Add a generic Kconfig, CPU_MITIGATIONS, to control whether or not CPU
mitigations are enabled by default, and force it on for all architectures
except x86. A recent commit to turn mitigations off by default if
SPECULATION_MITIGATIONS=n kinda sorta missed that "cpu_mitigations" is
completely generic, where as SPECULATION_MITIGATIONS is x86 specific.
Alternatively, SPECULATION_MITIGATIONS could simply be defined in common
code, but that creates weirdness for x86 because SPECULATION_MITIGATIONS
ends up being defined twice, and the default behavior would likely depend
on the arbitrary include order (if the two definitions diverged).
Ideally, CPU_MITIGATIONS would be unconditionally on by default for all
architectures, and manually turned off, but there is no way to unselect a
Kconfig.
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Reported-by: Michael Ellerman <mpe@ellerman.id.au>
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
arch/x86/Kconfig | 1 +
drivers/base/Kconfig | 3 +++
kernel/cpu.c | 4 ++--
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 4474bf32d0a4..a0eca6313276 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2490,6 +2490,7 @@ config PREFIX_SYMBOLS
menuconfig SPECULATION_MITIGATIONS
bool "Mitigations for speculative execution vulnerabilities"
+ select CPU_MITIGATIONS
default y
help
Say Y here to enable options which enable mitigations for
diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
index 2b8fd6bb7da0..dab19f15fa57 100644
--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -191,6 +191,9 @@ config GENERIC_CPU_AUTOPROBE
config GENERIC_CPU_VULNERABILITIES
bool
+config CPU_MITIGATIONS
+ def_bool !X86
+
config SOC_BUS
bool
select GLOB
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 07ad53b7f119..bb0ff275fb46 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -3207,8 +3207,8 @@ enum cpu_mitigations {
};
static enum cpu_mitigations cpu_mitigations __ro_after_init =
- IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
- CPU_MITIGATIONS_OFF;
+ IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
+ CPU_MITIGATIONS_OFF;
static int __init mitigations_parse_cmdline(char *arg)
{
--
2.44.0.683.g7961c838ac-googOn Tue, Apr 16, 2024 at 05:15:06PM -0700, Sean Christopherson wrote:
> Add a generic Kconfig, CPU_MITIGATIONS, to control whether or not CPU
> mitigations are enabled by default, and force it on for all architectures
> except x86. A recent commit to turn mitigations off by default if
> SPECULATION_MITIGATIONS=n kinda sorta missed that "cpu_mitigations" is
> completely generic, where as SPECULATION_MITIGATIONS is x86 specific.
>
> Alternatively, SPECULATION_MITIGATIONS could simply be defined in common
> code, but that creates weirdness for x86 because SPECULATION_MITIGATIONS
> ends up being defined twice, and the default behavior would likely depend
> on the arbitrary include order (if the two definitions diverged).
>
> Ideally, CPU_MITIGATIONS would be unconditionally on by default for all
> architectures, and manually turned off, but there is no way to unselect a
> Kconfig.
>
> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
> Reported-by: Michael Ellerman <mpe@ellerman.id.au>
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
> Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
It seems confusing to have two config options which have very similar
names and similar purposes (with subtle differences depending on the
arch).
How about we instead just get rid of the x86-specific
SPECULATION_MITIGATIONS and replace it with a menu which depends on
CPU_MITIGATIONS:
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 4474bf32d0a4..85a4d57bce1e 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2488,17 +2488,8 @@ config PREFIX_SYMBOLS
def_bool y
depends on CALL_PADDING && !CFI_CLANG
-menuconfig SPECULATION_MITIGATIONS
- bool "Mitigations for speculative execution vulnerabilities"
- default y
- help
- Say Y here to enable options which enable mitigations for
- speculative execution hardware vulnerabilities.
-
- If you say N, all mitigations will be disabled. You really
- should know what you are doing to say so.
-
-if SPECULATION_MITIGATIONS
+menu "CPU speculative execution mitigation defaults"
+ depends on CPU_MITIGATIONS
config MITIGATION_PAGE_TABLE_ISOLATION
bool "Remove the kernel mapping in user mode"
@@ -2643,7 +2634,7 @@ config MITIGATION_SPECTRE_BHI
indirect branches.
