Re: [PATCH RESEND] x86/pti: Fix kernel warnings for pti= and nopti cmdline options.

From: Sohil Mehta
Date: Tue Aug 08 2023 - 20:13:29 EST


On 8/8/2023 12:56 PM, Jo Van Bulck wrote:

> -
> - if (cmdline_find_option_bool(boot_command_line, "nopti") ||
> - cpu_mitigations_off()) {
> + if (pti_mode == PTI_FORCE_OFF || cpu_mitigations_off()) {
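
Review bot: In the new condition `pti_mode == PTI_FORCE_OFF || cpu_mitigations_off()`, the `cpu_mitigations_off()` term is evaluated regardless of what `pti=` selected. As far as the quoted lines show, a boot with `pti=on` (PTI_FORCE_ON) while mitigations are off takes this branch, has pti_mode overwritten with PTI_FORCE_OFF and returns before `setup_force_cpu_cap(X86_FEATURE_PTI)`. If an explicit `pti=on` is meant to win, guard the second term, for example `(pti_mode == PTI_AUTO && cpu_mitigations_off())`. If it is not meant to win, state the precedence in the commit message and in the parameter documentation so the change in behaviour is deliberate.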

Can mitigations be off through some other mechanisms such as kernel config?

Maybe split the mitigations_off check into a separate if and its own
unique print message?

The existing code might have the same issue as well.

Also, with the separated check you can avoid the unnecessary re-setting
of pti_mode when pti_mode == PTI_FORCE_OFF is true.


> pti_mode = PTI_FORCE_OFF;> pti_print_if_insecure("disabled on command line.");
> return;
> }
>
> -autosel:
> - if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
> + if (pti_mode == PTI_AUTO && !boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
> return;
> -enable:
> +
> + if (pti_mode == PTI_FORCE_ON)
> + pti_print_if_secure("force enabled on command line.");
> setup_force_cpu_cap(X86_FEATURE_PTI);
> }
>
> +static int __init pti_parse_cmdline(char *arg)
> +{
> + if (!strcmp(arg, "off"))
> + pti_mode = PTI_FORCE_OFF;
> + else if (!strcmp(arg, "on"))
> + pti_mode = PTI_FORCE_ON;
> + else if (!strcmp(arg, "auto"))
> + pti_mode = PTI_AUTO;
> + else
> + return -EINVAL;
> + return 0;
> +}
> +early_param("pti", pti_parse_cmdline);
> +
> +static int __init pti_parse_cmdline_nopti(char *arg)
> +{
> + pti_mode = PTI_FORCE_OFF;
> + return 0;
> +}
> +early_param("nopti", pti_parse_cmdline_nopti);
> +
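
Review bot: pti_parse_cmdline() passes `arg` straight to `strcmp()` with no NULL check. If the handler can be invoked for a bare `pti` with no `=value`, that is a NULL dereference during early boot; an `if (!arg) return -EINVAL;` at the top would cover it. Separately, both handlers assign pti_mode unconditionally, so when `pti=` and `nopti` are both present the result depends only on which one appears later on the command line. It would help to have a comment above the two `early_param()` lines stating the intended precedence.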

In the rare case that both pti= and nopti are set, the existing code seems
to ignore the nopti option. Would the new implementation do the same?

Sohil