--- wikisrc/security/meltdown_spectre.mdwn 2018/05/22 07:37:22 1.30 +++ wikisrc/security/meltdown_spectre.mdwn 2018/05/22 08:24:53 1.31 @@ -94,8 +94,8 @@ riscv |(Spec.) |Not vulnerable | | | ## Spectre Variant 3a -This issue will be addressed in future microcode updates. No software -change is required. +This issue will be addressed in future microcode updates on x86. No +software change is required. ## Spectre Variant 4 
@@ -116,24 +116,39 @@ i386 |VIA |Unknown | | | Meltdown is mitigated with the SVS feature. It can be dynamically disabled by changing the "machdep.svs.enabled" sysctl. -### Mitigation B: Intel IBRS +### Mitigations B, C, D -SpectreV2 can be mitigated with the IBRS method (Intel only for now). If -the CPU supports this method, it is used automatically. It can be -dynamically disabled by changing the "machdep.spectre_v2.mitigated" -sysctl. +There is no unified mitigation for SpectreV2. Rather, a set of mitigations +are available, in both hardware and software. + +Three sysctls exist, under the machdep.spectre_v2 node: + +[[!template id=programlisting text=""" +machdep.spectre_v2.hwmitigated = {0/1} user-settable +machdep.spectre_v2.swmitigated = {0/1} set by the kernel +machdep.spectre_v2.method = {string} set by the kernel +"""]] + +Only hwmitigated can be set by the user. When set to one, the kernel will +determine the best hardware mitigation available for the currently +running CPU, and will apply it. + +#### Mitigation B: Intel IBRS + +Hardware mitigation, Intel only (for now). If the CPU supports this method, +it is used automatically by the kernel. It can be dynamically +enabled/disabled by changing the "hwmitigated" sysctl. -### Mitigation C: AMD DIS_IND +#### Mitigation C: AMD DIS_IND -SpectreV2 can be mitigated with the DIS_IND method, available only on a -few AMD families. If the CPU supports this method, it is used -automatically. It can be dynamically disabled by changing the -"machdep.spectre_v2.mitigated" sysctl. +Hardware mitigation, available only on a few AMD families. If the CPU +supports this method, it is used automatically by the kernel. It can be +dynamically enabled/disabled by changing the "hwmitigated" sysctl. -### Mitigation D: Retpoline +#### Mitigation D: GCC Retpoline -SpectreV2 is mitigated in the kernel with the GCC "retpoline" compilation -flag, which is enabled by default in GENERIC. +Software mitigation. 
It is enabled by default in GENERIC. When enabled, +the "swmitigated" sysctl is set to one. ### Mitigation E: Intel SSBD
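Review bot: in the Variant 3a hunk (-94,8), the microcode fix is now scoped to x86 ("addressed in future microcode updates on x86") while the following sentence keeps the unqualified "No software change is required", so a reader on one of the other architectures in the table above (the riscv row is visible in the context) gets no status for this variant at all. Suggest either stating the non-x86 status in the same paragraph or pointing at the per-architecture table, so the new x86 qualifier is not read as "unknown elsewhere".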
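Review bot: in the Mitigations B, C, D hunk (-116,24), the B and C subsections name the user-settable knob only by its short form ("hwmitigated" sysctl), whereas the Meltdown paragraph kept in context uses the full name "machdep.svs.enabled"; write `machdep.spectre_v2.hwmitigated` in the text so it can be pasted into sysctl(8) as-is, and since this hunk drops the previously documented "machdep.spectre_v2.mitigated" name without comment, add one sentence saying that name was replaced, so readers of older copies of this page do not look for a sysctl that no longer matches. Two smaller points in the same hunk: "a set of mitigations are available" should read "is available" (the subject is "set"), and the listing introduces `machdep.spectre_v2.method = {string} set by the kernel` without saying which strings the kernel reports; either enumerate them or state that the value names the mitigation currently in effect. Finally, Mitigation D says "It is enabled by default in GENERIC. When enabled, the "swmitigated" sysctl is set to one": the removed text made clear this is the GCC retpoline compilation flag, so say explicitly that "enabled" means built into the kernel and is not a runtime toggle, otherwise the parallel wording with B and C suggests swmitigated can be flipped like hwmitigated, which the listing ("set by the kernel") rules out.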