[PATCH v3 0/4] x86/spec: improve command line parsing

[PATCH v3 0/4] x86/spec: improve command line parsing

[Roger Pau Monne]

Hello,

A couple of improvements for the spec-ctrl command line parsing.

Thanks, Roger.

Roger Pau Monne (4):
  x86/spec: print the built-in SPECULATIVE_HARDEN_* options
  x86/spec: fix BRANCH_HARDEN option to only be set when build-enabled
  x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled
  x86/spec: do not print thunk option selection if not built-in

 docs/misc/xen-command-line.pandoc | 10 +++----
 xen/arch/x86/spec_ctrl.c          | 46 +++++++++++++++++++++++++------
 2 files changed, 42 insertions(+), 14 deletions(-)

-- 
2.43.0

[PATCH v3 1/4] x86/spec: print the built-in SPECULATIVE_HARDEN_* options

[Roger Pau Monne]

Just like it's done for INDIRECT_THUNK and SHADOW_PAGING.

Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Changes since v2:
 - New in this version.
---
 xen/arch/x86/spec_ctrl.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 421fe3f640df..9f5ed8772533 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -466,13 +466,25 @@ static void __init print_details(enum ind_thunk thunk)
            (e21a & cpufeat_mask(X86_FEATURE_SBPB))           ? " SBPB"           : "");
 
     /* Compiled-in support which pertains to mitigations. */
-    if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
+    if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ||
+         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) ||
+         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) ||
+         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) )
         printk("  Compiled-in support:"
 #ifdef CONFIG_INDIRECT_THUNK
                " INDIRECT_THUNK"
 #endif
 #ifdef CONFIG_SHADOW_PAGING
                " SHADOW_PAGING"
+#endif
+#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY
+               " SPECULATIVE_HARDEN_ARRAY"
+#endif
+#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH
+               " SPECULATIVE_HARDEN_BRANCH"
+#endif
+#ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS
+               " SPECULATIVE_HARDEN_GUEST_ACCESS"
 #endif
                "\n");
 
-- 
2.43.0

Re: [PATCH v3 1/4] x86/spec: print the built-in SPECULATIVE_HARDEN_* options

[Jan Beulich]

On 26.02.2024 12:07, Roger Pau Monne wrote:
> Just like it's done for INDIRECT_THUNK and SHADOW_PAGING.
> 
> Reported-by: Jan Beulich <jbeulich@suse.com>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>

In principle
Reviewed-by: Jan Beulich <jbeulich@suse.com>
but ...

> --- a/xen/arch/x86/spec_ctrl.c
> +++ b/xen/arch/x86/spec_ctrl.c
> @@ -466,13 +466,25 @@ static void __init print_details(enum ind_thunk thunk)
>             (e21a & cpufeat_mask(X86_FEATURE_SBPB))           ? " SBPB"           : "");
>  
>      /* Compiled-in support which pertains to mitigations. */
> -    if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
> +    if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ||
> +         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) ||
> +         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) ||
> +         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) )
>          printk("  Compiled-in support:"
>  #ifdef CONFIG_INDIRECT_THUNK
>                 " INDIRECT_THUNK"
>  #endif
>  #ifdef CONFIG_SHADOW_PAGING
>                 " SHADOW_PAGING"
> +#endif
> +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY
> +               " SPECULATIVE_HARDEN_ARRAY"
> +#endif
> +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH
> +               " SPECULATIVE_HARDEN_BRANCH"
> +#endif
> +#ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS
> +               " SPECULATIVE_HARDEN_GUEST_ACCESS"
>  #endif

... I'd like to suggest to drop the SPECULATIVE_ from the string literals.
They're relevant in the Kconfig identifiers, but they're imo redundant in
the context of these log messages. (Happy to adjust while committing, if
need be.)

Jan

Re: [PATCH v3 1/4] x86/spec: print the built-in SPECULATIVE_HARDEN_* options

[Roger Pau Monné]

