€•qO      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ//translations/zh_CN/admin-guide/hw-vuln/vmscape”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/zh_TW/admin-guide/hw-vuln/vmscape”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/it_IT/admin-guide/hw-vuln/vmscape”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/ja_JP/admin-guide/hw-vuln/vmscape”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/ko_KR/admin-guide/hw-vuln/vmscape”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/sp_SP/admin-guide/hw-vuln/vmscape”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒI/var/lib/git/docbuild/linux/Documentation/admin-guide/hw-vuln/vmscape.rst”h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒVMSCAPE”h]”hŒVMSCAPE”…””}”(hh»hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hh¶hžhhŸh³h KubhŒ	paragraph”“”)”}”(hŒ–VMSCAPE is a vulnerability that may allow a guest to influence the branch
prediction in host userspace. It particularly affects hypervisors like QEMU.”h]”hŒ–VMSCAPE is a vulnerability that may allow a guest to influence the branch
prediction in host userspace. It particularly affects hypervisors like QEMU.”…””}”(hhËhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hŒ±Even if a hypervisor may not have any sensitive data like disk encryption keys,
guest-userspace may be able to attack the guest-kernel using the hypervisor as
a confused deputy.”h]”hŒ±Even if a hypervisor may not have any sensitive data like disk encryption keys,
guest-userspace may be able to attack the guest-kernel using the hypervisor as
a confused deputy.”…””}”(hhÙhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K	hh¶hžhubhµ)”}”(hhh]”(hº)”}”(hŒAffected processors”h]”hŒAffected processors”…””}”(hhêhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hhçhžhhŸh³h KubhÊ)”}”(hŒ3The following CPU families are affected by VMSCAPE:”h]”hŒ3The following CPU families are affected by VMSCAPE:”…””}”(hhøhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KhhçhžhubhŒdefinition_list”“”)”}”(hhh]”hŒdefinition_list_item”“”)”}”(hŒÂ**Intel processors:**
- Skylake generation (Parts without Enhanced-IBRS)
- Cascade Lake generation - (Parts affected by ITS guest/host separation)
- Alder Lake and newer (Parts affected by BHI)
”h]”(hŒterm”“”)”}”(hŒ**Intel processors:**”h]”hŒstrong”“”)”}”(hj  h]”hŒIntel processors:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khj  ubhŒ
definition”“”)”}”(hhh]”hŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒ0Skylake generation (Parts without Enhanced-IBRS)”h]”hÊ)”}”(hj:  h]”hŒ0Skylake generation (Parts without Enhanced-IBRS)”…””}”(hj<  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khj8  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6  hj3  ubj7  )”}”(hŒGCascade Lake generation - (Parts affected by ITS guest/host separation)”h]”hÊ)”}”(hjQ  h]”hŒGCascade Lake generation - (Parts affected by ITS guest/host separation)”…””}”(hjS  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KhjO  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6  hj3  ubj7  )”}”(hŒ-Alder Lake and newer (Parts affected by BHI)
”h]”hÊ)”}”(hŒ,Alder Lake and newer (Parts affected by BHI)”h]”hŒ,Alder Lake and newer (Parts affected by BHI)”…””}”(hjj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khjf  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6  hj3  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j1  hŸh³h Khj.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hhçhžhhŸNh NubhÊ)”}”(hŒsNote that, BHI affected parts that use BHB clearing software mitigation e.g.
Icelake are not vulnerable to VMSCAPE.”h]”hŒsNote that, BHI affected parts that use BHB clearing software mitigation e.g.
Icelake are not vulnerable to VMSCAPE.”…””}”(hj˜  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khhçhžhubj  )”}”(hhh]”(j  )”}”(hŒ=**AMD processors:**
- Zen series (families 0x17, 0x19, 0x1a)
”h]”(j  )”}”(hŒ**AMD processors:**”h]”j  )”}”(hj¯  h]”hŒAMD processors:”…””}”(hj±  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj­  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khj©  ubj-  )”}”(hhh]”j2  )”}”(hhh]”j7  )”}”(hŒ'Zen series (families 0x17, 0x19, 0x1a)
”h]”hÊ)”}”(hŒ&Zen series (families 0x17, 0x19, 0x1a)”h]”hŒ&Zen series (families 0x17, 0x19, 0x1a)”…””}”(hjÎ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KhjÊ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjÇ  ubah}”(h]”h ]”h"]”h$]”h&]”j„  j…  uh1j1  hŸh³h KhjÄ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  hj©  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khj¦  ubj  )”}”(hŒ%** Hygon processors:**
- Family 0x18
”h]”(j  )”}”(hŒ** Hygon processors:**”h]”hŒ** Hygon processors:**”…””}”(hjø  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khjô  ubj-  )”}”(hhh]”j2  )”}”(hhh]”j7  )”}”(hŒFamily 0x18
”h]”hÊ)”}”(hŒFamily 0x18”h]”hŒFamily 0x18”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6  hj	  ubah}”(h]”h ]”h"]”h$]”h&]”j„  j…  uh1j1  hŸh³h Khj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  hjô  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khj¦  hžhubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hhçhžhhŸNh Nubeh}”(h]”Œaffected-processors”ah ]”h"]”Œaffected processors”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kubhµ)”}”(hhh]”hº)”}”(hŒ
