199 	 * If the host has SSBD mitigation enabled, force it in the host's  in x86_virt_spec_ctrl()
235 /* Default mitigation for MDS-affected CPUs */
242 	[MDS_MITIGATION_FULL]	= "Mitigation: Clear CPU buffers",
296 /* Default mitigation for TAA-affected CPUs */
304 	[TAA_MITIGATION_VERW]		= "Mitigation: Clear CPU buffers",
305 	[TAA_MITIGATION_TSX_DISABLED]	= "Mitigation: TSX disabled",
327 	 * TAA mitigation via VERW is turned off if both  in taa_select_mitigation()
353 	 * TSX is enabled, select alternate mitigation for TAA which is  in taa_select_mitigation()
357 	 * present on host, enable the mitigation for UCODE_NEEDED as well.  in taa_select_mitigation()
395 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
403 	[MMIO_MITIGATION_VERW]		= "Mitigation: Clear CPU buffers",
419 	 * Enable CPU buffer clear mitigation for host and VMM, if also affected  in mmio_select_mitigation()
420 	 * by MDS or TAA. Otherwise, enable mitigation for VMM only.  in mmio_select_mitigation()
428 	 * mitigations, disable KVM-only mitigation in that case.  in mmio_select_mitigation()
446 	 * CPU Fill buffer clear mitigation is enumerated by either an explicit  in mmio_select_mitigation()
492 /* Default mitigation for Register File Data Sampling */
498 	[RFDS_MITIGATION_VERW]			= "Mitigation: Clear Register File",
547 	 * Stale Data mitigation, if necessary.  in md_clear_update_mitigation()
595 	 * after mitigation selection is done for each of these vulnerabilities.  in md_clear_select_mitigation()
617 	[SRBDS_MITIGATION_FULL]		= "Mitigation: Microcode",
618 	[SRBDS_MITIGATION_TSX_OFF]	= "Mitigation: TSX disabled",
638 	 * A MDS_NO CPU for which SRBDS mitigation is not needed due to TSX  in update_srbds_msr()
744 	[GDS_MITIGATION_FORCE]		= "Mitigation: AVX disabled, no microcode",
745 	[GDS_MITIGATION_FULL]		= "Mitigation: Microcode",
746 	[GDS_MITIGATION_FULL_LOCKED]	= "Mitigation: Microcode (locked)",
770 		 * the same state. Make sure the mitigation is enabled on all  in update_gds_msr()
808 	/* Will verify below that mitigation _can_ be disabled */  in gds_select_mitigation()
818 			pr_warn("Microcode update needed! Disabling AVX as mitigation.\n");  in gds_select_mitigation()
825 	/* Microcode has mitigation, use it */  in gds_select_mitigation()
832 			pr_warn("Mitigation locked. Disable failed.\n");  in gds_select_mitigation()
835 		 * The mitigation is selected from the boot CPU. All other CPUs  in gds_select_mitigation()
839 		 * ensure the other CPUs have the mitigation enabled.  in gds_select_mitigation()
880 …[SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitizati…
884  * Does SMAP provide full mitigation against speculative kernel access to
895 	 * Consider SMAP to be non-functional as a mitigation on these  in smap_works_speculatively()
915 		 * value.  The mitigation is to add lfences to both code paths.  in spectre_v1_select_mitigation()
927 			 * Mitigation can be provided from SWAPGS itself or  in spectre_v1_select_mitigation()
928 			 * PTI as the CR3 write in the Meltdown mitigation  in spectre_v1_select_mitigation()
981 	[RETBLEED_MITIGATION_UNRET]	= "Mitigation: untrained return thunk",
982 	[RETBLEED_MITIGATION_IBPB]	= "Mitigation: IBPB",
983 	[RETBLEED_MITIGATION_IBRS]	= "Mitigation: IBRS",
984 	[RETBLEED_MITIGATION_EIBRS]	= "Mitigation: Enhanced IBRS",
985 	[RETBLEED_MITIGATION_STUFF]	= "Mitigation: Stuffing",
1032 #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on A…
1033 #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attack…
1094 		 * The Intel mitigation (IBRS or eIBRS) was already selected in  in retbleed_select_mitigation()
1122 		 * other mitigation like SRSO has selected them.  in retbleed_select_mitigation()
1206 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data lea…
