[PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Breno Leitao]

Right now it is not possible to disable CPU vulnerabilities mitigations
at build time. Mitigation needs to be disabled passing kernel
parameters, such as 'mitigations=off'.

Create a new config option (CONFIG_CPU_MITIGATIONS_DEFAULT_OFF) that
sets the global variable `cpu_mitigations` to OFF, instead of AUTO. This
allows the creation of kernel binaries that boots with the CPU
mitigations turned off by default, and does not require dealing kernel
parameters.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
 kernel/cpu.c     |  7 +++++--
 security/Kconfig | 11 +++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/kernel/cpu.c b/kernel/cpu.c
index 6c0a92ca6bb5..90afb29eb62f 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2727,8 +2727,11 @@ enum cpu_mitigations {
 	CPU_MITIGATIONS_AUTO_NOSMT,
 };
 
-static enum cpu_mitigations cpu_mitigations __ro_after_init =
-	CPU_MITIGATIONS_AUTO;
+#ifdef CONFIG_CPU_MITIGATIONS_DEFAULT_OFF
+static enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_OFF;
+#else
+static enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_AUTO;
+#endif
 
 static int __init mitigations_parse_cmdline(char *arg)
 {
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..644f91b6c26a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -258,6 +258,17 @@ config LSM
 
 	  If unsure, leave this as the default.
 
+config CPU_MITIGATIONS_DEFAULT_OFF
+	bool "Disable mitigations for CPU vulnerabilities by default"
+	default n
+	help
+	  This option disables mitigations for CPU vulnerabilities by default.
+	  Disabling CPU mitigations improves system performance,
+	  but it may also expose users to several CPU vulnerabilities.
+	  This option has the same effect of passing `mitigations=off` kernel
+	  parameter. The CPU mitigations could be enabled back using the
+	  'mitigations' parameter.
+
 source "security/Kconfig.hardening"
 
 endmenu
-- 
2.30.2

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Fri, Feb 03, 2023 at 04:06:15AM -0800, Breno Leitao wrote:
> Right now it is not possible to disable CPU vulnerabilities mitigations
> at build time. Mitigation needs to be disabled passing kernel
> parameters, such as 'mitigations=off'.
> 
> Create a new config option (CONFIG_CPU_MITIGATIONS_DEFAULT_OFF) that
> sets the global variable `cpu_mitigations` to OFF, instead of AUTO. This
> allows the creation of kernel binaries that boots with the CPU
> mitigations turned off by default, and does not require dealing kernel
> parameters.

What's the real-life use case for this?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

RE: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[David Laight]

From: Borislav Petkov
> Sent: 09 June 2023 18:34
> 
> On Fri, Feb 03, 2023 at 04:06:15AM -0800, Breno Leitao wrote:
> > Right now it is not possible to disable CPU vulnerabilities mitigations
> > at build time. Mitigation needs to be disabled passing kernel
> > parameters, such as 'mitigations=off'.
> >
> > Create a new config option (CONFIG_CPU_MITIGATIONS_DEFAULT_OFF) that
> > sets the global variable `cpu_mitigations` to OFF, instead of AUTO. This
> > allows the creation of kernel binaries that boots with the CPU
> > mitigations turned off by default, and does not require dealing kernel
> > parameters.
> 
> What's the real-life use case for this?

I can definitely justify compiling them all out.
For instance embedded systems with limited userspace and
(pretty much) everything running as root.

Compiling them out gives better code than patching them out
during boot.
I've stopped updating an LTS kernel because I really don't
want/need any of the mitigations - especially the ones
associated with 'ret' instructions.
They are far more pervasive than the ones for indirect jumps.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Mon, Jun 12, 2023 at 11:22:15AM +0000, David Laight wrote:
> I can definitely justify compiling them all out.
> For instance embedded systems with limited userspace and
> (pretty much) everything running as root.

Nothing's stopping you from adding "mitigations=off" to your grub
config.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

RE: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[David Laight]

From: Borislav Petkov
> Sent: 12 June 2023 12:52
> 
> On Mon, Jun 12, 2023 at 11:22:15AM +0000, David Laight wrote:
> > I can definitely justify compiling them all out.
> > For instance embedded systems with limited userspace and
> > (pretty much) everything running as root.
> 
> Nothing's stopping you from adding "mitigations=off" to your grub
> config.

I do (and I compile without page table separation),
but some of the run-time patched versions are not as 'good'
as compiling the code out.
It might just be some nops, but maybe it is worse.
This can be particularly true for new mitigations.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Mon, