On non-x86 architectures, CONFIG_CPU_MITIGATIONS is currently controlled
indirectly via ARCH_CONFIGURES_CPU_MITIGATIONS, leaving no way for users
to disable mitigations at build time. This forces mitigations to be
enabled even in trusted or performance-critical environments where they
are unnecessary.

Introduce a user-visible Kconfig option for CONFIG_CPU_MITIGATIONS,
defaulting to 'y' for safety, but allowing it to be set to 'n' when
desired. This provides consistent configurability across all
architectures while preserving the default secure behavior.

Signed-off-by: Can Peng <pengcan@kylinos.cn>
---
 arch/Kconfig | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index d1b4ffd6e085..b0ef0cc412eb 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -14,7 +14,18 @@ config ARCH_CONFIGURES_CPU_MITIGATIONS
 
 if !ARCH_CONFIGURES_CPU_MITIGATIONS
 config CPU_MITIGATIONS
-	def_bool y
+	bool "Mitigations for CPU vulnerabilities"
+	default y
+	help
+	  Say Y here to enable options which enable mitigations for hardware
+	  vulnerabilities (usually related to speculative execution).
+	  Mitigations can be disabled or restricted to SMT systems at runtime
+	  via the "mitigations" kernel parameter.
+
+	  If you say N, all mitigations will be disabled.  This CANNOT be
+	  overridden at runtime.
+
+	  Say 'Y', unless you really know what you are doing.
 endif
 
 #
-- 
2.25.1