There is no way to compile a kernel today with some of the speculative
mitigations disabled. Even if the kernel has
CONFIG_SPECULATION_MITIGATIONS=n, some Intel mitigations, such as MDS, TAA,
MMIO are still enabled and can only be disabled using a kernel parameter.

This patchset creates a way to choose what to enable or disable, and,
get the mitigations disabled if CONFIG_SPECULATION_MITIGATIONS is not
set, as the rest of other mitigations.

Also, we want to print a warning message letting users know that these
mitigations are disabled.

This is a follow up to this discussion: https://lkml.org/lkml/2023/6/12/798

Breno Leitao (3):
  x86/bugs: Create an option to disable MDS
  x86/bugs: Create an option to disable TAA
  x86/bugs: Create an option to disable MMIO vulnerability

 arch/x86/Kconfig           | 31 +++++++++++++++++++++++++++++++
 arch/x86/kernel/cpu/bugs.c | 23 +++++++++++++++++++----
 2 files changed, 50 insertions(+), 4 deletions(-)

--
2.34.1

Breno Leitao <[email protected]> writes:
> There is no way to compile a kernel today with some of the speculative
> mitigations disabled. Even if the kernel has
> CONFIG_SPECULATION_MITIGATIONS=n, some Intel mitigations, such as MDS, TAA,
> MMIO are still enabled and can only be disabled using a kernel parameter.
>
> This patchset creates a way to choose what to enable or disable, and,
> get the mitigations disabled if CONFIG_SPECULATION_MITIGATIONS is not
> set, as the rest of other mitigations.
>
> Also, we want to print a warning message letting users know that these
> mitigations are disabled.
>
> This is a follow up to this discussion: https://lkml.org/lkml/2023/6/12/798
>

Isn't this all roughly equivalent to CONFIG_CMDLINE="mitigations=..." ?

-Andi

On Thu, Jun 15, 2023 at 10:21:55AM -0700, Andi Kleen wrote:
> Breno Leitao <[email protected]> writes:
>
> > There is no way to compile a kernel today with some of the speculative
> > mitigations disabled. Even if the kernel has
> > CONFIG_SPECULATION_MITIGATIONS=n, some Intel mitigations, such as MDS, TAA,
> > MMIO are still enabled and can only be disabled using a kernel parameter.
> >
> > This patchset creates a way to choose what to enable or disable, and,
> > get the mitigations disabled if CONFIG_SPECULATION_MITIGATIONS is not
> > set, as the rest of other mitigations.
> >
> > Also, we want to print a warning message letting users know that these
> > mitigations are disabled.
> >
> > This is a follow up to this discussion: https://lkml.org/lkml/2023/6/12/798
> >
>
> Isn't this all roughly equivalent to CONFIG_CMDLINE="mitigations=..." ?

It is, indeed. But, the main motivation for this patchset is to solve a
consistency problem on our Kconfig. The user would imagine that all
speculative mitigations would be disabled if he passes
CONFIG_SPECULATION_MITIGATIONS=n, but that is not true. The user needs
something else, such as CONFIG_CMDLINE="mitigations=off" or "mds=off".

This patchset gives more consistency to our Kconfig options, and the user
doesn't need to read between the lines.