diff --git a/sys/arm64/arm64/cpu_errata.c b/sys/arm64/arm64/cpu_errata.c
--- a/sys/arm64/arm64/cpu_errata.c
+++ b/sys/arm64/arm64/cpu_errata.c
@@ -66,6 +66,7 @@
 		.midr_value = 0,
 		.quirk_install = install_psci_bp_hardening,
 	},
+	/* Spectre-V4 */
 	{
 		.midr_mask = 0,
 		.midr_value = 0,
@@ -113,9 +114,15 @@
 	PCPU_SET(bp_harden, smccc_arch_workaround_1);
 }
 
+/* Spectre Variant 4 */
 static void
-install_ssbd_workaround(u_int midr __unused)
+install_ssbd_workaround(u_int midr)
 {
+	static const u_int safe_list[] = {
+		CPU_ID_RAW(CPU_IMPL_ARM, CPU_PART_CORTEX_A35, 0, 0),
+		CPU_ID_RAW(CPU_IMPL_ARM, CPU_PART_CORTEX_A53, 0, 0),
+		CPU_ID_RAW(CPU_IMPL_ARM, CPU_PART_CORTEX_A55, 0, 0),
+	};
 	char *env;
 
 	if (PCPU_GET(cpuid) == 0) {
@@ -129,9 +136,19 @@
 		}
 	}
 
+	/* This is a known safe CPU */
+	for (int i = 0; i < nitems(safe_list); i++) {
+		if ((midr & (CPU_IMPL_MASK | CPU_PART_MASK)) == safe_list[i])
+			return;
+	}
+
 	/* Enable the workaround on this CPU if it's enabled in the firmware */
-	if (smccc_arch_features(SMCCC_ARCH_WORKAROUND_2) != SMCCC_RET_SUCCESS)
+	if (smccc_arch_features(SMCCC_ARCH_WORKAROUND_2) != SMCCC_RET_SUCCESS) {
+		if (ssbd_method == SSBD_FORCE_ON)
+			printf("WARNING: kern.cfg.ssbd=force-on "
+			    "with no firmware support\n");
 		return;
+	}
 
 	switch(ssbd_method) {
 	case SSBD_FORCE_ON: