[PATCH] cpu/bugs: Disable CPU mitigations at compilation time

LKML Archive mirror
 help / color / mirror / Atom feed

From: Breno Leitao <leitao@debian.org>
To: tglx@linutronix.de, bp@alien8.de,
	pawan.kumar.gupta@linux.intel.com, paul@paul-moore.com
Cc: leit@meta.com, x86@kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time
Date: Fri,  3 Feb 2023 04:06:15 -0800	[thread overview]
Message-ID: <20230203120615.1121272-1-leitao@debian.org> (raw)

Right now it is not possible to disable CPU vulnerabilities mitigations
at build time. Mitigation needs to be disabled passing kernel
parameters, such as 'mitigations=off'.

Create a new config option (CONFIG_CPU_MITIGATIONS_DEFAULT_OFF) that
sets the global variable `cpu_mitigations` to OFF, instead of AUTO. This
allows the creation of kernel binaries that boots with the CPU
mitigations turned off by default, and does not require dealing kernel
parameters.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
 kernel/cpu.c     |  7 +++++--
 security/Kconfig | 11 +++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/kernel/cpu.c b/kernel/cpu.c
index 6c0a92ca6bb5..90afb29eb62f 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2727,8 +2727,11 @@ enum cpu_mitigations {
 	CPU_MITIGATIONS_AUTO_NOSMT,
 };
 
-static enum cpu_mitigations cpu_mitigations __ro_after_init =
-	CPU_MITIGATIONS_AUTO;
+#ifdef CONFIG_CPU_MITIGATIONS_DEFAULT_OFF
+static enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_OFF;
+#else
+static enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_AUTO;
+#endif
 
 static int __init mitigations_parse_cmdline(char *arg)
 {
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..644f91b6c26a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -258,6 +258,17 @@ config LSM
 
 	  If unsure, leave this as the default.
 
+config CPU_MITIGATIONS_DEFAULT_OFF
+	bool "Disable mitigations for CPU vulnerabilities by default"
+	default n
+	help
+	  This option disables mitigations for CPU vulnerabilities by default.
+	  Disabling CPU mitigations improves system performance,
+	  but it may also expose users to several CPU vulnerabilities.
+	  This option has the same effect of passing `mitigations=off` kernel
+	  parameter. The CPU mitigations could be enabled back using the
+	  'mitigations' parameter.
+
 source "security/Kconfig.hardening"
 
 endmenu
-- 
2.30.2

next             reply	other threads:[~2023-02-03 12:07 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-03 12:06 Breno Leitao [this message]
2023-06-09 17:33 ` [PATCH] cpu/bugs: Disable CPU mitigations at compilation time Borislav Petkov
2023-06-12 11:22   ` David Laight
2023-06-12 11:51     ` Borislav Petkov
2023-06-12 12:16       ` David Laight
2023-06-12 13:27         ` Borislav Petkov
2023-06-10 22:37 ` Thomas Gleixner
2023-06-12 12:54   ` Breno Leitao
2023-06-12 13:32     ` Borislav Petkov
2023-06-12 13:46       ` Breno Leitao
2023-06-12 13:53         ` Borislav Petkov
2023-06-12 14:16           ` Breno Leitao
2023-06-12 16:08             ` Borislav Petkov
2023-06-12 16:37               ` Breno Leitao
2023-06-12 17:05                 ` Borislav Petkov
2023-06-13 16:02                   ` Breno Leitao
2023-06-13 16:20                     ` Borislav Petkov
2023-06-12 17:26                 ` Thomas Gleixner
2023-06-12 18:06               ` Randy Dunlap
2023-06-12 18:13                 ` Borislav Petkov

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:6c0a92ca6bb dfblob:e6db09a779b dfblob:90afb29eb62
dfblob:644f91b6c26
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230203120615.1121272-1-leitao@debian.org \
    --to=leitao@debian.org \
    --cc=bp@alien8.de \
    --cc=leit@meta.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=pawan.kumar.gupta@linux.intel.com \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).