Re: [PATCH v2 1/3] cpu/bugs: Allow forcing Automatic IBRS with SNP enabled using spectre_v2=eibrs
From: Pawan Gupta
Date: Fri Mar 13 2026 - 16:04:29 EST
On Wed, Mar 11, 2026 at 08:06:09AM -0500, Kim Phillips wrote:
> To allow this, do the SNP check in spectre_v2_select_mitigation()
> processing instead of the original commit's implementation in
> cpu_set_bug_bits().
>
> Since SPECTRE_V2_CMD_AUTO logic falls through to SPECTRE_V2_CMD_FORCE,
> double-check if SPECTRE_V2_CMD_FORCE is used before allowing
> SPECTRE_V2_EIBRS with SNP enabled.
>
> Also mute SPECTRE_V2_IBRS_PERF_MSG if SNP is enabled on an AutoIBRS
> capable machine, since, in that case, the message doesn't apply.
>
> Fixes: acaa4b5c4c85 ("x86/speculation: Do not enable Automatic IBRS if SEV-SNP is enabled")
> Reported-by: Tom Lendacky <thomas.lendacky@xxxxxxx>
> Cc: Borislav Petkov (AMD) <bp@xxxxxxxxx>
> Cc: stable@xxxxxxxxxx
> Signed-off-by: Kim Phillips <kim.phillips@xxxxxxx>
> ---
> v2:
> - Address Dave Hansen's comment to adhere to using the IBRS_ENHANCED
> Intel feature flag also for AutoIBRS.
>
> v1:
> https://lore.kernel.org/kvm/20260224180157.725159-2-kim.phillips@xxxxxxx/
>
> arch/x86/kernel/cpu/bugs.c | 12 ++++++++++--
> arch/x86/kernel/cpu/common.c | 6 +-----
> 2 files changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 83f51cab0b1e..957e0df38d90 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -2181,7 +2181,14 @@ static void __init spectre_v2_select_mitigation(void)
> break;
> fallthrough;
> case SPECTRE_V2_CMD_FORCE:
> - if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
> + /*
> + * Unless forced, don't use AutoIBRS when SNP is enabled
> + * because it degrades host userspace indirect branch performance.
> + */
> + if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) &&
> + (!boot_cpu_has(X86_FEATURE_SEV_SNP) ||
> + (boot_cpu_has(X86_FEATURE_SEV_SNP) &&
> + spectre_v2_cmd == SPECTRE_V2_CMD_FORCE))) {
This is forcing AutoIBRS when spectre_v2=on (meaning force), but the
subject says to allow forcing with spectre_v2=eibrs, which one is it?