See <file:Documentation/admin-guide/hw-vuln/spectre.rst>
-endif
+endmenu
config ARCH_HAS_ADD_PAGES
def_bool y
diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
index 2b8fd6bb7da0..70c1e7eb64f0 100644
--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -191,6 +191,16 @@ config GENERIC_CPU_AUTOPROBE
config GENERIC_CPU_VULNERABILITIES
bool
+config CPU_MITIGATIONS
+ bool "Mitigations for CPU speculative execution vulnerabilities"
+ default y
+ help
+ Say Y here to enable mitigations for CPU speculative execution
+ vulnerabilities.
+
+ If you say N, all mitigations will be disabled. You really
+ should know what you are doing to say so.
+
config SOC_BUS
bool
select GLOB
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 07ad53b7f119..bb0ff275fb46 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -3207,8 +3207,8 @@ enum cpu_mitigations {
};
static enum cpu_mitigations cpu_mitigations __ro_after_init =
- IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
- CPU_MITIGATIONS_OFF;
+ IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
+ CPU_MITIGATIONS_OFF;
static int __init mitigations_parse_cmdline(char *arg)
{
Josh Poimboeuf <jpoimboe@kernel.org> writes:
> On Tue, Apr 16, 2024 at 05:15:06PM -0700, Sean Christopherson wrote:
>> Add a generic Kconfig, CPU_MITIGATIONS, to control whether or not CPU
>> mitigations are enabled by default, and force it on for all architectures
>> except x86. A recent commit to turn mitigations off by default if
>> SPECULATION_MITIGATIONS=n kinda sorta missed that "cpu_mitigations" is
>> completely generic, where as SPECULATION_MITIGATIONS is x86 specific.
>>
>> Alternatively, SPECULATION_MITIGATIONS could simply be defined in common
>> code, but that creates weirdness for x86 because SPECULATION_MITIGATIONS
>> ends up being defined twice, and the default behavior would likely depend
>> on the arbitrary include order (if the two definitions diverged).
>>
>> Ideally, CPU_MITIGATIONS would be unconditionally on by default for all
>> architectures, and manually turned off, but there is no way to unselect a
>> Kconfig.
>>
>> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
>> Reported-by: Michael Ellerman <mpe@ellerman.id.au>
>> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
>> Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
>> Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Sean Christopherson <seanjc@google.com>
>
> It seems confusing to have two config options which have very similar
> names and similar purposes (with subtle differences depending on the
> arch).
I agree.
But can we please get Sean's fix into mainline before rc5.
cheers
On Fri, Apr 19, 2024, Josh Poimboeuf wrote:
> On Tue, Apr 16, 2024 at 05:15:06PM -0700, Sean Christopherson wrote:
> > Add a generic Kconfig, CPU_MITIGATIONS, to control whether or not CPU
> > mitigations are enabled by default, and force it on for all architectures
> > except x86. A recent commit to turn mitigations off by default if
> > SPECULATION_MITIGATIONS=n kinda sorta missed that "cpu_mitigations" is
> > completely generic, where as SPECULATION_MITIGATIONS is x86 specific.
> >
> > Alternatively, SPECULATION_MITIGATIONS could simply be defined in common
> > code, but that creates weirdness for x86 because SPECULATION_MITIGATIONS
> > ends up being defined twice, and the default behavior would likely depend
> > on the arbitrary include order (if the two definitions diverged).
> >
> > Ideally, CPU_MITIGATIONS would be unconditionally on by default for all
> > architectures, and manually turned off, but there is no way to unselect a
> > Kconfig.
> >
> > Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
> > Reported-by: Michael Ellerman <mpe@ellerman.id.au>
> > Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> > Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
> > Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Sean Christopherson <seanjc@google.com>
>
> It seems confusing to have two config options which have very similar
> names and similar purposes (with subtle differences depending on the
> arch).
>
> How about we instead just get rid of the x86-specific
> SPECULATION_MITIGATIONS and replace it with a menu which depends on
> CPU_MITIGATIONS:
Huh, didn't realize that was possible.
I agree that having two things for the same thing is confusing, though Boris'
idea to do s/SPECULATION_MITIGATIONS/X86_CPU_MITIGATIONS would help a fair bit
on that front.
My only hesitation is that x86's menu and the common config knob end up in
completely different locations. And AFAICT, the parser doesn't allow sourcing
menu entires from a different file:
init/Kconfig:1959: 'menu' in different file than 'menu'
e.g. we can't declare the menuconfig in common code and then include arch
definitions.
