authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-15 15:22:51 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-15 15:22:51 +0200
commit8ca7fc995cc09d32a83394c65d4f328faa4cfc84 (patch)
tree3d2701e276fcf994caf74c04ea5c7cf733a1b195
parent267310b108064c357b830c31944c1dd2e1f5169f (diff)
6.8-stable patches
added patches: x86-bugs-clarify-that-syscall-hardening-isn-t-a-bhi-mitigation.patch x86-bugs-remove-config_bhi_mitigation_auto-and-spectre_bhi-auto.patch x86-bugs-replace-config_spectre_bhi_-on-off-with-config_mitigation_spectre_bhi.patch
-rw-r--r--queue-6.8/series4
-rw-r--r--queue-6.8/x86-bugs-clarify-that-syscall-hardening-isn-t-a-bhi-mitigation.patch82
-rw-r--r--queue-6.8/x86-bugs-remove-config_bhi_mitigation_auto-and-spectre_bhi-auto.patch102
-rw-r--r--queue-6.8/x86-bugs-rename-various-ia32_cap-variables-to-x86_arch_cap_msr.patch22
-rw-r--r--queue-6.8/x86-bugs-replace-config_spectre_bhi_-on-off-with-config_mitigation_spectre_bhi.patch71
-rw-r--r--queue-6.8/x86-speculation-do-not-enable-automatic-ibrs-if-sev-snp-is-enabled.patch46
6 files changed, 268 insertions, 59 deletions
diff --git a/queue-6.8/series b/queue-6.8/series
index 0d3db67fca..b02cb7d337 100644
--- a/queue-6.8/series
+++ b/queue-6.8/series
@@ -151,6 +151,8 @@ kernfs-annotate-different-lockdep-class-for-of-mutex-of-writable-files.patch
x86-bugs-fix-return-type-of-spectre_bhi_state.patch
x86-bugs-fix-bhi-documentation.patch
x86-bugs-cache-the-value-of-msr_ia32_arch_capabilities.patch
-x86-speculation-do-not-enable-automatic-ibrs-if-sev-snp-is-enabled.patch
x86-bugs-rename-various-ia32_cap-variables-to-x86_arch_cap_msr.patch
x86-bugs-fix-bhi-handling-of-rrsba.patch
+x86-bugs-clarify-that-syscall-hardening-isn-t-a-bhi-mitigation.patch
+x86-bugs-remove-config_bhi_mitigation_auto-and-spectre_bhi-auto.patch
+x86-bugs-replace-config_spectre_bhi_-on-off-with-config_mitigation_spectre_bhi.patch
diff --git a/queue-6.8/x86-bugs-clarify-that-syscall-hardening-isn-t-a-bhi-mitigation.patch b/queue-6.8/x86-bugs-clarify-that-syscall-hardening-isn-t-a-bhi-mitigation.patch
new file mode 100644
index 0000000000..2623f26526
--- /dev/null
+++ b/queue-6.8/x86-bugs-clarify-that-syscall-hardening-isn-t-a-bhi-mitigation.patch
@@ -0,0 +1,82 @@
+From 5f882f3b0a8bf0788d5a0ee44b1191de5319bb8a Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+Date: Wed, 10 Apr 2024 22:40:48 -0700
+Subject: x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+commit 5f882f3b0a8bf0788d5a0ee44b1191de5319bb8a upstream.
+
+While syscall hardening helps prevent some BHI attacks, there's still
+other low-hanging fruit remaining. Don't classify it as a mitigation
+and make it clear that the system may still be vulnerable if it doesn't
+have a HW or SW mitigation enabled.
+
+Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Sean Christopherson <seanjc@google.com>
+Link: https://lore.kernel.org/r/b5951dae3fdee7f1520d5136a27be3bdfe95f88b.1712813475.git.jpoimboe@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/hw-vuln/spectre.rst | 11 +++++------
+ Documentation/admin-guide/kernel-parameters.txt | 3 +--
+ arch/x86/kernel/cpu/bugs.c | 6 +++---
+ 3 files changed, 9 insertions(+), 11 deletions(-)
+
+--- a/Documentation/admin-guide/hw-vuln/spectre.rst
++++ b/Documentation/admin-guide/hw-vuln/spectre.rst
+@@ -441,10 +441,10 @@ The possible values in this file are:
+ - System is protected by BHI_DIS_S
+ * - BHI: SW loop, KVM SW loop
+ - System is protected by software clearing sequence
+- * - BHI: Syscall hardening
+- - Syscalls are hardened against BHI
+- * - BHI: Syscall hardening, KVM: SW loop
+- - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence
++ * - BHI: Vulnerable
++ - System is vulnerable to BHI
++ * - BHI: Vulnerable, KVM: SW loop
++ - System is vulnerable; KVM is protected by software clearing sequence
+
+ Full mitigation might require a microcode update from the CPU
+ vendor. When the necessary microcode is not available, the kernel will
+@@ -661,8 +661,7 @@ kernel command line.
+ spectre_bhi=
+
+ [X86] Control mitigation of Branch History Injection
+- (BHI) vulnerability. Syscalls are hardened against BHI
+- regardless of this setting. This setting affects the deployment
++ (BHI) vulnerability. This setting affects the deployment
+ of the HW BHI control and the SW BHB clearing sequence.
+
+ on
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -6033,8 +6033,7 @@
+ See Documentation/admin-guide/laptops/sonypi.rst
+
+ spectre_bhi= [X86] Control mitigation of Branch History Injection
+- (BHI) vulnerability. Syscalls are hardened against BHI
+- reglardless of this setting. This setting affects the
++ (BHI) vulnerability. This setting affects the
+ deployment of the HW BHI control and the SW BHB
+ clearing sequence.
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2817,10 +2817,10 @@ static const char *spectre_bhi_state(voi
+ return "; BHI: SW loop, KVM: SW loop";
+ else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled)
+ return "; BHI: Retpoline";
+- else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
+- return "; BHI: Syscall hardening, KVM: SW loop";
++ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
++ return "; BHI: Vulnerable, KVM: SW loop";
+
+- return "; BHI: Vulnerable (Syscall hardening enabled)";
++ return "; BHI: Vulnerable";
+ }
+
+ static ssize_t spectre_v2_show_state(char *buf)
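Review bot: The bugs.c hunk changes the strings spectre_bhi_state() returns (`; BHI: Syscall hardening, KVM: SW loop` and `; BHI: Vulnerable (Syscall hardening enabled)` become `; BHI: Vulnerable, KVM: SW loop` and `; BHI: Vulnerable`), which is user-visible sysfs output that monitoring and compliance tooling may match on, and neither the commit message nor the spectre.rst hunk calls that out as a change in reported state. Consider adding a sentence to the description such as `The spectre_v2 sysfs state no longer reports "Syscall hardening"; a system whose only BHI measure is the syscall BHB clearing loop now reports "BHI: Vulnerable".` The earlier branches of the if/else chain and the start of spectre_bhi_state() lie outside the hunk, so which feature combinations now fall through to the final `; BHI: Vulnerable` return cannot be confirmed from here. The spectre.rst and kernel-parameters.txt hunks are consistent with the new strings.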
diff --git a/queue-6.8/x86-bugs-remove-config_bhi_mitigation_auto-and-spectre_bhi-auto.patch b/queue-6.8/x86-bugs-remove-config_bhi_mitigation_auto-and-spectre_bhi-auto.patch
new file mode 100644
index 0000000000..637fffd705
--- /dev/null
+++ b/queue-6.8/x86-bugs-remove-config_bhi_mitigation_auto-and-spectre_bhi-auto.patch
@@ -0,0 +1,102 @@
+From 36d4fe147c870f6d3f6602befd7ef44393a1c87a Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+Date: Wed, 10 Apr 2024 22:40:50 -0700
+Subject: x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+commit 36d4fe147c870f6d3f6602befd7ef44393a1c87a upstream.
+
+Unlike most other mitigations' "auto" options, spectre_bhi=auto only
+mitigates newer systems, which is confusing and not particularly useful.
+
+Remove it.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Cc: Sean Christopherson <seanjc@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/412e9dc87971b622bbbaf64740ebc1f140bff343.1712813475.git.jpoimboe@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/hw-vuln/spectre.rst | 4 ----
+ Documentation/admin-guide/kernel-parameters.txt | 3 ---
+ arch/x86/Kconfig | 4 ----
+ arch/x86/kernel/cpu/bugs.c | 10 +---------
+ 4 files changed, 1 insertion(+), 20 deletions(-)
+
+--- a/Documentation/admin-guide/hw-vuln/spectre.rst
++++ b/Documentation/admin-guide/hw-vuln/spectre.rst
+@@ -669,10 +669,6 @@ kernel command line.
+ needed.
+ off
+ Disable the mitigation.
+- auto
+- Enable the HW mitigation if needed, but
+- *don't* enable the SW mitigation except for KVM.
+- The system may be vulnerable.
+
+ For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -6040,9 +6040,6 @@
+ on - (default) Enable the HW or SW mitigation
+ as needed.
+ off - Disable the mitigation.
+- auto - Enable the HW mitigation if needed, but
+- *don't* enable the SW mitigation except
+- for KVM. The system may be vulnerable.
+
+ spectre_v2= [X86] Control mitigation of Spectre variant 2
+ (indirect branch speculation) vulnerability.
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2630,10 +2630,6 @@ config SPECTRE_BHI_OFF
+ bool "off"
+ help
+ Equivalent to setting spectre_bhi=off command line parameter.
+-config SPECTRE_BHI_AUTO
+- bool "auto"
+- help
+- Equivalent to setting spectre_bhi=auto command line parameter.
+
+ endchoice
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1624,13 +1624,10 @@ static bool __init spec_ctrl_bhi_dis(voi
+ enum bhi_mitigations {
+ BHI_MITIGATION_OFF,
+ BHI_MITIGATION_ON,
+- BHI_MITIGATION_AUTO,
+ };
+
+ static enum bhi_mitigations bhi_mitigation __ro_after_init =
+- IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON :
+- IS_ENABLED(CONFIG_SPECTRE_BHI_OFF) ? BHI_MITIGATION_OFF :
+- BHI_MITIGATION_AUTO;
++ IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : BHI_MITIGATION_OFF;
+
+ static int __init spectre_bhi_parse_cmdline(char *str)
+ {
+@@ -1641,8 +1638,6 @@ static int __init spectre_bhi_parse_cmdl
+ bhi_mitigation = BHI_MITIGATION_OFF;
+ else if (!strcmp(str, "on"))
+ bhi_mitigation = BHI_MITIGATION_ON;
+- else if (!strcmp(str, "auto"))
+- bhi_mitigation = BHI_MITIGATION_AUTO;
+ else
+ pr_err("Ignoring unknown spectre_bhi option (%s)", str);
+
+@@ -1672,9 +1667,6 @@ static void __init bhi_select_mitigation
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
+ pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
+
+- if (bhi_mitigation == BHI_MITIGATION_AUTO)
+- return;
+-
+ /* Mitigate syscalls when the mitigation is forced =on */
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
+ pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
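Review bot: The context comment `/* Mitigate syscalls when the mitigation is forced =on */` in the bhi_select_mitigation() hunk becomes stale once the `BHI_MITIGATION_AUTO` early return directly above it is removed: with only `on` and `off` left there is no "forced" on distinct from the default, so the syscall clearing loop is set up whenever the mitigation is enabled at all. Suggest rewording it to `/* spectre_bhi=on (the default) also clears BHB on syscall, not only on VM exit */`. The enclosing function starts and ends outside the hunk, so whether an `off` check precedes this block cannot be confirmed here. The Kconfig, spectre.rst and kernel-parameters.txt hunks remove the `auto` option consistently with the bugs.c enum and parser changes.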
diff --git a/queue-6.8/x86-bugs-rename-various-ia32_cap-variables-to-x86_arch_cap_msr.patch b/queue-6.8/x86-bugs-rename-various-ia32_cap-variables-to-x86_arch_cap_msr.patch
index 7875891522..9a089c9113 100644
--- a/queue-6.8/x86-bugs-rename-various-ia32_cap-variables-to-x86_arch_cap_msr.patch
+++ b/queue-6.8/x86-bugs-rename-various-ia32_cap-variables-to-x86_arch_cap_msr.patch
@@ -235,14 +235,12 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
!cpu_has(c, X86_FEATURE_AMD_SSB_NO))
setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
-@@ -1389,17 +1389,17 @@ static void __init cpu_set_bug_bits(stru
- * Don't use AutoIBRS when SNP is enabled because it degrades host
- * userspace indirect branch performance.
+@@ -1386,15 +1386,15 @@ static void __init cpu_set_bug_bits(stru
+ * AMD's AutoIBRS is equivalent to Intel's eIBRS - use the Intel feature
+ * flag and protect from vendor-specific bugs via the whitelist.
*/
-- if ((ia32_cap & ARCH_CAP_IBRS_ALL) ||
-+ if ((x86_arch_cap_msr & ARCH_CAP_IBRS_ALL) ||
- (cpu_has(c, X86_FEATURE_AUTOIBRS) &&
- !cpu_feature_enabled(X86_FEATURE_SEV_SNP))) {
+- if ((ia32_cap & ARCH_CAP_IBRS_ALL) || cpu_has(c, X86_FEATURE_AUTOIBRS)) {
++ if ((x86_arch_cap_msr & ARCH_CAP_IBRS_ALL) || cpu_has(c, X86_FEATURE_AUTOIBRS)) {
setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
if (!cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
- !(ia32_cap & ARCH_CAP_PBRSB_NO))
@@ -256,7 +254,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
setup_force_cpu_bug(X86_BUG_MDS);
if (cpu_matches(cpu_vuln_whitelist, MSBDS_ONLY))
setup_force_cpu_bug(X86_BUG_MSBDS_ONLY);
-@@ -1418,9 +1418,9 @@ static void __init cpu_set_bug_bits(stru
+@@ -1413,9 +1413,9 @@ static void __init cpu_set_bug_bits(stru
* TSX_CTRL check alone is not sufficient for cases when the microcode
* update is not present or running as guest that don't get TSX_CTRL.
*/
@@ -268,7 +266,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
setup_force_cpu_bug(X86_BUG_TAA);
/*
-@@ -1446,7 +1446,7 @@ static void __init cpu_set_bug_bits(stru
+@@ -1441,7 +1441,7 @@ static void __init cpu_set_bug_bits(stru
* Set X86_BUG_MMIO_UNKNOWN for CPUs that are neither in the blacklist,
* nor in the whitelist and also don't enumerate MSR ARCH_CAP MMIO bits.
*/
@@ -277,7 +275,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
if (cpu_matches(cpu_vuln_blacklist, MMIO))
setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
else if (!cpu_matches(cpu_vuln_whitelist, NO_MMIO))
-@@ -1454,7 +1454,7 @@ static void __init cpu_set_bug_bits(stru
+@@ -1449,7 +1449,7 @@ static void __init cpu_set_bug_bits(stru
}
if (!cpu_has(c, X86_FEATURE_BTC_NO)) {
@@ -286,7 +284,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
setup_force_cpu_bug(X86_BUG_RETBLEED);
}
-@@ -1472,15 +1472,15 @@ static void __init cpu_set_bug_bits(stru
+@@ -1467,15 +1467,15 @@ static void __init cpu_set_bug_bits(stru
* disabling AVX2. The only way to do this in HW is to clear XCR0[2],
* which means that AVX will be disabled.
*/
@@ -305,7 +303,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
!cpu_matches(cpu_vuln_whitelist, NO_BHI) &&
(boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) ||
boot_cpu_has(X86_FEATURE_HYPERVISOR)))
-@@ -1490,7 +1490,7 @@ static void __init cpu_set_bug_bits(stru
+@@ -1485,7 +1485,7 @@ static void __init cpu_set_bug_bits(stru
return;
/* Rogue Data Cache Load? No! */
diff --git a/queue-6.8/x86-bugs-replace-config_spectre_bhi_-on-off-with-config_mitigation_spectre_bhi.patch b/queue-6.8/x86-bugs-replace-config_spectre_bhi_-on-off-with-config_mitigation_spectre_bhi.patch
new file mode 100644
index 0000000000..92b26c16f3
--- /dev/null
+++ b/queue-6.8/x86-bugs-replace-config_spectre_bhi_-on-off-with-config_mitigation_spectre_bhi.patch
@@ -0,0 +1,71 @@
+From 4f511739c54b549061993b53fc0380f48dfca23b Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+Date: Wed, 10 Apr 2024 22:40:51 -0700
+Subject: x86/bugs: Replace CONFIG_SPECTRE_BHI_{ON,OFF} with CONFIG_MITIGATION_SPECTRE_BHI
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+commit 4f511739c54b549061993b53fc0380f48dfca23b upstream.
+
+For consistency with the other CONFIG_MITIGATION_* options, replace the
+CONFIG_SPECTRE_BHI_{ON,OFF} options with a single
+CONFIG_MITIGATION_SPECTRE_BHI option.
+
+[ mingo: Fix ]
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Sean Christopherson <seanjc@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Nikolay Borisov <nik.borisov@suse.com>
+Link: https://lore.kernel.org/r/3833812ea63e7fdbe36bf8b932e63f70d18e2a2a.1712813475.git.jpoimboe@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/Kconfig | 17 +++--------------
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 2 files changed, 4 insertions(+), 15 deletions(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2612,27 +2612,16 @@ config MITIGATION_RFDS
+ stored in floating point, vector and integer registers.
+ See also <file:Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst>
+
+-choice
+- prompt "Clear branch history"
++config MITIGATION_SPECTRE_BHI
++ bool "Mitigate Spectre-BHB (Branch History Injection)"
+ depends on CPU_SUP_INTEL
+- default SPECTRE_BHI_ON
++ default y
+ help
+ Enable BHI mitigations. BHI attacks are a form of Spectre V2 attacks
+ where the branch history buffer is poisoned to speculatively steer
+ indirect branches.
+ See <file:Documentation/admin-guide/hw-vuln/spectre.rst>
+
+-config SPECTRE_BHI_ON
+- bool "on"
+- help
+- Equivalent to setting spectre_bhi=on command line parameter.
+-config SPECTRE_BHI_OFF
+- bool "off"
+- help
+- Equivalent to setting spectre_bhi=off command line parameter.
+-
+-endchoice
+-
+ endif
+
+ config ARCH_HAS_ADD_PAGES
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1627,7 +1627,7 @@ enum bhi_mitigations {
+ };
+
+ static enum bhi_mitigations bhi_mitigation __ro_after_init =
+- IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : BHI_MITIGATION_OFF;
++ IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI) ? BHI_MITIGATION_ON : BHI_MITIGATION_OFF;
+
+ static int __init spectre_bhi_parse_cmdline(char *str)
+ {
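Review bot: The new Kconfig prompt `bool "Mitigate Spectre-BHB (Branch History Injection)"` names the issue BHB while the symbol (`MITIGATION_SPECTRE_BHI`), its help text (`Enable BHI mitigations`) and the `spectre_bhi=` parameter all say BHI; per the help text the branch history buffer is what gets poisoned and BHI is the attack. For consistency and so the option is found by a menuconfig search for "BHI", suggest `bool "Mitigate Spectre-BHI (Branch History Injection)"`. The bugs.c hunk switches the `bhi_mitigation` initialiser to `IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI)`, which matches the `default y`, but the removed SPECTRE_BHI_ON/OFF entries carried the command-line equivalence and the new help does not; a line such as `Equivalent to spectre_bhi=on; the spectre_bhi= command line parameter overrides this setting.` would preserve that, since spectre_bhi_parse_cmdline() still reassigns bhi_mitigation.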
diff --git a/queue-6.8/x86-speculation-do-not-enable-automatic-ibrs-if-sev-snp-is-enabled.patch b/queue-6.8/x86-speculation-do-not-enable-automatic-ibrs-if-sev-snp-is-enabled.patch
deleted file mode 100644
index ee4500e1c1..0000000000
--- a/queue-6.8/x86-speculation-do-not-enable-automatic-ibrs-if-sev-snp-is-enabled.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From acaa4b5c4c854b5009f4d4a5395b2609ad0f4937 Mon Sep 17 00:00:00 2001
-From: Kim Phillips <kim.phillips@amd.com>
-Date: Thu, 25 Jan 2024 22:11:02 -0600
-Subject: x86/speculation: Do not enable Automatic IBRS if SEV-SNP is enabled
-
-From: Kim Phillips <kim.phillips@amd.com>
-
-commit acaa4b5c4c854b5009f4d4a5395b2609ad0f4937 upstream.
-
-Without SEV-SNP, Automatic IBRS protects only the kernel. But when
-SEV-SNP is enabled, the Automatic IBRS protection umbrella widens to all
-host-side code, including userspace. This protection comes at a cost:
-reduced userspace indirect branch performance.
-
-To avoid this performance loss, don't use Automatic IBRS on SEV-SNP
-hosts and all back to retpolines instead.
-
- [ mdr: squash in changes from review discussion. ]
-
-Signed-off-by: Kim Phillips <kim.phillips@amd.com>
-Signed-off-by: Michael Roth <michael.roth@amd.com>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Acked-by: Dave Hansen <dave.hansen@intel.com>
-Link: https://lore.kernel.org/r/20240126041126.1927228-3-michael.roth@amd.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/common.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1385,8 +1385,13 @@ static void __init cpu_set_bug_bits(stru
- /*
- * AMD's AutoIBRS is equivalent to Intel's eIBRS - use the Intel feature
- * flag and protect from vendor-specific bugs via the whitelist.
-+ *
-+ * Don't use AutoIBRS when SNP is enabled because it degrades host
-+ * userspace indirect branch performance.
- */
-- if ((ia32_cap & ARCH_CAP_IBRS_ALL) || cpu_has(c, X86_FEATURE_AUTOIBRS)) {
-+ if ((ia32_cap & ARCH_CAP_IBRS_ALL) ||
-+ (cpu_has(c, X86_FEATURE_AUTOIBRS) &&
-+ !cpu_feature_enabled(X86_FEATURE_SEV_SNP))) {
- setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
- if (!cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
- !(ia32_cap & ARCH_CAP_PBRSB_NO))