€•OPŒsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ//translations/zh_CN/admin-guide/hw-vuln/vmscape”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/zh_TW/admin-guide/hw-vuln/vmscape”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/it_IT/admin-guide/hw-vuln/vmscape”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/ja_JP/admin-guide/hw-vuln/vmscape”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/ko_KR/admin-guide/hw-vuln/vmscape”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/pt_BR/admin-guide/hw-vuln/vmscape”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/sp_SP/admin-guide/hw-vuln/vmscape”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1hµhhh²hh³ŒI/var/lib/git/docbuild/linux/Documentation/admin-guide/hw-vuln/vmscape.rst”h´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒVMSCAPE”h]”hŒVMSCAPE”…””}”(hhÏh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÊh²hh³hÇh´KubhŒ paragraph”“”)”}”(hŒ–VMSCAPE is a vulnerability that may allow a guest to influence the branch prediction in host userspace. It particularly affects hypervisors like QEMU.”h]”hŒ–VMSCAPE is a vulnerability that may allow a guest to influence the branch prediction in host userspace. It particularly affects hypervisors like QEMU.”…””}”(hhßh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KhhÊh²hubhŞ)”}”(hŒ±Even if a hypervisor may not have any sensitive data like disk encryption keys, guest-userspace may be able to attack the guest-kernel using the hypervisor as a confused deputy.”h]”hŒ±Even if a hypervisor may not have any sensitive data like disk encryption keys, guest-userspace may be able to attack the guest-kernel using the hypervisor as a confused deputy.”…””}”(hhíh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K hhÊh²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒAffected processors”h]”hŒAffected processors”…””}”(hhşh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhûh²hh³hÇh´KubhŞ)”}”(hŒ3The following CPU families are affected by VMSCAPE:”h]”hŒ3The following CPU families are affected by VMSCAPE:”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Khhûh²hubhŒdefinition_list”“”)”}”(hhh]”hŒdefinition_list_item”“”)”}”(hŒÂ**Intel processors:** - Skylake generation (Parts without Enhanced-IBRS) - Cascade Lake generation - (Parts affected by ITS guest/host separation) - Alder Lake and newer (Parts affected by BHI) ”h]”(hŒterm”“”)”}”(hŒ**Intel processors:**”h]”hŒstrong”“”)”}”(hj)h]”hŒIntel processors:”…””}”(hj-h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j+hj'ubah}”(h]”h ]”h"]”h$]”h&]”uh1j%h³hÇh´Khj!ubhŒ definition”“”)”}”(hhh]”hŒ bullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒ0Skylake generation (Parts without Enhanced-IBRS)”h]”hŞ)”}”(hjNh]”hŒ0Skylake generation (Parts without Enhanced-IBRS)”…””}”(hjPh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KhjLubah}”(h]”h ]”h"]”h$]”h&]”uh1jJhjGubjK)”}”(hŒGCascade Lake generation - (Parts affected by ITS guest/host separation)”h]”hŞ)”}”(hjeh]”hŒGCascade Lake generation - (Parts affected by ITS guest/host separation)”…””}”(hjgh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Khjcubah}”(h]”h ]”h"]”h$]”h&]”uh1jJhjGubjK)”}”(hŒ-Alder Lake and newer (Parts affected by BHI) ”h]”hŞ)”}”(hŒ,Alder Lake and newer (Parts affected by BHI)”h]”hŒ,Alder Lake and newer (Parts affected by BHI)”…””}”(hj~h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Khjzubah}”(h]”h ]”h"]”h$]”h&]”uh1jJhjGubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1jEh³hÇh´KhjBubah}”(h]”h ]”h"]”h$]”h&]”uh1j@hj!ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÇh´Khjubah}”(h]”h ]”h"]”h$]”h&]”uh1jhhûh²hh³Nh´NubhŞ)”}”(hŒsNote that, BHI affected parts that use BHB clearing software mitigation e.g. Icelake are not vulnerable to VMSCAPE.”h]”hŒsNote that, BHI affected parts that use BHB clearing software mitigation e.g. Icelake are not vulnerable to VMSCAPE.”