On Mon, Feb 26, 2024 at 01:39:49PM +0100, Jan Beulich wrote:
> On 26.02.2024 12:07, Roger Pau Monne wrote:
> > Just like it's done for INDIRECT_THUNK and SHADOW_PAGING.
> > 
> > Reported-by: Jan Beulich <jbeulich@suse.com>
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> 
> In principle
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> but ...
> 
> > --- a/xen/arch/x86/spec_ctrl.c
> > +++ b/xen/arch/x86/spec_ctrl.c
> > @@ -466,13 +466,25 @@ static void __init print_details(enum ind_thunk thunk)
> >             (e21a & cpufeat_mask(X86_FEATURE_SBPB))           ? " SBPB"           : "");
> >  
> >      /* Compiled-in support which pertains to mitigations. */
> > -    if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
> > +    if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ||
> > +         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) ||
> > +         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) ||
> > +         IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) )
> >          printk("  Compiled-in support:"
> >  #ifdef CONFIG_INDIRECT_THUNK
> >                 " INDIRECT_THUNK"
> >  #endif
> >  #ifdef CONFIG_SHADOW_PAGING
> >                 " SHADOW_PAGING"
> > +#endif
> > +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY
> > +               " SPECULATIVE_HARDEN_ARRAY"
> > +#endif
> > +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH
> > +               " SPECULATIVE_HARDEN_BRANCH"
> > +#endif
> > +#ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS
> > +               " SPECULATIVE_HARDEN_GUEST_ACCESS"
> >  #endif
> 
> ... I'd like to suggest to drop the SPECULATIVE_ from the string literals.
> They're relevant in the Kconfig identifiers, but they're imo redundant in
> the context of these log messages. (Happy to adjust while committing, if
> need be.)

Oh, yes, indeed, we already print HARDEN_BRANCH instead of
SPECULATIVE_HARDEN_BRANCH.  Please adjust at commit if you don't mind.

Thanks, Roger.

[PATCH v3 2/4] x86/spec: fix BRANCH_HARDEN option to only be set when build-enabled

[Roger Pau Monne]

The current logic to handle the BRANCH_HARDEN option will report it as enabled
even when build-time disabled. Fix this by only allowing the option to be set
when support for it is built into Xen.

Fixes: 2d6f36daa086 ('x86/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_BRANCH')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Changes since v2:
 - Use IS_ENABLED() in the parser.

Changes since v1:
 - Use no_config_param().
---
 xen/arch/x86/spec_ctrl.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 9f5ed8772533..5fae80774519 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -50,7 +50,8 @@ static int8_t __initdata opt_psfd = -1;
 int8_t __ro_after_init opt_ibpb_ctxt_switch = -1;
 int8_t __read_mostly opt_eager_fpu = -1;
 int8_t __read_mostly opt_l1d_flush = -1;
-static bool __initdata opt_branch_harden = true;
+static bool __initdata opt_branch_harden =
+    IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH);
 
 bool __initdata bsp_delay_spec_ctrl;
 uint8_t __read_mostly default_xen_spec_ctrl;
@@ -268,7 +269,16 @@ static int __init cf_check parse_spec_ctrl(const char *s)
         else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
             opt_l1d_flush = val;
         else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 )
-            opt_branch_harden = val;
+        {
+            if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) )
+                opt_branch_harden = val;
+            else
+            {
+                no_config_param("SPECULATIVE_HARDEN_BRANCH", "spec-ctrl", s,
+                                ss);
+                rc = -EINVAL;
+            }
+        }
         else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 )
             opt_srb_lock = val;
         else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 )
-- 
2.43.0

Re: [PATCH v3 2/4] x86/spec: fix BRANCH_HARDEN option to only be set when build-enabled

[Jan Beulich]

On 26.02.2024 12:07, Roger Pau Monne wrote:
> The current logic to handle the BRANCH_HARDEN option will report it as enabled
> even when build-time disabled. Fix this by only allowing the option to be set
> when support for it is built into Xen.
> 
> Fixes: 2d6f36daa086 ('x86/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_BRANCH')
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>

[PATCH v3 3/4] x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled

[Roger Pau Monne]

Attempt to provide a more helpful error message when the user attempts to set
spec-ctrl=bti-thunk option but the support is build-time disabled.

While there also adjust the command line documentation to mention
CONFIG_INDIRECT_THUNK instead of INDIRECT_THUNK.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Changes since v2:
 - Adjust documentation.
 - Use IS_ENABLED() instead of #ifdef.

Changes since v1:
 - New in this version.
---
 docs/misc/xen-command-line.pandoc | 10 +++++-----
 xen/arch/x86/spec_ctrl.c          |  7 ++++++-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index be76be8d5365..02896598df6f 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -2417,11 +2417,11 @@ guests to use.
   performance reasons dom0 is unprotected by default.  If it is necessary to
   protect dom0 too, boot with `spec-ctrl=ibpb-entry`.
 
-If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to
-select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
-locations.  The default thunk is `retpoline` (generally preferred), with the
-alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and
-`lfence` (an `lfence; jmp *%reg` gadget).
+If Xen was compiled with `CONFIG_INDIRECT_THUNK` support, `bti-thunk=` can be
+used to select which of the thunks gets patched into the
+`__x86_indirect_thunk_%reg` locations.  The default thunk is `retpoline`
+(generally preferred), with the alternatives being `jmp` (a `jmp *%reg` gadget,
+minimal overhead), and `lfence` (an `lfence; jmp *%reg` gadget).
 
