On 01/04/2018 10:52 AM, Borislav Petkov wrote: >> Paranoid people want "IBRS always" aka "ibrs 2". > > So why not "IBRS always" or off? No need for the "IBRS only in the > kernel" setting.
IBRS=1 slows execution down. If it's on all the time, you pay a performance cost in userspace. The assumption is that the user/kernel boundary switching cost is below the cost of having it on all the time.
