Instead of having to pass 'mitigations=off' on the kernel command line, add a config option that has a similar effect.
Adding this makes it easier to disable mitigations in scenarios where you cannot modify the command line or are unable to pass a command line while booting. Signed-off-by: Pranith Kumar <bobby.pr...@gmail.com> --- kernel/cpu.c | 2 +- security/Kconfig | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/kernel/cpu.c b/kernel/cpu.c index 6ff2578ecf17..584eb39585d6 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -2542,7 +2542,7 @@ early_param("mitigations", mitigations_parse_cmdline); /* mitigations=off */ bool cpu_mitigations_off(void) { - return cpu_mitigations == CPU_MITIGATIONS_OFF; + return cpu_mitigations == CPU_MITIGATIONS_OFF || IS_ENABLED(CONFIG_DISABLE_MITIGATIONS); } EXPORT_SYMBOL_GPL(cpu_mitigations_off); diff --git a/security/Kconfig b/security/Kconfig index cd3cc7da3a55..90b8e9c89a6d 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -65,6 +65,14 @@ config PAGE_TABLE_ISOLATION See Documentation/x86/pti.rst for more details. +config DISABLE_MITIGATIONS + bool "Disable kernel security mitigations" + default n + help + This turns off the kernel security mitigations. This is + equivalent to passing 'mitigations=off' on the kernel + command line. + config SECURITY_INFINIBAND bool "Infiniband Security Hooks" depends on SECURITY && INFINIBAND -- 2.27.0
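Review bot: In the kernel/cpu.c hunk, the added `|| IS_ENABLED(CONFIG_DISABLE_MITIGATIONS)` makes cpu_mitigations_off() return true regardless of what the `mitigations=` early_param handler stored in cpu_mitigations, so a kernel built with this option cannot have mitigations turned back on from the command line. That is stronger than the "similar effect" the commit message describes and is not the same as booting with 'mitigations=off', which only sets the value for that boot. Consider having the config option select the initial value of cpu_mitigations instead, so an explicit `mitigations=` parameter still takes precedence when one can be passed. The modified return line also runs past 80 columns and would read better wrapped.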
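Review bot: In the security/Kconfig hunk, the help text for DISABLE_MITIGATIONS says only that it "turns off the kernel security mitigations" and gives no indication of the risk or scope. The symbol it feeds is cpu_mitigations_off(), so the prompt and help should say these are the CPU vulnerability mitigations, state that enabling it leaves the system exposed to those vulnerabilities, and note that with the kernel/cpu.c change as posted the setting cannot be overridden at boot. A recommendation such as "If unsure, say N" would match what users expect from an option with this effect. The `default n` line is redundant, since a bool option without a default is already n, and can be dropped.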