spectre_bhi=vmexit Mitigation Merged For Linux 6.11 Cloud Use
([Linux Security] Spectre BHI Mitigation)
- Reference: 0001479181
- News link: https://www.phoronix.com/news/Spectre-BHI-vmexit-Linux-6.11
The "x86/bugs" pull request has been merged for the Linux 6.11 kernel. It is just three patches this time around, but it includes a new Spectre BHI mitigation option.
Being added to Linux 6.11 is the "spectre_bhi=vmexit" mitigation option, intended for use by cloud providers. As previously explained in [1] Linux Prepares New Spectre BHI Mitigation Option For Cloud Environments, the new "vmexit" option mitigates the Spectre Branch History Injection (BHI) vulnerability only on VMEXIT, fending off VM-originated attacks. However, older servers will remain vulnerable to Spectre BHI attacks via system calls. Protecting against VM-originated attacks matters for the public cloud, and this option does so without incurring the performance overhead of also mitigating system calls.
Spectre BHI/BHB can lead to leaking arbitrary kernel memory on modern Intel CPUs and was disclosed back in 2022 by VUSec. The Spectre BHI VMEXIT option is a lighter-weight alternative to the default spectre_bhi=on, reducing the performance burden on servers whose workloads are primarily (untrusted) virtual machines.
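A defender-side check of which BHI mode a host actually ended up in, added here as an example rather than code from the article or the kernel: it parses the "BHI:" field the kernel appends to its spectre_v2 vulnerability status line and reads the spectre_bhi= value from the kernel command line. The status strings and the sample lines are constructed from the kernel's reporting format and should be verified against the running kernel's arch/x86/kernel/cpu/bugs.c.

```shell
#!/bin/sh
# Added example: report how a host handles Spectre BHI (full mitigation,
# vmexit-only, none) from the kernel's own status reporting.
# Sample status and cmdline lines below are constructed for offline use and
# mirror the format of /sys/devices/system/cpu/vulnerabilities/spectre_v2.

# Extract the "BHI: ..." field from a spectre_v2 status line ("" if absent).
bhi_field() {
    printf '%s\n' "$1" | sed -n 's/.*BHI: \([^;]*\).*/\1/p'
}

# Map the BHI field to what it means for a hypervisor host.
# Prints one of: unaffected, full, vmexit-only, unmitigated, unknown.
classify_bhi() {
    case "$1" in
        "Not affected")                                   echo unaffected ;;
        "BHI_DIS_S"|"SW loop, KVM: SW loop"|"Retpoline")  echo full ;;
        "Vulnerable, KVM: SW loop")                       echo vmexit-only ;;
        "Vulnerable")                                     echo unmitigated ;;
        *)                                                echo unknown ;;
    esac
}

# Print the spectre_bhi= value from a kernel command line ("" if not set).
bhi_cmdline_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^spectre_bhi=//p' | tail -n 1
}

# Constructed samples: a host booted with spectre_bhi=vmexit on a CPU that
# lacks the hardware BHI_DIS_S control.
SAMPLE_STATUS='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable, KVM: SW loop'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-6.11 root=/dev/sda1 ro spectre_bhi=vmexit'

main() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ] && [ -r /proc/cmdline ]; then
        status=$(cat "$f"); cmdline=$(cat /proc/cmdline)
    else
        status=$SAMPLE_STATUS; cmdline=$SAMPLE_CMDLINE
    fi
    field=$(bhi_field "$status")
    printf 'spectre_bhi cmdline : %s\n' "$(bhi_cmdline_mode "$cmdline")"
    printf 'BHI status          : %s\n' "${field:-not reported}"
    printf 'classification      : %s\n' "$(classify_bhi "$field")"
}
main "$@"
```

On a real host the script reads the live sysfs and /proc/cmdline values instead of the constructed samples; a "vmexit-only" result means guests are protected at VMEXIT while the host's own system-call path is not.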
The Spectre BHI VMEXIT option landed in Linux 6.11 Git via the [2] x86/bugs pull request.
[1] https://www.phoronix.com/news/Linux-Spectre-BHI-VMEXIT
[2] https://lore.kernel.org/lkml/20240715173433.GAZpVdqWGG1ymjPfER@fat_crate.local/