Proposed Linux Patch Would Allow Disabling CPU Security Mitigations At Build-Time
  • Proposed Linux Patch Would Allow Disabling CPU Security Mitigations At Build-Time

    Phoronix: Proposed Linux Patch Would Allow Disabling CPU Security Mitigations At Build-Time

    A proposed Linux kernel patch would provide a new Kconfig build time option of "CONFIG_DEFAULT_CPU_MITIGATIONS_OFF" to build an insecure kernel if wanting to avoid the growing list of CPU security mitigations within the kernel and their associated performance overhead...


  • #2
    Been there, done that.
    But it's nice to have a knob.

    --- kernel/cpu.c~ 2023-01-24 07:24:44.000000000 +0100
    +++ kernel/cpu.c 2023-01-27 09:31:41.128476738 +0100
    @@ -2727,7 +2727,7 @@
    };

    static enum cpu_mitigations cpu_mitigations __ro_after_init =
    - CPU_MITIGATIONS_AUTO;
    + CPU_MITIGATIONS_OFF;

    static int __init mitigations_parse_cmdline(char *arg)
    {
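    Review bot: nothing in this hunk makes the new default conditional, so every kernel built from this tree starts with cpu_mitigations = CPU_MITIGATIONS_OFF and depends on the administrator passing mitigations= on the command line to get the mitigations back; tie the initializer to a Kconfig symbol (the CONFIG_DEFAULT_CPU_MITIGATIONS_OFF the thread is discussing), e.g. `IS_ENABLED(CONFIG_DEFAULT_CPU_MITIGATIONS_OFF) ? CPU_MITIGATIONS_OFF : CPU_MITIGATIONS_AUTO`, so CPU_MITIGATIONS_AUTO remains the default unless explicitly selected. The `kernel/cpu.c~` header also shows this is a diff against a local backup copy rather than a git-format patch, so it would need regenerating before it could be applied with the usual -p1.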



  • #3
    I'm sure Torvalds will be welcoming and appreciative towards this PR.



  • #4
    Are boot arguments really that hard to set? Anyone who doesn't know how probably shouldn't be disabling the mitigations, anyway.



  • #5
    Boot parameters are less work than building the kernel anew, I would say. However, that way you could provide an "insecure" kernel as a package where you do not need to apply a patch but just set a config option (which would be guaranteed to work, whereas a patch could need tweaking for each new kernel release).



  • #6
    But what is CONFIG_SPECULATION_MITIGATIONS for?



  • #7
    Originally posted by EphemeralEft:
        Are boot arguments really that hard to set? Anyone who doesn't know how probably shouldn't be disabling the mitigations, anyway.

    I have the opposite opinion. In the longer term, it might be better to also hardcode the desired mitigations instead of having n! different combinations to be dynamically selected, which increases the size of the kernel.



  • #8
    I propose for CPU manufacturers to produce CPUs that don't need any mitigations...



  • #9
    I think this patch is complete nonsense. If you want to disable mitigations, just pass the boot parameter. It's not like the patch disables compiling in the mitigations to reduce code size, it just flips the default to insecure.

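    A kernel whose default was flipped at build time looks no different in /proc/cmdline, so checking for a mitigations= parameter alone is not enough; the sysfs vulnerability files tell you what the running kernel actually does. The script below is an added example, not code from the thread or from the patch, and assumes the standard /proc/cmdline and /sys/devices/system/cpu/vulnerabilities/ layout; it runs here against constructed sample files.

```sh
#!/bin/sh
# Added example (not from the thread or the patch): audit whether a kernel runs
# with its CPU mitigations disabled. A build-time default such as the proposed
# CONFIG_DEFAULT_CPU_MITIGATIONS_OFF leaves no mitigations= token in
# /proc/cmdline, so the sysfs vulnerability files are the authoritative check.
# Assumed layout: /proc/cmdline and /sys/devices/system/cpu/vulnerabilities/.

# Print the last mitigations= value found in a cmdline file, or "unset".
mitigations_cmdline() {
    tr ' ' '\n' < "$1" | sed -n 's/^mitigations=//p' | tail -n 1 | grep . \
        || echo unset
}

# Print "<name>: <status>" for every file in a vulnerabilities directory whose
# status starts with "Vulnerable"; return 1 if any was found, 0 otherwise.
list_vulnerable() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) echo "$(basename "$f"): $status"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample data standing in for a kernel whose build-time default
# was flipped: no mitigations= on the command line, yet sysfs reports
# Vulnerable for two issues.
demo=$(mktemp -d)
mkdir "$demo/vulnerabilities"
printf 'Mitigation: usercopy/swapgs barriers\n' > "$demo/vulnerabilities/spectre_v1"
printf 'Vulnerable\n' > "$demo/vulnerabilities/spectre_v2"
printf 'Vulnerable: Clear CPU buffers attempted, no microcode\n' > "$demo/vulnerabilities/mds"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet\n' > "$demo/cmdline"

echo "cmdline mitigations=: $(mitigations_cmdline "$demo/cmdline")"
if list_vulnerable "$demo/vulnerabilities"; then
    echo "all mitigations active"
else
    echo "mitigations disabled without a mitigations=off boot parameter"
fi
rm -r "$demo"
```

    On a live system, call the two functions with /proc/cmdline and /sys/devices/system/cpu/vulnerabilities instead of the constructed directory.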


  • #10
    While this is a reasonable option to add, last time I checked it is actually possible to disable most mitigations at build time through flags, e.g. CONFIG_RETPOLINE.