…””}”(hj¬h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Khhûh²hubj)”}”(hhh]”(j )”}”(hŒ=**AMD processors:** - Zen series (families 0x17, 0x19, 0x1a) ”h]”(j&)”}”(hŒ**AMD processors:**”h]”j,)”}”(hjÃh]”hŒAMD processors:”…””}”(hjÅh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j+hjÁubah}”(h]”h ]”h"]”h$]”h&]”uh1j%h³hÇh´Khj½ubjA)”}”(hhh]”jF)”}”(hhh]”jK)”}”(hŒ'Zen series (families 0x17, 0x19, 0x1a) ”h]”hŞ)”}”(hŒ&Zen series (families 0x17, 0x19, 0x1a)”h]”hŒ&Zen series (families 0x17, 0x19, 0x1a)”…””}”(hjâh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KhjŞubah}”(h]”h ]”h"]”h$]”h&]”uh1jJhjÛubah}”(h]”h ]”h"]”h$]”h&]”j˜j™uh1jEh³hÇh´KhjØubah}”(h]”h ]”h"]”h$]”h&]”uh1j@hj½ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÇh´Khjºubj )”}”(hŒ%** Hygon processors:** - Family 0x18 ”h]”(j&)”}”(hŒ** Hygon processors:**”h]”hŒ** Hygon processors:**”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j%h³hÇh´KhjubjA)”}”(hhh]”jF)”}”(hhh]”jK)”}”(hŒ Family 0x18 ”h]”hŞ)”}”(hŒ Family 0x18”h]”hŒ Family 0x18”…””}”(hj$h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Khj ubah}”(h]”h ]”h"]”h$]”h&]”uh1jJhjubah}”(h]”h ]”h"]”h$]”h&]”j˜j™uh1jEh³hÇh´Khjubah}”(h]”h ]”h"]”h$]”h&]”uh1j@hjubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÇh´Khjºh²hubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhhûh²hh³Nh´Nubeh}”(h]”Œaffected-processors”ah ]”h"]”Œaffected processors”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”hÎ)”}”(hŒ Mitigation”h]”hŒ Mitigation”…””}”(hj[h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjXh²hh³hÇh´K!ubah}”(h]”Œ mitigation”ah ]”h"]”Œ mitigation”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K!ubhÉ)”}”(hhh]”(hÎ)”}”(hŒConditional IBPB”h]”hŒConditional IBPB”…””}”(hjth²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjqh²hh³hÇh´K$ubhŞ)”}”(hŒÖKernel tracks when a CPU has run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit. If userspace did not run between VM-exit and the next VM-entry, no IBPB is issued.”h]”hŒÖKernel tracks when a CPU has run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit. If userspace did not run between VM-exit and the next VM-entry, no IBPB is issued.”…””}”(hj‚h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K&hjqh²hubhŞ)”}”(hXINote that the existing userspace mitigation against Spectre-v2 is effective in protecting the userspace. They are insufficient to protect the userspace VMMs from a malicious guest. This is because Spectre-v2 mitigations are applied at context switch time, while the userspace VMM can run after a VM-exit without a context switch.”h]”hXINote that the existing userspace mitigation against Spectre-v2 is effective in protecting the userspace. They are insufficient to protect the userspace VMMs from a malicious guest. This is because Spectre-v2 mitigations are applied at context switch time, while the userspace VMM can run after a VM-exit without a context switch.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K*hjqh²hubhŞ)”}”(hŒµVulnerability enumeration and mitigation is not applied inside a guest. This is because nested hypervisors should already be deploying IBPB to isolate themselves from nested guests.”h]”hŒµVulnerability enumeration and mitigation is not applied inside a guest. This is because nested hypervisors should already be deploying IBPB to isolate themselves from nested guests.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K0hjqh²hubeh}”(h]”Œconditional-ibpb”ah ]”h"]”Œconditional ibpb”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K$ubhÉ)”}”(hhh]”(hÎ)”}”(hŒSMT considerations”h]”hŒSMT considerations”…””}”(hj·h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj´h²hh³hÇh´K5ubhŞ)”}”(hŒÈWhen Simultaneous Multi-Threading (SMT) is enabled, hypervisors can be vulnerable to cross-thread attacks. For complete protection against VMSCAPE attacks in SMT environments, STIBP should be enabled.”h]”hŒÈWhen Simultaneous Multi-Threading (SMT) is enabled, hypervisors can be vulnerable to cross-thread attacks. For complete protection against VMSCAPE attacks in SMT environments, STIBP should be enabled.”