Linux Prepares New Spectre BHI Mitigation Option For Cloud Environments
[Linux Security] spectre_bhi=vmexit
- Reference: 0001474230
- News link: https://www.phoronix.com/news/Linux-Spectre-BHI-VMEXIT
For the Branch History Injection variant of Spectre ([1]Spectre BHI), a patch is pending to add a new mitigation option for this two-year-old CPU security vulnerability.
Spectre BHI/BHB can lead to leaking arbitrary kernel memory on modern Intel CPUs and was disclosed back in 2022 by [2]VUSec. The Linux kernel has supported enabling the hardware mitigations where available, and software fallback mitigations otherwise, for Spectre BHI to protect both system calls and virtual machines. Via the "spectre_bhi=" boot argument, administrators can enable or disable the Spectre BHI mitigation.
What's coming now to the Linux kernel is support for the "spectre_bhi=vmexit" option. The new VMEXIT option will only protect the VM exit path on systems needing software-based mitigations. To avoid the performance cost of software-mitigating system calls, this new option is intended for cloud environments on older processors to fend off only VM-originated Spectre BHI attacks. System calls are left vulnerable, but at least in cloud/virtualized environments the host is protected against attacks originating from inside the virtual machines.
Thus spectre_bhi=vmexit is a lower-cost mitigation for such cloud environments with untrusted VMs, without going full bore with spectre_bhi=on.
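Because spectre_bhi=vmexit deliberately leaves system calls unprotected, an administrator rolling it out wants a quick way to confirm which state a host actually booted into. The following POSIX shell script is an added example, not code from the article or from the kernel patch. It reads the "BHI: ..." fragment the kernel appends to /sys/devices/system/cpu/vulnerabilities/spectre_v2 together with the spectre_bhi= value from /proc/cmdline and classifies the result. The exact status strings ("BHI: SW loop, KVM: SW loop" for full software mitigation, "BHI: Vulnerable, KVM: SW loop" for the vmexit-only case, "BHI: BHI_DIS_S" for the hardware control) are assumed from the kernel's arch/x86/kernel/cpu/bugs.c reporting and may differ across kernel versions; the file paths are parameters so the functions can be exercised against constructed copies.

```shell
#!/bin/sh
# Added example (not from the Phoronix article or the kernel patch):
# report the Spectre BHI mitigation state a Linux host booted with.
# Assumption: the "BHI: ..." fragment in the spectre_v2 sysfs file follows
# the kernel's bugs.c status strings; the classification below is ours.

# bhi_fragment SPECTRE_V2_FILE -> the text after "BHI: ", or "(not reported)"
# (older kernels, or CPUs whose spectre_v2 line carries no BHI fragment).
bhi_fragment() {
    line=$(cat "$1" 2>/dev/null)
    case "$line" in
        *"BHI: "*) printf '%s\n' "${line##*"BHI: "}" ;;
        *)         printf '%s\n' "(not reported)" ;;
    esac
}

# bhi_classify FRAGMENT -> not-affected | hw | sw-full | vmexit-only | vulnerable | unknown
# Order matters: the vmexit-only pattern must be tested before the generic
# "Vulnerable*" pattern, which would otherwise swallow it.
bhi_classify() {
    case "$1" in
        "Not affected"*)             echo not-affected ;;
        BHI_DIS_S*)                  echo hw ;;            # hardware BHI_DIS_S control
        "SW loop, KVM: SW loop"*)    echo sw-full ;;       # syscalls and VM exits (spectre_bhi=on)
        Retpoline*)                  echo sw-full ;;       # retpoline covers BHI on these parts
        "Vulnerable, KVM: SW loop"*) echo vmexit-only ;;   # spectre_bhi=vmexit: syscalls unprotected
        Vulnerable*)                 echo vulnerable ;;    # spectre_bhi=off or no mitigation available
        *)                           echo unknown ;;
    esac
}

# bhi_cmdline_option CMDLINE_FILE -> value of spectre_bhi=, or "(default)".
# If the option appears more than once, this script reports the last one.
bhi_cmdline_option() {
    opt="(default)"
    for tok in $(cat "$1" 2>/dev/null); do
        case "$tok" in
            spectre_bhi=*) opt="${tok#spectre_bhi=}" ;;
        esac
    done
    printf '%s\n' "$opt"
}

# bhi_report SPECTRE_V2_FILE CMDLINE_FILE -> "<class> (spectre_bhi=<opt>; status: <fragment>)"
bhi_report() {
    frag=$(bhi_fragment "$1")
    cls=$(bhi_classify "$frag")
    opt=$(bhi_cmdline_option "$2")
    printf '%s\n' "$cls (spectre_bhi=$opt; status: $frag)"
}

# Stand-alone use: report the live host when the sysfs file is readable.
if [ -r /sys/devices/system/cpu/vulnerabilities/spectre_v2 ]; then
    bhi_report /sys/devices/system/cpu/vulnerabilities/spectre_v2 /proc/cmdline
fi
```

On a host booted with spectre_bhi=vmexit the expected report is "vmexit-only (spectre_bhi=vmexit; status: Vulnerable, KVM: SW loop)"; a result of "vulnerable" or "unknown" on a host that is supposed to run untrusted VMs is the condition worth alerting on.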
This new Spectre BHI mitigation option can be found in [3]TIP.git's x86/bugs branch ahead of the upcoming Linux 6.11 merge window.
[1] https://www.phoronix.com/search/Spectre%20BHI
[2] https://www.vusec.net/projects/bhi-spectre-bhb/
[3] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=42c141fbb651b64db492aab35bc1d96eb4c20261