1208 …_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data le…
1209 #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may …
1266 	[SPECTRE_V2_USER_STRICT]		= "User space: Mitigation: STIBP protection",
1267 	[SPECTRE_V2_USER_STRICT_PREFERRED]	= "User space: Mitigation: STIBP always-on protection",
1268 	[SPECTRE_V2_USER_PRCTL]			= "User space: Mitigation: STIBP via prctl",
1269 	[SPECTRE_V2_USER_SECCOMP]		= "User space: Mitigation: STIBP via seccomp and prctl",
1387 		pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",  in spectre_v2_user_select_mitigation()
1423 			pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");  in spectre_v2_user_select_mitigation()
1435 	[SPECTRE_V2_RETPOLINE]			= "Mitigation: Retpolines",
1436 	[SPECTRE_V2_LFENCE]			= "Mitigation: LFENCE",
1437 	[SPECTRE_V2_EIBRS]			= "Mitigation: Enhanced / Automatic IBRS",
1438 	[SPECTRE_V2_EIBRS_LFENCE]		= "Mitigation: Enhanced / Automatic IBRS + LFENCE",
1439 	[SPECTRE_V2_EIBRS_RETPOLINE]		= "Mitigation: Enhanced / Automatic IBRS + Retpolines",
1440 	[SPECTRE_V2_IBRS]			= "Mitigation: IBRS",
1554 		pr_err("Kernel not compiled with retpoline; no mitigation available!");  in spectre_v2_select_retpoline()
1625 	pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");  in spectre_v2_determine_rsb_fill_type_at_vmexit()
1693 		pr_info("Spectre BHI mitigation: SW BHB clearing on VM exit only\n");  in bhi_select_mitigation()
1698 	pr_info("Spectre BHI mitigation: SW BHB clearing on syscall and VM exit\n");  in bhi_select_mitigation()
1859 	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");  in spectre_v2_select_mitigation()
1910 	pr_info("Update user space SMT mitigation: STIBP %s\n",  in update_stibp_strict()
2026 	[SPEC_STORE_BYPASS_DISABLE]	= "Mitigation: Speculative Store Bypass disabled",
2027 	[SPEC_STORE_BYPASS_PRCTL]	= "Mitigation: Speculative Store Bypass disabled via prctl",
2028 …[SPEC_STORE_BYPASS_SECCOMP]	= "Mitigation: Speculative Store Bypass disabled via prctl and seccomp…
2116 	 *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation  in __ssb_select_mitigation()
2155 	 * mitigation until it is scheduled next.  in task_update_spec_tif()
2157 	 * This can only happen for SECCOMP mitigation. For PRCTL it's  in task_update_spec_tif()
2263 		 * mitigation is force disabled.  in ib_prctl_set()
2395 /* Default mitigation for L1TF-affected CPUs */
2408  * The L1TF mitigation uses the top most address bit for the inversion of
2412  * then the mitigation range check in l1tf_select_mitigation() triggers.
2413  * This is a false positive because the mitigation is still possible due to
2472 	pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");  in l1tf_select_mitigation()
2479 		pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");  in l1tf_select_mitigation()
2541 	[SRSO_MITIGATION_SAFE_RET]		= "Mitigation: Safe RET",
2542 	[SRSO_MITIGATION_IBPB]			= "Mitigation: IBPB",
2543 	[SRSO_MITIGATION_IBPB_ON_VMEXIT]	= "Mitigation: IBPB on VMEXIT only"
2571 …NING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options."
2651 				 * other mitigation like Retbleed has selected them.  in srso_select_mitigation()
2691 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
2724 		return sysfs_emit(buf, "KVM: Mitigation: VMX unsupported\n");  in itlb_multihit_show_state()
2726 		return sysfs_emit(buf, "KVM: Mitigation: VMX disabled\n");  in itlb_multihit_show_state()
2728 		return sysfs_emit(buf, "KVM: Mitigation: Split huge pages\n");  in itlb_multihit_show_state()
2912 		return sysfs_emit(buf, "Mitigation: SMT disabled\n");  in srso_show_state()
2931 			return sysfs_emit(buf, "Mitigation: PTI\n");  in cpu_show_common()
2934 			return sysfs_emit(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");  in cpu_show_common()