…””}”(hjÅh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K7hj´h²hubhŞ)”}”(hŒpThe kernel will issue a warning if SMT is enabled without adequate STIBP protection. Warning is not issued when:”h]”hŒpThe kernel will issue a warning if SMT is enabled without adequate STIBP protection. Warning is not issued when:”…””}”(hjÓh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K;hj´h²hubjF)”}”(hhh]”(jK)”}”(hŒSMT is disabled”h]”hŞ)”}”(hjæh]”hŒSMT is disabled”…””}”(hjèh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K>hjäubah}”(h]”h ]”h"]”h$]”h&]”uh1jJhjáh²hh³hÇh´NubjK)”}”(hŒSTIBP is enabled system-wide”h]”hŞ)”}”(hjıh]”hŒSTIBP is enabled system-wide”…””}”(hjÿh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K?hjûubah}”(h]”h ]”h"]”h$]”h&]”uh1jJhjáh²hh³hÇh´NubjK)”}”(hŒ8Intel eIBRS is enabled (which implies STIBP protection) ”h]”hŞ)”}”(hŒ7Intel eIBRS is enabled (which implies STIBP protection)”h]”hŒ7Intel eIBRS is enabled (which implies STIBP protection)”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K@hjubah}”(h]”h ]”h"]”h$]”h&]”uh1jJhjáh²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”j˜j™uh1jEh³hÇh´K>hj´h²hubeh}”(h]”Œsmt-considerations”ah ]”h"]”Œsmt considerations”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K5ubhÉ)”}”(hhh]”(hÎ)”}”(hŒSystem information and options”h]”hŒSystem information and options”…””}”(hj;h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj8h²hh³hÇh´KCubhŞ)”}”(hŒ4The sysfs file showing VMSCAPE mitigation status is:”h]”hŒ4The sysfs file showing VMSCAPE mitigation status is:”…””}”(hjIh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KEhj8h²hubhŒ block_quote”“”)”}”(hŒ0/sys/devices/system/cpu/vulnerabilities/vmscape ”h]”hŞ)”}”(hŒ//sys/devices/system/cpu/vulnerabilities/vmscape”h]”hŒ//sys/devices/system/cpu/vulnerabilities/vmscape”…””}”(hj]h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KGhjYubah}”(h]”h ]”h"]”h$]”h&]”uh1jWh³hÇh´KGhj8h²hubhŞ)”}”(hŒ%The possible values in this file are:”h]”hŒ%The possible values in this file are:”…””}”(hjqh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KIhj8h²hubjX)”}”(hX)* 'Not affected': The processor is not vulnerable to VMSCAPE attacks. * 'Vulnerable': The processor is vulnerable and no mitigation has been applied. * 'Mitigation: IBPB before exit to userspace': Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit. * 'Mitigation: IBPB on VMEXIT': IBPB is issued on every VM-exit. This occurs when other mitigations like RETBLEED or SRSO are already issuing IBPB on VM-exit. ”h]”jF)”}”(hhh]”(jK)”}”(hŒE'Not affected': The processor is not vulnerable to VMSCAPE attacks. ”h]”(hŞ)”}”(hŒ'Not affected':”h]”hŒ‘Not affected’:”…””}”(hjŠh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KKhj†ubhŞ)”}”(hŒ3The processor is not vulnerable to VMSCAPE attacks.”h]”hŒ3The processor is not vulnerable to VMSCAPE attacks.”…””}”(hj˜h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KMhj†ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjƒubjK)”}”(hŒO'Vulnerable': The processor is vulnerable and no mitigation has been applied. ”h]”(hŞ)”}”(hŒ 'Vulnerable':”h]”hŒ‘Vulnerable’:”…””}”(hj°h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KOhj¬ubhŞ)”}”(hŒ?The processor is vulnerable and no mitigation has been applied.”h]”hŒ?The processor is vulnerable and no mitigation has been applied.”…””}”(hj¾h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KQhj¬ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjƒubjK)”}”(hŒŞ'Mitigation: IBPB before exit to userspace': Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit. ”h]”(hŞ)”}”(hŒ,'Mitigation: IBPB before exit to userspace':”h]”hŒ0‘Mitigation: IBPB before exit to userspace’:”…””}”(hjÖh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KShjÒubhŞ)”}”(hŒ¯Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit.”h]”hŒ¯Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit.”…””}”(hjäh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KUhjÒubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjƒubjK)”}”(hŒ'Mitigation: IBPB on VMEXIT': IBPB is issued on every VM-exit. This occurs when other mitigations like RETBLEED or SRSO are already issuing IBPB on VM-exit. ”h]”(hŞ)”}”(hŒ'Mitigation: IBPB on VMEXIT':”h]”hŒ!