On Thu, Jan 04, 2018 at 07:52:19PM +0100, Borislav Petkov wrote:
> So why not "IBRS always" or off? No need for the "IBRS only in the
> kernel" setting.

Because it's slower (or much slower, depending on how much stuff the microcode has to disable in the CPU to provide IBRS), and you only need that kind of protection in the kernel if you have PTI enabled already. ibrs 1 (not 2) is the current default because of that.