cpu: Ignore "mitigations" kernel parameter if CPU_MITIGATIONS=n

Explicitly disallow enabling mitigations at runtime for kernels that were built with CONFIG_CPU_MITIGATIONS=n, as some architectures may omit code entirely if mitigations are disabled at compile time. E.g. on x86, a large pile of Kconfigs are buried behind CPU_MITIGATIONS, and trying to provide sane behavior for retroactively enabling mitigations is extremely difficult, bordering on impossible. E.g. page table isolation and call depth tracking require build-time support, BHI mitigations will still be off without additional kernel parameters, etc. [ bp: Touchups. ] Signed-off-by: Sean Christopherson <seanjc@google.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Acked-by: Borislav Petkov (AMD) <bp@alien8.de> Link: https://lore.kernel.org/r/20240420000556.2645001-3-seanjc@google.com
2024-04-19 17:05:55 -07:00 · 2024-04-19 17:05:55 -07:00 · ce0abef6a1
parent fe42754b94
commit ce0abef6a1
4 changed files with 30 additions and 6 deletions
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@ -3423,6 +3423,9 @@
 			arch-independent options, each of which is an
 			aggregation of existing arch-specific options.
 			Note, "mitigations" is supported if and only if the
 			kernel was built with CPU_MITIGATIONS=y.
 			off
 				Disable all optional CPU mitigations.  This
 				improves system performance, but it may also
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@ -2495,9 +2495,13 @@ menuconfig CPU_MITIGATIONS
 	help
 	  Say Y here to enable options which enable mitigations for hardware
 	  vulnerabilities (usually related to speculative execution).
 	  Mitigations can be disabled or restricted to SMT systems at runtime
 	  via the "mitigations" kernel parameter.
-	  If you say N, all mitigations will be disabled. You really
+	  If you say N, all mitigations will be disabled.  This CANNOT be
-	  should know what you are doing to say so.
+	  overridden at runtime.
 	  Say 'Y', unless you really know what you are doing.
 if CPU_MITIGATIONS
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@ -221,7 +221,18 @@ void cpuhp_report_idle_dead(void);
 static inline void cpuhp_report_idle_dead(void) { }
 #endif /* #ifdef CONFIG_HOTPLUG_CPU */
 #ifdef CONFIG_CPU_MITIGATIONS
 extern bool cpu_mitigations_off(void);
 extern bool cpu_mitigations_auto_nosmt(void);
 #else
 static inline bool cpu_mitigations_off(void)
 {
 	return true;
 }
 static inline bool cpu_mitigations_auto_nosmt(void)
 {
 	return false;
 }
 #endif
 #endif /* _LINUX_CPU_H_ */
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@ -3196,6 +3196,7 @@ void __init boot_cpu_hotplug_init(void)
 	this_cpu_write(cpuhp_state.target, CPUHP_ONLINE);
 }
 #ifdef CONFIG_CPU_MITIGATIONS
 /*
 * These are used for a global "mitigations=" cmdline option for toggling
 * optional CPU mitigations.
@ -3206,9 +3207,7 @@ enum cpu_mitigations {
 	CPU_MITIGATIONS_AUTO_NOSMT,
 };
-static enum cpu_mitigations cpu_mitigations __ro_after_init =
+static enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_AUTO;
 	IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
 					     CPU_MITIGATIONS_OFF;
 static int __init mitigations_parse_cmdline(char *arg)
 {
@ -3224,7 +3223,6 @@ static int __init mitigations_parse_cmdline(char *arg)
 	return 0;
 }
 early_param("mitigations", mitigations_parse_cmdline);
 /* mitigations=off */
 bool cpu_mitigations_off(void)
@ -3239,3 +3237,11 @@ bool cpu_mitigations_auto_nosmt(void)
 	return cpu_mitigations == CPU_MITIGATIONS_AUTO_NOSMT;
 }
 EXPORT_SYMBOL_GPL(cpu_mitigations_auto_nosmt);
 #else
 static int __init mitigations_parse_cmdline(char *arg)
 {
 	pr_crit("Kernel compiled without mitigations, ignoring 'mitigations'; system may still be vulnerable\n");
 	return 0;
 }
 #endif
 early_param("mitigations", mitigations_parse_cmdline);