‘Mitigation: IBPB on VMEXIT’:”…””}”(hjüh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KYhjøubhŞ)”}”(hŒ~IBPB is issued on every VM-exit. This occurs when other mitigations like RETBLEED or SRSO are already issuing IBPB on VM-exit.”h]”hŒ~IBPB is issued on every VM-exit. This occurs when other mitigations like RETBLEED or SRSO are already issuing IBPB on VM-exit.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´K[hjøubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjƒubeh}”(h]”h ]”h"]”h$]”h&]”j˜Œ*”uh1jEh³hÇh´KKhjubah}”(h]”h ]”h"]”h$]”h&]”uh1jWh³hÇh´KKhj8h²hubeh}”(h]”Œsystem-information-and-options”ah ]”h"]”Œsystem information and options”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KCubhÉ)”}”(hhh]”(hÎ)”}”(hŒ-Mitigation control on the kernel command line”h]”hŒ-Mitigation control on the kernel command line”…””}”(hj6h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj3h²hh³hÇh´K_ubhŞ)”}”(hŒMThe mitigation can be controlled via the ``vmscape=`` command line parameter:”h]”(hŒ)The mitigation can be controlled via the ”…””}”(hjDh²hh³Nh´NubhŒliteral”“”)”}”(hŒ ``vmscape=``”h]”hŒvmscape=”…””}”(hjNh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jLhjDubhŒ command line parameter:”…””}”(hjDh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Kahj3h²hubjX)”}”(hX* ``vmscape=off``: Disable the VMSCAPE mitigation. * ``vmscape=ibpb``: Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y). * ``vmscape=force``: Force vulnerability detection and mitigation even on processors that are not known to be affected.”h]”jF)”}”(hhh]”(jK)”}”(hŒ2``vmscape=off``: Disable the VMSCAPE mitigation. ”h]”(hŞ)”}”(hŒ``vmscape=off``:”h]”(jM)”}”(hŒ``vmscape=off``”h]”hŒ vmscape=off”…””}”(hjuh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jLhjqubhŒ:”…””}”(hjqh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KchjmubhŞ)”}”(hŒDisable the VMSCAPE mitigation.”h]”hŒDisable the VMSCAPE mitigation.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Kehjmubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjjubjK)”}”(hŒb``vmscape=ibpb``: Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y). ”h]”(hŞ)”}”(hŒ``vmscape=ibpb``:”h]”(jM)”}”(hŒ``vmscape=ibpb``”h]”hŒ vmscape=ibpb”…””}”(hj©h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jLhj¥ubhŒ:”…””}”(hj¥h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Kghj¡ubhŞ)”}”(hŒNEnable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).”h]”hŒNEnable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).”…””}”(hjÁh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´Kihj¡ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjjubjK)”}”(hŒv``vmscape=force``: Force vulnerability detection and mitigation even on processors that are not known to be affected.”h]”(hŞ)”}”(hŒ``vmscape=force``:”h]”(jM)”}”(hŒ``vmscape=force``”h]”hŒ vmscape=force”…””}”(hjİh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jLhjÙubhŒ:”…””}”(hjÙh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KkhjÕubhŞ)”}”(hŒbForce vulnerability detection and mitigation even on processors that are not known to be affected.”h]”hŒbForce vulnerability detection and mitigation even on processors that are not known to be affected.”…””}”(hjõh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hİh³hÇh´KmhjÕubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjjubeh}”(h]”h ]”h"]”h$]”h&]”j˜j$uh1jEh³hÇh´Kchjfubah}”(h]”h ]”h"]”h$]”h&]”uh1jWh³hÇh´Kchj3h²hubeh}”(h]”Œ-mitigation-control-on-the-kernel-command-line”ah ]”h"]”Œ-mitigation control on the kernel command line”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K_ubeh}”(h]”Œvmscape”ah ]”h"]”Œvmscape”ah$]”h&]”uh1hÈhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÍNŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”Œentry”Œfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jHŒerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j"jjUjRjnjkj±j®j5j2j0j-jjuŒ nametypes”}”(j"‰jU‰jn‰j±‰j5‰j0‰j‰uh}”(jhÊjRhûjkjXj®jqj2j´j-j8jj3uŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nh²hub.