x86/speculation: Support 'mitigations=' cmdline option

author Josh Poimboeuf <jpoimboe@redhat.com>

Fri, 12 Apr 2019 20:39:29 +0000 (15:39 -0500)

committer Thomas Gleixner <tglx@linutronix.de>

Wed, 17 Apr 2019 19:37:28 +0000 (21:37 +0200)
author Josh Poimboeuf <jpoimboe@redhat.com>
Fri, 12 Apr 2019 20:39:29 +0000 (15:39 -0500)
committer Thomas Gleixner <tglx@linutronix.de>
Wed, 17 Apr 2019 19:37:28 +0000 (21:37 +0200)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt

index 720ffa9c4e04b6ecfd468184f1284938f0cb6393..779ddeb2929cc0342b9905aeadbe49d6b3611416 100644 (file)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2514,15 +2514,20 @@
                         http://repo.or.cz/w/linux-2.6/mini2440.git
  
         mitigations=
-                       Control optional mitigations for CPU vulnerabilities.
-                       This is a set of curated, arch-independent options, each
-                       of which is an aggregation of existing arch-specific
-                       options.
+                       [X86] Control optional mitigations for CPU
+                       vulnerabilities.  This is a set of curated,
+                       arch-independent options, each of which is an
+                       aggregation of existing arch-specific options.
  
                         off
                                 Disable all optional CPU mitigations.  This
                                 improves system performance, but it may also
                                 expose users to several CPU vulnerabilities.
+                               Equivalent to: nopti [X86]
+                                              nospectre_v2 [X86]
+                                              spectre_v2_user=off [X86]
+                                              spec_store_bypass_disable=off [X86]
+                                              l1tf=off [X86]
  
                         auto (default)
                                 Mitigate all CPU vulnerabilities, but leave SMT
@@ -2530,12 +2535,13 @@
                                 users who don't want to be surprised by SMT
                                 getting disabled across kernel upgrades, or who
                                 have other ways of avoiding SMT-based attacks.
-                               This is the default behavior.
+                               Equivalent to: (default behavior)
  
                         auto,nosmt
                                 Mitigate all CPU vulnerabilities, disabling SMT
                                 if needed.  This is for users who always want to
                                 be fully mitigated, even if it means losing SMT.
+                               Equivalent to: l1tf=flush,nosmt [X86]
  
         mminit_loglevel=
                         [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c

index 01874d54f4fd955d4e16b8fcf0c76d81112eddb7..435c078c29483abcc9dcc4589a238477b98f7eb5 100644 (file)
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -440,7 +440,8 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
         char arg[20];
         int ret, i;
  
-       if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
+       if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
+           cpu_mitigations_off())
                 return SPECTRE_V2_CMD_NONE;
  
         ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
@@ -672,7 +673,8 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
         char arg[20];
         int ret, i;
  
-       if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
+       if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
+           cpu_mitigations_off()) {
                 return SPEC_STORE_BYPASS_CMD_NONE;
         } else {
                 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
@@ -996,6 +998,11 @@ static void __init l1tf_select_mitigation(void)
         if (!boot_cpu_has_bug(X86_BUG_L1TF))
                 return;
  
+       if (cpu_mitigations_off())
+               l1tf_mitigation = L1TF_MITIGATION_OFF;
+       else if (cpu_mitigations_auto_nosmt())
+               l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
+
         override_cache_bits(&boot_cpu_data);
  
         switch (l1tf_mitigation) {
diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c

index 4fee5c3003ed78ab9566fe92f09e0d14968c9865..5890f09bfc1959e6f3b48e72511e33d75c75b2c1 100644 (file)
--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -35,6 +35,7 @@
  #include <linux/spinlock.h>
  #include <linux/mm.h>
  #include <linux/uaccess.h>
+#include <linux/cpu.h>
  
  #include <asm/cpufeature.h>
  #include <asm/hypervisor.h>
@@ -115,7 +116,8 @@ void __init pti_check_boottime_disable(void)
                 }
         }
  
-       if (cmdline_find_option_bool(boot_command_line, "nopti")) {
+       if (cmdline_find_option_bool(boot_command_line, "nopti") ||
+           cpu_mitigations_off()) {
                 pti_mode = PTI_FORCE_OFF;
                 pti_print_if_insecure("disabled on command line.");
                 return;
author	Josh Poimboeuf <jpoimboe@redhat.com>
	Fri, 12 Apr 2019 20:39:29 +0000 (15:39 -0500)
committer	Thomas Gleixner <tglx@linutronix.de>
	Wed, 17 Apr 2019 19:37:28 +0000 (21:37 +0200)
Documentation/admin-guide/kernel-parameters.txt		patch \| blob \| history
arch/x86/kernel/cpu/bugs.c		patch \| blob \| history
arch/x86/mm/pti.c		patch \| blob \| history