[$] Taming STIBP

The Spectre class of hardware vulnerabilities was apparently so-named
because it can be expected to haunt us for some time. One aspect of that
haunting can be seen in the fact that, nearly one year after Spectre was
disclosed, the kernel is still unable to prevent one user-space process
from attacking another in some situations. An attempt to provide that
protection using a new x86 microcode feature called STIBP has run into
trouble once its performance impact was understood; now a more nuanced
approach may succeed in providing protection where it is needed without
slowing down everybody else.