Mitigation”h]”hŒ
Mitigation”…””}”(hjG  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjD  hžhhŸh³h K!ubah}”(h]”Œ
mitigation”ah ]”h"]”Œ
mitigation”ah$]”h&]”uh1h´hh¶hžhhŸh³h K!ubhµ)”}”(hhh]”(hº)”}”(hŒConditional IBPB”h]”hŒConditional IBPB”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj]  hžhhŸh³h K$ubhÊ)”}”(hŒÖKernel tracks when a CPU has run a potentially malicious guest and issues an
IBPB before the first exit to userspace after VM-exit. If userspace did not run
between VM-exit and the next VM-entry, no IBPB is issued.”h]”hŒÖKernel tracks when a CPU has run a potentially malicious guest and issues an
IBPB before the first exit to userspace after VM-exit. If userspace did not run
between VM-exit and the next VM-entry, no IBPB is issued.”…””}”(hjn  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K&hj]  hžhubhÊ)”}”(hXI  Note that the existing userspace mitigation against Spectre-v2 is effective in
protecting the userspace. They are insufficient to protect the userspace VMMs
from a malicious guest. This is because Spectre-v2 mitigations are applied at
context switch time, while the userspace VMM can run after a VM-exit without a
context switch.”h]”hXI  Note that the existing userspace mitigation against Spectre-v2 is effective in
protecting the userspace. They are insufficient to protect the userspace VMMs
from a malicious guest. This is because Spectre-v2 mitigations are applied at
context switch time, while the userspace VMM can run after a VM-exit without a
context switch.”…””}”(hj|  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K*hj]  hžhubhÊ)”}”(hŒµVulnerability enumeration and mitigation is not applied inside a guest. This is
because nested hypervisors should already be deploying IBPB to isolate
themselves from nested guests.”h]”hŒµVulnerability enumeration and mitigation is not applied inside a guest. This is
because nested hypervisors should already be deploying IBPB to isolate
themselves from nested guests.”…””}”(hjŠ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K0hj]  hžhubeh}”(h]”Œconditional-ibpb”ah ]”h"]”Œconditional ibpb”ah$]”h&]”uh1h´hh¶hžhhŸh³h K$ubhµ)”}”(hhh]”(hº)”}”(hŒSMT considerations”h]”hŒSMT considerations”…””}”(hj£  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj   hžhhŸh³h K5ubhÊ)”}”(hŒÈWhen Simultaneous Multi-Threading (SMT) is enabled, hypervisors can be
vulnerable to cross-thread attacks. For complete protection against VMSCAPE
attacks in SMT environments, STIBP should be enabled.”h]”hŒÈWhen Simultaneous Multi-Threading (SMT) is enabled, hypervisors can be
vulnerable to cross-thread attacks. For complete protection against VMSCAPE
attacks in SMT environments, STIBP should be enabled.”…””}”(hj±  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K7hj   hžhubhÊ)”}”(hŒpThe kernel will issue a warning if SMT is enabled without adequate STIBP
protection. Warning is not issued when:”h]”hŒpThe kernel will issue a warning if SMT is enabled without adequate STIBP
protection. Warning is not issued when:”…””}”(hj¿  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K;hj   hžhubj2  )”}”(hhh]”(j7  )”}”(hŒSMT is disabled”h]”hÊ)”}”(hjÒ  h]”hŒSMT is disabled”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K>hjÐ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjÍ  hžhhŸh³h Nubj7  )”}”(hŒSTIBP is enabled system-wide”h]”hÊ)”}”(hjé  h]”hŒSTIBP is enabled system-wide”…””}”(hjë  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K?hjç  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjÍ  hžhhŸh³h Nubj7  )”}”(hŒ8Intel eIBRS is enabled (which implies STIBP protection)
”h]”hÊ)”}”(hŒ7Intel eIBRS is enabled (which implies STIBP protection)”h]”hŒ7Intel eIBRS is enabled (which implies STIBP protection)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K@hjþ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjÍ  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”j„  j…  uh1j1  hŸh³h K>hj   hžhubeh}”(h]”Œsmt-considerations”ah ]”h"]”Œsmt considerations”ah$]”h&]”uh1h´hh¶hžhhŸh³h K5ubhµ)”}”(hhh]”(hº)”}”(hŒSystem information and options”h]”hŒSystem information and options”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj$  hžhhŸh³h KCubhÊ)”}”(hŒ4The sysfs file showing VMSCAPE mitigation status is:”h]”hŒ4The sysfs file showing VMSCAPE mitigation status is:”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KEhj$  hžhubhŒblock_quote”“”)”}”(hŒ0/sys/devices/system/cpu/vulnerabilities/vmscape
”h]”hÊ)”}”(hŒ//sys/devices/system/cpu/vulnerabilities/vmscape”h]”hŒ//sys/devices/system/cpu/vulnerabilities/vmscape”…””}”(hjI  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KGhjE  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jC  hŸh³h KGhj$  hžhubhÊ)”}”(hŒ%The possible values in this file are:”h]”hŒ%The possible values in this file are:”…””}”(hj]  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KIhj$  hžhubjD  )”}”(hX)  * 'Not affected':

