[PATCH 0/2] x86/bugs: Break down mitigations configurations

Breno Leitao posted 2 patches 2 years, 7 months ago
There is a newer version of this series
[PATCH 0/2] x86/bugs: Break down mitigations configurations
Posted by Breno Leitao 2 years, 7 months ago
There is no way to compile a kernel today with some of the speculative
mitigations disabled. Even if the kernel has
CONFIG_SPECULATION_MITIGATIONS=n, some Intel mitigations, such as MDS, TAA,
MMIO are still enabled and can only be disabled using a kernel parameter.

This patchset creates a way to choose what to enable or disable, and
get the mitigations disabled if CONFIG_SPECULATION_MITIGATIONS is not
set, as the rest of the other mitigations.

Also, we want to print a warning message letting users know that these
mitigations are disabled.

This is a follow up to this discussion: https://lkml.org/lkml/2023/6/12/798

Breno Leitao (3):
  x86/bugs: Create an option to disable MDS
  x86/bugs: Create an option to disable TAA
  x86/bugs: Create an option to disable MMIO vulnerability

 arch/x86/Kconfig           | 31 +++++++++++++++++++++++++++++++
 arch/x86/kernel/cpu/bugs.c | 23 +++++++++++++++++++----
 2 files changed, 50 insertions(+), 4 deletions(-)

-- 
2.34.1
Re: [PATCH 0/2] x86/bugs: Break down mitigations configurations
Posted by Andi Kleen 2 years, 7 months ago
Breno Leitao <leitao@debian.org> writes:

> There is no way to compile a kernel today with some of the speculative
> mitigations disabled. Even if the kernel has
> CONFIG_SPECULATION_MITIGATIONS=n, some Intel mitigations, such as MDS, TAA,
> MMIO are still enabled and can only be disabled using a kernel parameter.
>
> This patchset creates a way to choose what to enable or disable, and
> get the mitigations disabled if CONFIG_SPECULATION_MITIGATIONS is not
> set, as the rest of the other mitigations.
>
> Also, we want to print a warning message letting users know that these
> mitigations are disabled.
>
> This is a follow up to this discussion: https://lkml.org/lkml/2023/6/12/798
>

Isn't this all roughly equivalent to CONFIG_CMDLINE="mitigations=..." ?

-Andi
Re: [PATCH 0/2] x86/bugs: Break down mitigations configurations
Posted by Breno Leitao 2 years, 7 months ago
On Thu, Jun 15, 2023 at 10:21:55AM -0700, Andi Kleen wrote:
> Breno Leitao <leitao@debian.org> writes:
> 
> > There is no way to compile a kernel today with some of the speculative
> > mitigations disabled. Even if the kernel has
> > CONFIG_SPECULATION_MITIGATIONS=n, some Intel mitigations, such as MDS, TAA,
> > MMIO are still enabled and can only be disabled using a kernel parameter.
> >
> > This patchset creates a way to choose what to enable or disable, and
> > get the mitigations disabled if CONFIG_SPECULATION_MITIGATIONS is not
> > set, as the rest of the other mitigations.
> >
> > Also, we want to print a warning message letting users know that these
> > mitigations are disabled.
> >
> > This is a follow up to this discussion: https://lkml.org/lkml/2023/6/12/798
> >
> 
> Isn't this all roughly equivalent to CONFIG_CMDLINE="mitigations=..." ?

It is, indeed. But the main motivation for this patchset is to solve a
consistency problem in our Kconfig. The user would imagine that all
speculative mitigations would be disabled if he passes
CONFIG_SPECULATION_MITIGATIONS=n, but that is not true. The user needs
something else, such as CONFIG_CMDLINE="mitigations=off" or "mds=off".

This patchset gives more consistency to our Kconfig options, and the user
doesn't need to read between the lines.
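
A way to check the inconsistency discussed above on a running system, as an added example that is not part of the thread or the patch series: it compares CONFIG_SPECULATION_MITIGATIONS, the boot command line and the state the kernel reports under /sys/devices/system/cpu/vulnerabilities for MDS, TAA and MMIO. The function names, the output format and the default config path /boot/config-$(uname -r) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit MDS/TAA/MMIO mitigation state against Kconfig and cmdline.
# Call: audit_mitigations [CONFIG_FILE] [CMDLINE_FILE] [SYSFS_DIR]

# Prints y, n or unknown for CONFIG_SPECULATION_MITIGATIONS in a kernel config file.
spec_mitigations_config() {
    [ -r "$1" ] || { echo unknown; return; }
    if grep -q '^CONFIG_SPECULATION_MITIGATIONS=y$' "$1"; then echo y; else echo n; fi
}

# Succeeds if the command line in FILE carries "PARAM=off" or "mitigations=off".
cmdline_disables() {
    tr ' ' '\n' < "$1" | grep -qx -e "$2=off" -e 'mitigations=off'
}

# Maps the kernel's sysfs status text to mitigated/vulnerable/not-affected/unknown.
runtime_state() {
    [ -r "$1/$2" ] || { echo unknown; return; }
    case "$(cat "$1/$2")" in
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        "Not affected"*) echo not-affected ;;
        *)               echo unknown ;;
    esac
}

audit_mitigations() {
    # Defaults are assumptions: distro-style config path, live cmdline and sysfs.
    config=${1:-/boot/config-$(uname -r)}
    cmdline=${2:-/proc/cmdline}
    sysfs=${3:-/sys/devices/system/cpu/vulnerabilities}
    kconfig=$(spec_mitigations_config "$config")
    # For these three, the sysfs file and the boot parameter have the same name.
    for name in mds tsx_async_abort mmio_stale_data; do
        state=$(runtime_state "$sysfs" "$name")
        if cmdline_disables "$cmdline" "$name"; then off=yes; else off=no; fi
        note=ok
        # The case from the thread: option built off, mitigation still applied.
        [ "$kconfig" = n ] && [ "$state" = mitigated ] && note=kconfig-off-but-mitigated
        # Whatever the cause, a CPU reported as vulnerable is worth flagging.
        [ "$state" = vulnerable ] && note=unmitigated
        echo "$name kconfig=$kconfig cmdline_off=$off state=$state note=$note"
    done
}
```

Running `audit_mitigations` with no arguments inspects the live system; passing three paths lets it audit a saved config, command line and sysfs snapshot from another host.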
[PATCH 0/2] x86/bugs: Break down mitigations configurations
Posted by Breno Leitao 2 years, 7 months ago
There is no way to compile a kernel today with some of the speculative
mitigations disabled. Even if the kernel has
CONFIG_SPECULATION_MITIGATIONS=n, some Intel mitigations, such as MDS, TAA,
MMIO are still enabled and can only be disabled using a kernel parameter.

This patchset creates a way to choose what to enable or disable, and
get the mitigations disabled if CONFIG_SPECULATION_MITIGATIONS is not
set, as the rest of the other mitigations.

Also, we want to print a warning message letting users know that these
mitigations are disabled.

Breno Leitao (2):
  x86/speculation: Disable mitigations if CONFIG says so
  x86/speculation: Print error when mitigations are disabled

 arch/x86/kernel/cpu/bugs.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

-- 
2.34.1