 On hardware supporting IBRS (Indirect Branch Restricted Speculation), the
 `ibrs=` option can be used to force or prevent Xen using the feature itself.
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 5fae80774519..ca82b9e41ccd 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -241,7 +241,12 @@ static int __init cf_check parse_spec_ctrl(const char *s)
         {
             s += 10;
 
-            if ( !cmdline_strcmp(s, "retpoline") )
+            if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) )
+            {
+                no_config_param("INDIRECT_THUNK", "spec-ctrl=bti-thunk", s, ss);
+                rc = -EINVAL;
+            }
+            else if ( !cmdline_strcmp(s, "retpoline") )
                 opt_thunk = THUNK_RETPOLINE;
             else if ( !cmdline_strcmp(s, "lfence") )
                 opt_thunk = THUNK_LFENCE;
-- 
2.43.0

Re: [PATCH v3 3/4] x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled

[Jan Beulich]

On 26.02.2024 12:07, Roger Pau Monne wrote:
> Attempt to provide a more helpful error message when the user attempts to set
> spec-ctrl=bti-thunk option but the support is build-time disabled.
> 
> While there also adjust the command line documentation to mention
> CONFIG_INDIRECT_THUNK instead of INDIRECT_THUNK.
> 
> Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>
with one minor remark:

> --- a/xen/arch/x86/spec_ctrl.c
> +++ b/xen/arch/x86/spec_ctrl.c
> @@ -241,7 +241,12 @@ static int __init cf_check parse_spec_ctrl(const char *s)
>          {
>              s += 10;
>  
> -            if ( !cmdline_strcmp(s, "retpoline") )
> +            if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) )
> +            {
> +                no_config_param("INDIRECT_THUNK", "spec-ctrl=bti-thunk", s, ss);
> +                rc = -EINVAL;
> +            }
> +            else if ( !cmdline_strcmp(s, "retpoline") )
>                  opt_thunk = THUNK_RETPOLINE;
>              else if ( !cmdline_strcmp(s, "lfence") )
>                  opt_thunk = THUNK_LFENCE;

How about

            if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) )
            {
                no_config_param("INDIRECT_THUNK", "spec-ctrl", s - 10, ss);
                rc = -EINVAL;
            }
            else if ( !cmdline_strcmp(s, "retpoline") )

or (likely less liked by you and Andrew) "s += 10;" dropped and then

            if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) )
            {
                no_config_param("INDIRECT_THUNK", "spec-ctrl", s, ss);
                rc = -EINVAL;
            }
            else if ( !cmdline_strcmp(s += 10, "retpoline") )

conserving a little on string literal space (sadly, despite the function
being __init, string literals remain post-init due to living in .rodata)?

Jan

Re: [PATCH v3 3/4] x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled

[Roger Pau Monné]

On Mon, Feb 26, 2024 at 01:50:46PM +0100, Jan Beulich wrote:
> On 26.02.2024 12:07, Roger Pau Monne wrote:
> > Attempt to provide a more helpful error message when the user attempts to set
> > spec-ctrl=bti-thunk option but the support is build-time disabled.
> > 
> > While there also adjust the command line documentation to mention
> > CONFIG_INDIRECT_THUNK instead of INDIRECT_THUNK.
> > 
> > Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> 
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> with one minor remark:
> 
> > --- a/xen/arch/x86/spec_ctrl.c
> > +++ b/xen/arch/x86/spec_ctrl.c
> > @@ -241,7 +241,12 @@ static int __init cf_check parse_spec_ctrl(const char *s)
> >          {
> >              s += 10;
> >  
> > -            if ( !cmdline_strcmp(s, "retpoline") )
> > +            if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) )
> > +            {
> > +                no_config_param("INDIRECT_THUNK", "spec-ctrl=bti-thunk", s, ss);
> > +                rc = -EINVAL;
> > +            }
> > +            else if ( !cmdline_strcmp(s, "retpoline") )
> >                  opt_thunk = THUNK_RETPOLINE;
> >              else if ( !cmdline_strcmp(s, "lfence") )
> >                  opt_thunk = THUNK_LFENCE;
> 
> How about
> 
>             if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) )
>             {
>                 no_config_param("INDIRECT_THUNK", "spec-ctrl", s - 10, ss);
>                 rc = -EINVAL;
>             }
>             else if ( !cmdline_strcmp(s, "retpoline") )
> 
> or (likely less liked by you and Andrew) "s += 10;" dropped and then
> 
>             if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) )
>             {
>                 no_config_param("INDIRECT_THUNK", "spec-ctrl", s, ss);
>                 rc = -EINVAL;
>             }
>             else if ( !cmdline_strcmp(s += 10, "retpoline") )
> 
> conserving a little on string literal space (sadly, despite the function
> being __init, string literals remain post-init due to living in .rodata)?