  The processor is not vulnerable to VMSCAPE attacks.

* 'Vulnerable':

  The processor is vulnerable and no mitigation has been applied.

* 'Mitigation: IBPB before exit to userspace':

  Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has
  run a potentially malicious guest and issues an IBPB before the first
  exit to userspace after VM-exit.

* 'Mitigation: IBPB on VMEXIT':

  IBPB is issued on every VM-exit. This occurs when other mitigations like
  RETBLEED or SRSO are already issuing IBPB on VM-exit.
”h]”j2  )”}”(hhh]”(j7  )”}”(hŒE'Not affected':

The processor is not vulnerable to VMSCAPE attacks.
”h]”(hÊ)”}”(hŒ'Not affected':”h]”hŒâ€˜Not affectedâ€™:”…””}”(hjv  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KKhjr  ubhÊ)”}”(hŒ3The processor is not vulnerable to VMSCAPE attacks.”h]”hŒ3The processor is not vulnerable to VMSCAPE attacks.”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KMhjr  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjo  ubj7  )”}”(hŒO'Vulnerable':

The processor is vulnerable and no mitigation has been applied.
”h]”(hÊ)”}”(hŒ'Vulnerable':”h]”hŒâ€˜Vulnerableâ€™:”…””}”(hjœ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KOhj˜  ubhÊ)”}”(hŒ?The processor is vulnerable and no mitigation has been applied.”h]”hŒ?The processor is vulnerable and no mitigation has been applied.”…””}”(hjª  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KQhj˜  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjo  ubj7  )”}”(hŒÞ'Mitigation: IBPB before exit to userspace':

Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has
run a potentially malicious guest and issues an IBPB before the first
exit to userspace after VM-exit.
”h]”(hÊ)”}”(hŒ,'Mitigation: IBPB before exit to userspace':”h]”hŒ0â€˜Mitigation: IBPB before exit to userspaceâ€™:”…””}”(hjÂ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KShj¾  ubhÊ)”}”(hŒ¯Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has
run a potentially malicious guest and issues an IBPB before the first
exit to userspace after VM-exit.”h]”hŒ¯Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has
run a potentially malicious guest and issues an IBPB before the first
exit to userspace after VM-exit.”…””}”(hjÐ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KUhj¾  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjo  ubj7  )”}”(hŒž'Mitigation: IBPB on VMEXIT':

