archive mirror
 help / color / mirror / Atom feed
From: Breno Leitao <>
Subject: [RFC PATCH] cpu/bugs: Disable CPU mitigations at compilation time
Date: Thu,  2 Feb 2023 10:08:58 -0800	[thread overview]
Message-ID: <> (raw)

Right now it is not possible to disable CPU vulnerabilities mitigations
at build time. Mitigation needs to be disabled passing kernel
parameters, such as 'mitigations=off'.

This patch creates an easy way to disable mitigation during compilation
time (CONFIG_DEFAULT_CPU_MITIGATIONS_OFF), so, insecure kernel users don't
need to deal with kernel parameters when booting insecure kernels.

Signed-off-by: Breno Leitao <>
 kernel/cpu.c     |  5 +++++
 security/Kconfig | 11 +++++++++++
 2 files changed, 16 insertions(+)

diff --git a/kernel/cpu.c b/kernel/cpu.c
index 6c0a92ca6bb5..497e9a3d3d77 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2727,8 +2727,13 @@ enum cpu_mitigations {
+static enum cpu_mitigations cpu_mitigations __ro_after_init =
 static enum cpu_mitigations cpu_mitigations __ro_after_init =
 static int __init mitigations_parse_cmdline(char *arg)
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..a70427dc6ace 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -258,6 +258,17 @@ config LSM
 	  If unsure, leave this as the default.
+	bool "Disable mitigations for CPU vulnerabilities by default"
+	default n
+	help
+	  This option disable mitigations for CPU vulnerabilities by default.
+	  This improves system performance, but it may also expose users
+	  to several CPU vulnerabilities.
+	  This has the same effect as passing `mitigations=off` kernel
+	  parameter. The mitigations could be enabled back passing the
+	  'mitigations' parameter.
 source "security/Kconfig.hardening"

             reply	other threads:[~2023-02-02 18:09 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-02 18:08 Breno Leitao [this message]
2023-02-02 21:44 ` [RFC PATCH] cpu/bugs: Disable CPU mitigations at compilation time Pawan Gupta
2023-02-03 12:04   ` Breno Leitao

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).