TBH I'm not overly worried about those 10 extra characters, but if I
had to choose I prefer the first option (so `s - 10`).

Thanks, Roger.

[PATCH v3 4/4] x86/spec: do not print thunk option selection if not built-in

[Roger Pau Monne]

Now that the thunk built-in enable is printed as part of the "Compiled-in
support:" line, avoid printing anything in "Xen settings:" if the thunk is
disabled at build time.

Note the BTI-Thunk option printing is also adjusted to print a colon in the
same way the other options on the line do.

Requested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Changes since v3:
 - New in this version.
---
 xen/arch/x86/spec_ctrl.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index ca82b9e41ccd..e8b0e62adba4 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -504,11 +504,12 @@ static void __init print_details(enum ind_thunk thunk)
                "\n");
 
     /* Settings for Xen's protection, irrespective of guests. */
-    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n",
-           thunk == THUNK_NONE      ? "N/A" :
-           thunk == THUNK_RETPOLINE ? "RETPOLINE" :
-           thunk == THUNK_LFENCE    ? "LFENCE" :
-           thunk == THUNK_JMP       ? "JMP" : "?",
+    printk("  Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n",
+           thunk != THUNK_NONE      ? "BTI-Thunk: " : "",
+           thunk == THUNK_NONE      ? "" :
+           thunk == THUNK_RETPOLINE ? "RETPOLINE, " :
+           thunk == THUNK_LFENCE    ? "LFENCE, " :
+           thunk == THUNK_JMP       ? "JMP, " : "?, ",
            (!boot_cpu_has(X86_FEATURE_IBRSB) &&
             !boot_cpu_has(X86_FEATURE_IBRS))         ? "No" :
            (default_xen_spec_ctrl & SPEC_CTRL_IBRS)  ? "IBRS+" :  "IBRS-",
-- 
2.43.0

Re: [PATCH v3 4/4] x86/spec: do not print thunk option selection if not built-in

[Jan Beulich]

On 26.02.2024 12:07, Roger Pau Monne wrote:
> Now that the thunk built-in enable is printed as part of the "Compiled-in
> support:" line, avoid printing anything in "Xen settings:" if the thunk is
> disabled at build time.

Why "Now that ..."? It's other logging the earlier patch adds there.

> Note the BTI-Thunk option printing is also adjusted to print a colon in the
> same way the other options on the line do.
> 
> Requested-by: Jan Beulich <jbeulich@suse.com>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>

With either a clarification of what's meant or e.g. s/Now that/Since/
Reviewed-by: Jan Beulich <jbeulich@suse.com>

Jan

Re: [PATCH v3 4/4] x86/spec: do not print thunk option selection if not built-in

[Roger Pau Monné]

On Mon, Feb 26, 2024 at 01:54:54PM +0100, Jan Beulich wrote:
> On 26.02.2024 12:07, Roger Pau Monne wrote:
> > Now that the thunk built-in enable is printed as part of the "Compiled-in
> > support:" line, avoid printing anything in "Xen settings:" if the thunk is
> > disabled at build time.
> 
> Why "Now that ..."? It's other logging the earlier patch adds there.

'Now that ...'  would refer to patch 1/4.

> > Note the BTI-Thunk option printing is also adjusted to print a colon in the
> > same way the other options on the line do.
> > 
> > Requested-by: Jan Beulich <jbeulich@suse.com>
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> 
> With either a clarification of what's meant or e.g. s/Now that/Since/
> Reviewed-by: Jan Beulich <jbeulich@suse.com>

'Since' is likely more appropriate.

Thanks, Roger.

Re: [PATCH v3 4/4] x86/spec: do not print thunk option selection if not built-in

[Jan Beulich]

On 27.02.2024 12:20, Roger Pau Monné wrote:
> On Mon, Feb 26, 2024 at 01:54:54PM +0100, Jan Beulich wrote:
>> On 26.02.2024 12:07, Roger Pau Monne wrote:
>>> Now that the thunk built-in enable is printed as part of the "Compiled-in
>>> support:" line, avoid printing anything in "Xen settings:" if the thunk is
>>> disabled at build time.
>>
>> Why "Now that ..."? It's other logging the earlier patch adds there.
> 
> 'Now that ...'  would refer to patch 1/4.

But that's why I'm asking: Patch 1 does not add any printing for thunk
usage; it extends that and shadow-paging's printing by the three
hardening ones. But anyway ...

>>> Note the BTI-Thunk option printing is also adjusted to print a colon in the
>>> same way the other options on the line do.
>>>
>>> Requested-by: Jan Beulich <jbeulich@suse.com>
>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>
>> With either a clarification of what's meant or e.g. s/Now that/Since/
>> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> 
> 'Since' is likely more appropriate.

... I'll switch to this then.

Jan