> + /* > + * The following Intel CPUs are affected by BHI, but they don't have > + * the eIBRS feature. In that case, the default Spectre v2 mitigations > + * are enough to also mitigate BHI. We mark these CPUs with NO_BHI so > + * that X86_BUG_BHI doesn't get set and no extra BHI mitigation is > + * enabled. > + * > + * This avoids guest VMs from enabling extra BHI mitigation when this > + * is not needed. For guest, X86_BUG_BHI is never set for CPUs which > + * don't have the eIBRS feature. But this doesn't happen in guest VMs > + * as the virtualization can hide the eIBRS feature. > + */ > + VULNWL_INTEL(IVYBRIDGE_X, NO_BHI), > + VULNWL_INTEL(HASWELL_X, NO_BHI), > + VULNWL_INTEL(BROADWELL_X, NO_BHI), > + VULNWL_INTEL(SKYLAKE_X, NO_BHI), > + VULNWL_INTEL(SKYLAKE_X, NO_BHI), Isn't this at odds with the existing comment? /* When virtualized, eIBRS could be hidden, assume vulnerable */ Because it seems now that we've got two relatively conflicting pieces of vulnerability information when running under a hypervisor.
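Review bot: `VULNWL_INTEL(SKYLAKE_X, NO_BHI)` appears twice at the end of the list, which looks like a copy-paste slip; drop one of the two lines (if a different model was intended, it needs its own entry). The new comment also contradicts itself: "For guest, X86_BUG_BHI is never set for CPUs which don't have the eIBRS feature" is immediately followed by "But this doesn't happen in guest VMs as the virtualization can hide the eIBRS feature", so it is unclear which case (bare metal or guest) the paragraph is describing. Reword it to state the bare-metal rule first (these models lack eIBRS, so the default Spectre v2 mitigation already covers BHI) and then the guest case (the hypervisor may hide eIBRS, so the existing logic would otherwise assume BHI and enable the extra mitigation), and say explicitly that the NO_BHI whitelist takes precedence over the `/* When virtualized, eIBRS could be hidden, assume vulnerable */` path, otherwise the two comments give conflicting answers for the same CPU under a hypervisor. Since a NO_BHI entry exempts the whole model, the comment should also spell out why no extra BHI mitigation is safe for these models even when the guest cannot see eIBRS.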