[PATCH] cpu/bugs: Disable CPU mitigations at compilation time
From: Breno Leitao
Date: Fri Feb 03 2023 - 07:07:24 EST
Right now it is not possible to disable CPU vulnerabilities mitigations
at build time. Mitigation needs to be disabled passing kernel
parameters, such as 'mitigations=off'.
Create a new config option (CONFIG_CPU_MITIGATIONS_DEFAULT_OFF) that
sets the global variable `cpu_mitigations` to OFF, instead of AUTO. This
allows the creation of kernel binaries that boots with the CPU
mitigations turned off by default, and does not require dealing kernel
parameters.
Signed-off-by: Breno Leitao <leitao@xxxxxxxxxx>
---
kernel/cpu.c | 7 +++++--
security/Kconfig | 11 +++++++++++
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 6c0a92ca6bb5..90afb29eb62f 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2727,8 +2727,11 @@ enum cpu_mitigations {
CPU_MITIGATIONS_AUTO_NOSMT,
};
-static enum cpu_mitigations cpu_mitigations __ro_after_init =
- CPU_MITIGATIONS_AUTO;
+#ifdef CONFIG_CPU_MITIGATIONS_DEFAULT_OFF
+static enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_OFF;
+#else
+static enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_AUTO;
+#endif
static int __init mitigations_parse_cmdline(char *arg)
{
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..644f91b6c26a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -258,6 +258,17 @@ config LSM
If unsure, leave this as the default.
+config CPU_MITIGATIONS_DEFAULT_OFF
+ bool "Disable mitigations for CPU vulnerabilities by default"
+ default n
+ help
+ This option disables mitigations for CPU vulnerabilities by default.
+ Disabling CPU mitigations improves system performance,
+ but it may also expose users to several CPU vulnerabilities.
+ This option has the same effect of passing `mitigations=off` kernel
+ parameter. The CPU mitigations could be enabled back using the
+ 'mitigations' parameter.
+
source "security/Kconfig.hardening"
endmenu
--
2.30.2