU buffers",
416 	 * Enable CPU buffer clear mitigation for host and VMM, if also affected  in mmio_select_mitigation()
417 	 * by MDS or TAA. Otherwise, enable mitigation for VMM only.  in mmio_select_mitigation()
425 	 * mitigations, disable KVM-only mitigation in that case.  in mmio_select_mitigation()
443 	 * CPU Fill buffer clear mitigation is enumerated by either an explicit  in mmio_select_mitigation()
489 /* Default mitigation for Register File Data Sampling */
495 	[RFDS_MITIGATION_VERW]			= "Mitigation: Clear Register File",
544 	 * Stale Data mitigation, if necessary.  in md_clear_update_mitigation()
592 	 * after mitigation selection is done for each of these vulnerabilities.  in md_clear_select_mitigation()
613 	[SRBDS_MITIGATION_FULL]		= "Mitigation: Microcode",
614 	[SRBDS_MITIGATION_TSX_OFF]	= "Mitigation: TSX disabled",
711 	[GDS_MITIGATION_FORCE]		= "Mitigation: AVX disabled, no microcode",
712 	[GDS_MITIGATION_FULL]		= "Mitigation: Microcode",
713 	[GDS_MITIGATION_FULL_LOCKED]	= "Mitigation: Microcode (locked)",
737 		 * the same state. Make sure the mitigation is enabled on all  in update_gds_msr()
775 	/* Will verify below that mitigation _can_ be disabled */  in gds_select_mitigation()
785 			pr_warn("Microcode update needed! Disabling AVX as mitigation.\n");  in gds_select_mitigation()
792 	/* Microcode has mitigation, use it */  in gds_select_mitigation()
799 			pr_warn("Mitigation locked. Disable failed.\n");  in gds_select_mitigation()
802 		 * The mitigation is selected from the boot CPU. All other CPUs  in gds_select_mitigation()
806 		 * ensure the other CPUs have the mitigation enabled.  in gds_select_mitigation()
846 …[SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitizati…
850  * Does SMAP provide full mitigation against speculative kernel access to
861 	 * Consider SMAP to be non-functional as a mitigation on these  in smap_works_speculatively()
881 		 * value.  The mitigation is to add lfences to both code paths.  in spectre_v1_select_mitigation()
893 			 * Mitigation can be provided from SWAPGS itself or  in spectre_v1_select_mitigation()
894 			 * PTI as the CR3 write in the Meltdown mitigation  in spectre_v1_select_mitigation()
946 	[RETBLEED_MITIGATION_UNRET]	= "Mitigation: untrained return thunk",
947 	[RETBLEED_MITIGATION_IBPB]	= "Mitigation: IBPB",
948 	[RETBLEED_MITIGATION_IBRS]	= "Mitigation: IBRS",
949 	[RETBLEED_MITIGATION_EIBRS]	= "Mitigation: Enhanced IBRS",
992 #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on A…
993 #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attack…
1039 		 * The Intel mitigation (IBRS or eIBRS) was already selected in  in retbleed_select_mitigation()
1126 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data lea…
1128 …_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data le…
1129 #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may …
1186 	[SPECTRE_V2_USER_STRICT]		= "User space: Mitigation: STIBP protection",
1187 	[SPECTRE_V2_USER_STRICT_PREFERRED]	= "User space: Mitigation: STIBP always-on protection",
1188 	[SPECTRE_V2_USER_PRCTL]			= "User space: Mitigation: STIBP via prctl",
1189 	[SPECTRE_V2_USER_SECCOMP]		= "User space: Mitigation: STIBP via seccomp and prctl",
1314 		pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",  in spectre_v2_user_select_mitigation()
1348 			pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");  in spectre_v2_user_select_mitigation()
1360 	[SPECTRE_V2_RETPOLINE]			= "Mitigation: Retpolines",
1361 	[SPECTRE_V2_LFENCE]			= "Mitigation: LFENCE",
1362 	[SPECTRE_V2_EIBRS]			= "Mitigation: Enhanced / Automatic IBRS",
1363 	[SPECTRE_V2_EIBRS_LFENCE]		= "Mitigation: Enhanced / Automatic IBRS + LFENCE",
1364 	[SPECTRE_V2_EIBRS_RETPOLINE]		= "Mitigation: Enhanced / Automatic IBRS + Retpolines",
1365 	[SPECTRE_V2_IBRS]			= "Mitigation: IBRS",
1478 		pr_err("Kernel not compiled with retpoline; no mitigation available!");  in spectre_v2_select_retpoline()
1544 	pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");  in spectre_v2_determine_rsb_fill_type_at_vmexit()
1700 	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");  in spectre_v2_select_mitigation()
1751 	pr_info("Update user space SMT mitigation: STIBP %s\n",  in update_stibp_strict()
1869 	[SPEC_STORE_BYPASS_DISABLE]	= "Mitigation: Speculative Store Bypass disabled",
1870 	[SPEC_STORE_BYPASS_PRCTL]	= "Mitigation: Speculative Store Bypass disabled via prctl",
1871 …[SPEC_STORE_BYPASS_SECCOMP]	= "Mitigation: Speculative Store Bypass disabled via prctl and seccomp…
1957 	 *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation  in __ssb_select_mitigation()
1996 	 * mitigation until it is scheduled next.  in task_update_spec_tif()
1998 	 * This can only happen for SECCOMP mitigation. For PRCTL it's  in task_update_spec_tif()
2086 		 * mitigation is force disabled.  in ib_prctl_set()
2202 /* Default mitigation for L1TF-affected CPUs */
2214  * The L1TF mitigation uses the top most address bit for the inversion of
2218  * then the mitigation range check in l1tf_select_mitigation() triggers.
2219  * This is a false positive because the mitigation is still possible due to
2278 	pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");  in l1tf_select_mitigation()
2285 		pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");  in l1tf_select_mitigation()
2342 	[SRSO_MITIGATION_MICROCODE]      = "Mitigation: microcode",
2343 	[SRSO_MITIGATION_SAFE_RET]	 = "Mitigation: safe RET",
2344 	[SRSO_MITIGATION_IBPB]		 = "Mitigation: IBPB",
2345 	[SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only"
2373 …NING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options."
2384 	 * for guests to verify whether IBPB is a viable mitigation.  in srso_select_mitigation()
2409 			pr_err("Retbleed IBPB mitigation enabled, using same for SRSO\n");  in srso_select_mitigation()
2490 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
2523 		return sprintf(buf, "KVM: Mitigation: VMX unsupported\n");  in itlb_multihit_show_state()
2525 		return sprintf(buf, "KVM: Mitigation: VMX disabled\n");  in itlb_multihit_show_state()
2527 		return sprintf(buf, "KVM: Mitigation: Split huge pages\n");  in itlb_multihit_show_state()
2696 		return sysfs_emit(buf, "Mitigation: SMT disabled\n");  in srso_show_state()
2712 			return sprintf(buf, "Mitigation: PTI\n");  in cpu_show_common()
2715 			return sprintf(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");  in cpu_show_common()