Regardless of whether or not we shuffle things around, CPU_MITIGATIONS really
should be in init/Kconfig, not drivers/base/Kconfig, e.g. so that if we make it
a user-selectable option, it shows up under "General setup" instead of being
buried two layers deep in drivers.
That makes it less hard to find CPU_MITIGATIONS, but I still find it cumbersome
to have to enable CPU_MITIGATIONS, and then go hunting for x86's menu.
On Fri, Apr 19, 2024 at 09:46:58AM -0700, Sean Christopherson wrote: > > It seems confusing to have two config options which have very similar > > names and similar purposes (with subtle differences depending on the > > arch). > > > > How about we instead just get rid of the x86-specific > > SPECULATION_MITIGATIONS and replace it with a menu which depends on > > CPU_MITIGATIONS: > > Huh, didn't realize that was possible. > > I agree that having two things for the same thing is confusing, though Boris' > idea to do s/SPECULATION_MITIGATIONS/X86_CPU_MITIGATIONS would help a fair bit > on that front. > > My only hesitation is that x86's menu and the common config knob end up in > completely different locations. I'm thinking this is a minor issue because CPU_MITIGATIONS is enabled by default, so it should almost always be enabled unless the user disables it, in which case they wouldn't be looking for the x86-specific mitigations anyway. Regardless it seems very common for a menu "depends on" to be in a different file. We could put CPU_MITIGATIONS in arch/Kconfig which is a fairly logical place for the dependency. -- Josh
On Fri, Apr 19, 2024, Josh Poimboeuf wrote: > On Fri, Apr 19, 2024 at 09:46:58AM -0700, Sean Christopherson wrote: > > > It seems confusing to have two config options which have very similar > > > names and similar purposes (with subtle differences depending on the > > > arch). > > > > > > How about we instead just get rid of the x86-specific > > > SPECULATION_MITIGATIONS and replace it with a menu which depends on > > > CPU_MITIGATIONS: > > > > Huh, didn't realize that was possible. > > > > I agree that having two things for the same thing is confusing, though Boris' > > idea to do s/SPECULATION_MITIGATIONS/X86_CPU_MITIGATIONS would help a fair bit > > on that front. > > > > My only hesitation is that x86's menu and the common config knob end up in > > completely different locations. > > I'm thinking this is a minor issue because CPU_MITIGATIONS is enabled by > default, so it should almost always be enabled unless the user disables > it, in which case they wouldn't be looking for the x86-specific > mitigations anyway. Yeah, this isn't a sticking point by any means. Oh, and another hiccup I almost forgot about (I just recalled Geert's report). Letting CPU_MITIGATIONS be disabled for every arch at compile time will obsolete a small amount of kernel code, e.g. arm64 explicitly says "disabled by command line option" in a few places. Those are easy enough to fixup though, but it's not clear that other architectures *want* to allow mitigations to be completely compiled out. x86 appears to be relatively unique in that it has a bajillion different things being mitigated. Rather than making CPU_MITIGATIONS configured for all architectures, what if use another Kconfig to tell common code that arch code has already defined CPU_MITIGATIONS? The big downside is that if another arch does end up letting the user disable CPU_MITIGATIONS, then we'll probably end up duplicating the help text. But again, it's not clear that any other arch wants to allow that, i.e. we can cross that bridge if we come to it. config ARCH_CONFIGURES_CPU_MITIGATIONS bool if !ARCH_CONFIGURES_CPU_MITIGATIONS config CPU_MITIGATIONS def_bool y endif > Regardless it seems very common for a menu "depends on" to be in a > different file. We could put CPU_MITIGATIONS in arch/Kconfig which is a > fairly logical place for the dependency. Yeah, arch/Kconfig is probably better than init/Kconfig. Given that it's late on Friday, I'll somewhat speculatively (ba-dump ching!) post a v2, and Cc Linus to explain the mess so that he can apply it directly if he thinks it's urgent enough to squeeze into -rc5, and if if my idea isn't completely off the rails.
On Tue, Apr 16, 2024 at 05:15:06PM -0700, Sean Christopherson wrote:
> Add a generic Kconfig, CPU_MITIGATIONS, to control whether or not CPU
> mitigations are enabled by default, and force it on for all architectures
> except x86. A recent commit to turn mitigations off by default if
> SPECULATION_MITIGATIONS=n kinda sorta missed that "cpu_mitigations" is
> completely generic, where as SPECULATION_MITIGATIONS is x86 specific.
