-rw-r--r--Documentation/admin-guide/kernel-parameters.txt16
-rw-r--r--arch/x86/kernel/cpu/bugs.c11
-rw-r--r--arch/x86/mm/pti.c4
3 files changed, 23 insertions, 8 deletions
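diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 720ffa9c4e04..779ddeb2929c 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2514,15 +2514,20 @@
 http://repo.or.cz/w/linux-2.6/mini2440.git
 
 mitigations=
-Control optional mitigations for CPU vulnerabilities.
-This is a set of curated, arch-independent options, each
-of which is an aggregation of existing arch-specific
-options.
+[X86] Control optional mitigations for CPU
+vulnerabilities. This is a set of curated,
+arch-independent options, each of which is an
+aggregation of existing arch-specific options.
 
 off
 Disable all optional CPU mitigations. This
 improves system performance, but it may also
 expose users to several CPU vulnerabilities.
+Equivalent to: nopti [X86]
+nospectre_v2 [X86]
+spectre_v2_user=off [X86]
+spec_store_bypass_disable=off [X86]
+l1tf=off [X86]
 
 auto (default)
 Mitigate all CPU vulnerabilities, but leave SMT
@@ -2530,12 +2535,13 @@
 users who don't want to be surprised by SMT
 getting disabled across kernel upgrades, or who
 have other ways of avoiding SMT-based attacks.
-This is the default behavior.
+Equivalent to: (default behavior)
 
 auto,nosmt
 Mitigate all CPU vulnerabilities, disabling SMT
 if needed. This is for users who always want to
 be fully mitigated, even if it means losing SMT.
+Equivalent to: l1tf=flush,nosmt [X86]
 
 mminit_loglevel=
 [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this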
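diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 01874d54f4fd..435c078c2948 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -440,7 +440,8 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
 char arg[20];
 int ret, i;
 
-if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
+if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
+cpu_mitigations_off())
 return SPECTRE_V2_CMD_NONE;
 
 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
@@ -672,7 +673,8 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
 char arg[20];
 int ret, i;
 
-if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
+if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
+cpu_mitigations_off()) {
 return SPEC_STORE_BYPASS_CMD_NONE;
 } else {
 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
@@ -996,6 +998,11 @@ static void __init l1tf_select_mitigation(void)
 if (!boot_cpu_has_bug(X86_BUG_L1TF))
 return;
 
+if (cpu_mitigations_off())
+l1tf_mitigation = L1TF_MITIGATION_OFF;
+else if (cpu_mitigations_auto_nosmt())
+l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
+
 override_cache_bits(&boot_cpu_data);
 
 switch (l1tf_mitigation) {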
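Review bot: In l1tf_select_mitigation() the added `cpu_mitigations_off()` / `cpu_mitigations_auto_nosmt()` branch assigns `l1tf_mitigation` unconditionally, so it appears to overwrite whatever an explicit `l1tf=` option set earlier (that parser is outside the hunk). If so, booting with `mitigations=auto,nosmt l1tf=full,force` would end at `L1TF_MITIGATION_FLUSH_NOSMT`, a weaker setting than the administrator asked for, with nothing in the boot log to say the explicit option was ignored. The same precedence shows in spectre_v2_parse_cmdline() and ssb_parse_cmdline(), where `cpu_mitigations_off()` returns before the specific option is read. I would state the rule where it is applied, e.g. `/* mitigations= takes precedence over an explicit l1tf= value */`, and repeat it under `mitigations=` in kernel-parameters.txt, or else have the global switch yield when a per-vulnerability option is present. All three function bodies continue outside their hunks.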
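diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
index 4fee5c3003ed..5890f09bfc19 100644
--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -35,6 +35,7 @@
 #include <linux/spinlock.h>
 #include <linux/mm.h>
 #include <linux/uaccess.h>
+#include <linux/cpu.h>
 
 #include <asm/cpufeature.h>
 #include <asm/hypervisor.h>
@@ -115,7 +116,8 @@ void __init pti_check_boottime_disable(void)
 }
 }
 
-if (cmdline_find_option_bool(boot_command_line, "nopti")) {
+if (cmdline_find_option_bool(boot_command_line, "nopti") ||
+cpu_mitigations_off()) {
 pti_mode = PTI_FORCE_OFF;
 pti_print_if_insecure("disabled on command line.");
 return;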
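Review bot: The `cpu_mitigations_off()` test in pti_check_boottime_disable() sits after the two closing braces at new lines 116-117, which presumably end the `pti=` option handling above the hunk. If that handling returns early, an explicit `pti=on` would still win over `mitigations=off` here, whereas in bugs.c the global switch is checked before `spectre_v2=` and `spec_store_bypass_disable=` are read. That asymmetry should be either made consistent or documented at this check, e.g. `/* mitigations=off acts like nopti; an explicit pti= option handled above takes precedence */`, once the intended order is confirmed. The function starts and ends outside the hunk.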