From patchwork Tue Feb 21 18:49:07 2023
X-Patchwork-Submitter: KP Singh
X-Patchwork-Id: 60222
From: KP Singh
To: linux-kernel@vger.kernel.org
Cc: pjt@google.com, evn@google.com, jpoimboe@kernel.org, tglx@linutronix.de, x86@kernel.org, hpa@zytor.com, peterz@infradead.org, pawan.kumar.gupta@linux.intel.com, kim.phillips@amd.com, alexandre.chartre@oracle.com, daniel.sneddon@linux.intel.com, corbet@lwn.net, bp@suse.de, linyujun809@huawei.com, kpsingh@kernel.org, jmattson@google.com, José Oliveira, Rodrigo Branco, Alexandra Sandulescu, stable@vger.kernel.org
Subject: [PATCH v2 1/2] x86/speculation: Allow enabling STIBP with legacy IBRS
Date: Tue, 21 Feb 2023 19:49:07 +0100
Message-Id: <20230221184908.2349578-1-kpsingh@kernel.org>

Setting the IBRS bit implicitly enables STIBP to protect against cross-thread branch target injection. With enhanced IBRS, the bit is set once and is not cleared again. However, on CPUs with just legacy IBRS, the IBRS bit is set on user -> kernel and cleared on kernel -> user (a.k.a KERNEL_IBRS). Clearing this bit also disables the implicitly enabled STIBP, thus requiring some form of cross-thread protection in userspace.

Enable STIBP, either opt-in via prctl or seccomp, or always on depending on the choice of mitigation selected via spectre_v2_user.

Reported-by: José Oliveira Reported-by: Rodrigo Branco Reviewed-by: Alexandra Sandulescu Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS") Cc: stable@vger.kernel.org Signed-off-by: KP Singh Reported-by: José Oliveira Reported-by: Rodrigo Branco Signed-off-by: KP Singh Signed-off-by: Borislav Petkov (AMD) --- arch/x86/kernel/cpu/bugs.c | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 85168740f76a..5be6075d8e36 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1124,14 +1124,30 @@ spectre_v2_parse_user_cmdline(void) return SPECTRE_V2_USER_CMD_AUTO; } -static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) +static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode) { - return mode == SPECTRE_V2_IBRS || - mode == SPECTRE_V2_EIBRS || + return mode == SPECTRE_V2_EIBRS || mode == SPECTRE_V2_EIBRS_RETPOLINE || mode == SPECTRE_V2_EIBRS_LFENCE; } +static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) +{ + return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS; +} + +static inline bool spectre_v2_user_needs_stibp(enum spectre_v2_mitigation mode) +{ + /* + * enhanced IBRS also protects against user-mode attacks as the IBRS bit + * remains always set which implicitly enables cross-thread protections. + * However, In legacy IBRS mode, the IBRS bit is set only in kernel + * and cleared on return to userspace. This disables the implicit + * cross-thread protections and STIBP is needed. + */ + return !spectre_v2_in_eibrs_mode(mode); +} + static void __init spectre_v2_user_select_mitigation(void) { 
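Review bot: the comment in spectre_v2_user_needs_stibp() only contrasts enhanced and legacy IBRS, but the function returns !spectre_v2_in_eibrs_mode(mode), which is true for every mode other than the three eIBRS ones, not just SPECTRE_V2_IBRS. Please say in the comment that all non-eIBRS modes are treated as needing STIBP, so the helper is not read as IBRS-specific. Minor style: start the comment with "Enhanced" and lower-case the "In" after "However,".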
@@ -1193,13 +1209,8 @@ spectre_v2_user_select_mitigation(void) "always-on" : "conditional"); } - /* - * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible, - * STIBP is not required. - */ - if (!boot_cpu_has(X86_FEATURE_STIBP) || - !smt_possible || - spectre_v2_in_ibrs_mode(spectre_v2_enabled)) + if (!boot_cpu_has(X86_FEATURE_STIBP) || !smt_possible || + !spectre_v2_user_needs_stibp(spectre_v2_enabled)) return; /* 
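Review bot: the comment above the early return in spectre_v2_user_select_mitigation() is removed rather than updated, which leaves the three-part condition unexplained. Suggest keeping it with corrected wording, for example "If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP is not required."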
@@ -2327,7 +2338,7 @@ static ssize_t mmio_stale_data_show_state(char *buf) static char *stibp_state(void) { - if (spectre_v2_in_ibrs_mode(spectre_v2_enabled)) + if (!spectre_v2_user_needs_stibp(spectre_v2_enabled)) return ""; switch (spectre_v2_user_stibp) { 
From patchwork Tue Feb 21 18:49:08 2023
X-Patchwork-Submitter: KP Singh
X-Patchwork-Id: 60221
From: KP Singh
To: linux-kernel@vger.kernel.org
Cc: pjt@google.com, evn@google.com, jpoimboe@kernel.org, tglx@linutronix.de, x86@kernel.org, hpa@zytor.com, peterz@infradead.org, pawan.kumar.gupta@linux.intel.com, kim.phillips@amd.com, alexandre.chartre@oracle.com, daniel.sneddon@linux.intel.com, corbet@lwn.net, bp@suse.de, linyujun809@huawei.com, kpsingh@kernel.org, jmattson@google.com
Subject: [PATCH v2 2/2] Documentation/hw-vuln: Document the interaction between IBRS and STIBP
Date: Tue, 21 Feb 2023 19:49:08 +0100
Message-Id: <20230221184908.2349578-2-kpsingh@kernel.org>
In-Reply-To: <20230221184908.2349578-1-kpsingh@kernel.org>
References: <20230221184908.2349578-1-kpsingh@kernel.org>

Explain why STIBP is needed with legacy IBRS as currently implemented (KERNEL_IBRS) and why STIBP is not needed when enhanced IBRS is enabled.

Signed-off-by: KP Singh --- Documentation/admin-guide/hw-vuln/spectre.rst | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst index c4dcdb3d0d45..e193ee13dc9a 100644 --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst @@ -479,8 +479,17 @@ Spectre variant 2 On Intel Skylake-era systems the mitigation covers most, but not all, cases. See :ref:`[3] ` for more details. - On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced - IBRS on x86), retpoline is automatically disabled at run time. + On CPUs with hardware mitigation for Spectre variant 2 (e.g. IBRS + or enhanced IBRS on x86), retpoline is automatically disabled at run time. + + Setting the IBRS bit implicitly enables STIBP which guards against + cross-thread branch target injection on SMT systems. On systems with enhanced + IBRS, the kernel sets the bit once, which keeps cross-thread protections + always enabled, obviating the need for an explicit STIBP. On CPUs with legacy + IBRS, the kernel clears the IBRS bit on returning to user-space, thus also + disabling the implicit STIBP. Consequently, STIBP needs to be explicitly + enabled to guard against cross-thread attacks in userspace. + The retpoline mitigation is turned on by default on vulnerable CPUs. It can be forced on or off by the administrator 
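Review bot: the new paragraph ends with "STIBP needs to be explicitly enabled" but does not tell the administrator how to do that. The commit message of patch 1/2 names the controls (opt-in via prctl or seccomp, or always on, selected via spectre_v2_user); please point to that option here. The paragraph also mixes "user-space" and "userspace"; pick one spelling.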
@@ -504,9 +513,12 @@ Spectre variant 2 For Spectre variant 2 mitigation, individual user programs can be compiled with return trampolines for indirect branches. This protects them from consuming poisoned entries in the branch - target buffer left by malicious software. Alternatively, the - programs can disable their indirect branch speculation via prctl() - (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). + target buffer left by malicious software. + + On legacy IBRS systems, at return to userspace, implicit STIBP is disabled + because the kernel clears the IBRS bit. In this case, the userspace programs + can disable indirect branch speculation via prctl() (See + :ref:`Documentation/userspace-api/spec_ctrl.rst `). On x86, this will turn on STIBP to guard against attacks from the sibling thread when the user program is running, and use IBPB to flush the branch target buffer when switching to/from the program.
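Review bot: in the rewritten paragraph, "In this case, the userspace programs can disable indirect branch speculation via prctl()" ties the prctl() option to legacy IBRS systems, while the removed text offered it as a general alternative to building with return trampolines. Since spectre_v2_user_needs_stibp() in patch 1/2 is true for every non-eIBRS mode, consider keeping the "Alternatively, ..." sentence general and adding the legacy IBRS explanation as a separate sentence.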