IBPB is issued on every VM-exit. This occurs when other mitigations like
RETBLEED or SRSO are already issuing IBPB on VM-exit.
”h]”(hÊ)”}”(hŒ'Mitigation: IBPB on VMEXIT':”h]”hŒ!â€˜Mitigation: IBPB on VMEXITâ€™:”…””}”(hjè  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KYhjä  ubhÊ)”}”(hŒ~IBPB is issued on every VM-exit. This occurs when other mitigations like
RETBLEED or SRSO are already issuing IBPB on VM-exit.”h]”hŒ~IBPB is issued on every VM-exit. This occurs when other mitigations like
RETBLEED or SRSO are already issuing IBPB on VM-exit.”…””}”(hjö  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K[hjä  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjo  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  Œ*”uh1j1  hŸh³h KKhjk  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jC  hŸh³h KKhj$  hžhubeh}”(h]”Œsystem-information-and-options”ah ]”h"]”Œsystem information and options”ah$]”h&]”uh1h´hh¶hžhhŸh³h KCubhµ)”}”(hhh]”(hº)”}”(hŒ-Mitigation control on the kernel command line”h]”hŒ-Mitigation control on the kernel command line”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h K_ubhÊ)”}”(hŒMThe mitigation can be controlled via the ``vmscape=`` command line parameter:”h]”(hŒ)The mitigation can be controlled via the ”…””}”(hj0  hžhhŸNh NubhŒliteral”“”)”}”(hŒ``vmscape=``”h]”hŒvmscape=”…””}”(hj:  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j8  hj0  ubhŒ command line parameter:”…””}”(hj0  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kahj  hžhubjD  )”}”(hX  * ``vmscape=off``:

  Disable the VMSCAPE mitigation.

* ``vmscape=ibpb``:

  Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).

* ``vmscape=force``:

  Force vulnerability detection and mitigation even on processors that are
  not known to be affected.”h]”j2  )”}”(hhh]”(j7  )”}”(hŒ2``vmscape=off``:

Disable the VMSCAPE mitigation.
”h]”(hÊ)”}”(hŒ``vmscape=off``:”h]”(j9  )”}”(hŒ``vmscape=off``”h]”hŒvmscape=off”…””}”(hja  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j8  hj]  ubhŒ:”…””}”(hj]  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KchjY  ubhÊ)”}”(hŒDisable the VMSCAPE mitigation.”h]”hŒDisable the VMSCAPE mitigation.”…””}”(hjy  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KehjY  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjV  ubj7  )”}”(hŒb``vmscape=ibpb``:

Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).
”h]”(hÊ)”}”(hŒ``vmscape=ibpb``:”h]”(j9  )”}”(hŒ``vmscape=ibpb``”h]”hŒvmscape=ibpb”…””}”(hj•  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j8  hj‘  ubhŒ:”…””}”(hj‘  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kghj  ubhÊ)”}”(hŒNEnable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).”h]”hŒNEnable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).”…””}”(hj­  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kihj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjV  ubj7  )”}”(hŒv``vmscape=force``:

Force vulnerability detection and mitigation even on processors that are
not known to be affected.”h]”(hÊ)”}”(hŒ``vmscape=force``:”h]”(j9  )”}”(hŒ``vmscape=force``”h]”hŒvmscape=force”…””}”(hjÉ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j8  hjÅ  ubhŒ:”…””}”(hjÅ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KkhjÁ  ubhÊ)”}”(hŒbForce vulnerability detection and mitigation even on processors that are
not known to be affected.”h]”hŒbForce vulnerability detection and mitigation even on processors that are
not known to be affected.”…””}”(hjá  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KmhjÁ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6  hjV  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  j  uh1j1  hŸh³h KchjR  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jC  hŸh³h Kchj  hžhubeh}”(h]”Œ-mitigation-control-on-the-kernel-command-line”ah ]”h"]”Œ-mitigation control on the kernel command line”ah$]”h&]”uh1h´hh¶hžhhŸh³h K_ubeh}”(h]”Œvmscape”ah ]”h"]”Œvmscape”ah$]”h&]”uh1h´hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¹NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j4  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j  j  jA  j>  jZ  jW  j  jš  j!  j  j  j  j  j  uŒ	nametypes”}”(j  ‰jA  ‰jZ  ‰j  ‰j!  ‰j  ‰j  ‰uh}”(j  h¶j>  hçjW  jD  jš  j]  j  j   j  j$  j  j  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.