>
> Alternatively, SPECULATION_MITIGATIONS could simply be defined in common
> code, but that creates weirdness for x86 because SPECULATION_MITIGATIONS
> ends up being defined twice, and the default behavior would likely depend
> on the arbitrary include order (if the two definitions diverged).
>
> Ideally, CPU_MITIGATIONS would be unconditionally on by default for all
> architectures, and manually turned off, but there is no way to unselect a
> Kconfig.
>
> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
> Reported-by: Michael Ellerman <mpe@ellerman.id.au>
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
> Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
> arch/x86/Kconfig | 1 +
> drivers/base/Kconfig | 3 +++
> kernel/cpu.c | 4 ++--
> 3 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 4474bf32d0a4..a0eca6313276 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2490,6 +2490,7 @@ config PREFIX_SYMBOLS
>
> menuconfig SPECULATION_MITIGATIONS
> bool "Mitigations for speculative execution vulnerabilities"
> + select CPU_MITIGATIONS
> default y
> help
> Say Y here to enable options which enable mitigations for
> diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> index 2b8fd6bb7da0..dab19f15fa57 100644
> --- a/drivers/base/Kconfig
> +++ b/drivers/base/Kconfig
> @@ -191,6 +191,9 @@ config GENERIC_CPU_AUTOPROBE
> config GENERIC_CPU_VULNERABILITIES
> bool
>
> +config CPU_MITIGATIONS
> + def_bool !X86
> +
> config SOC_BUS
> bool
> select GLOB
> diff --git a/kernel/cpu.c b/kernel/cpu.c
> index 07ad53b7f119..bb0ff275fb46 100644
> --- a/kernel/cpu.c
> +++ b/kernel/cpu.c
> @@ -3207,8 +3207,8 @@ enum cpu_mitigations {
> };
>
> static enum cpu_mitigations cpu_mitigations __ro_after_init =
> - IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
> - CPU_MITIGATIONS_OFF;
> + IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
> + CPU_MITIGATIONS_OFF;
>
> static int __init mitigations_parse_cmdline(char *arg)
> {
> --
> 2.44.0.683.g7961c838ac-goog
Thanks, Sean!
Acked-by: Will Deacon <will@kernel.org>
Will
On Wed, Apr 17, 2024 at 2:15 AM Sean Christopherson <seanjc@google.com> wrote:
> Add a generic Kconfig, CPU_MITIGATIONS, to control whether or not CPU
> mitigations are enabled by default, and force it on for all architectures
> except x86. A recent commit to turn mitigations off by default if
> SPECULATION_MITIGATIONS=n kinda sorta missed that "cpu_mitigations" is
> completely generic, where as SPECULATION_MITIGATIONS is x86 specific.
>
> Alternatively, SPECULATION_MITIGATIONS could simply be defined in common
> code, but that creates weirdness for x86 because SPECULATION_MITIGATIONS
> ends up being defined twice, and the default behavior would likely depend
> on the arbitrary include order (if the two definitions diverged).
>
> Ideally, CPU_MITIGATIONS would be unconditionally on by default for all
> architectures, and manually turned off, but there is no way to unselect a
> Kconfig.
>
> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
> Reported-by: Michael Ellerman <mpe@ellerman.id.au>
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
> Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
Sean Christopherson <seanjc@google.com> writes:
> Add a generic Kconfig, CPU_MITIGATIONS, to control whether or not CPU
> mitigations are enabled by default, and force it on for all architectures
> except x86. A recent commit to turn mitigations off by default if
> SPECULATION_MITIGATIONS=n kinda sorta missed that "cpu_mitigations" is
> completely generic, where as SPECULATION_MITIGATIONS is x86 specific.
>
> Alternatively, SPECULATION_MITIGATIONS could simply be defined in common
> code, but that creates weirdness for x86 because SPECULATION_MITIGATIONS
> ends up being defined twice, and the default behavior would likely depend
> on the arbitrary include order (if the two definitions diverged).
>
> Ideally, CPU_MITIGATIONS would be unconditionally on by default for all
> architectures, and manually turned off, but there is no way to unselect a
> Kconfig.
>
> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
> Reported-by: Michael Ellerman <mpe@ellerman.id.au>
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
> Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
Thanks for fixing it up.
Tested-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
cheers
© 2016 - 2026 Red Hat, Inc.