Instead of having to pass 'mitigations=off' on the kernel command line,
add a config option that has a similar effect.
Adding this makes it easier to disable mitigations in scenarios where
you cannot modify the command line or are unable to pass a command line
while booting.
Signed-off-by: Pranith Kumar <bobby.pr...@gmail.com>
---
kernel/cpu.c | 2 +-
security/Kconfig | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 6ff2578ecf17..584eb39585d6 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2542,7 +2542,7 @@ early_param("mitigations", mitigations_parse_cmdline);
/* mitigations=off */
bool cpu_mitigations_off(void)
{
- return cpu_mitigations == CPU_MITIGATIONS_OFF;
+ return cpu_mitigations == CPU_MITIGATIONS_OFF ||
IS_ENABLED(CONFIG_DISABLE_MITIGATIONS);
}
EXPORT_SYMBOL_GPL(cpu_mitigations_off);
diff --git a/security/Kconfig b/security/Kconfig
index cd3cc7da3a55..90b8e9c89a6d 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -65,6 +65,14 @@ config PAGE_TABLE_ISOLATION
See Documentation/x86/pti.rst for more details.
+config DISABLE_MITIGATIONS
+ bool "Disable kernel security mitigations"
+ default n
+ help
+ This turns off the kernel security mitigations. This is
+ equivalent to passing 'mitigations=off' on the kernel
+ command line.
+
config SECURITY_INFINIBAND
bool "Infiniband Security Hooks"
depends on SECURITY && INFINIBAND
--
2.27.0
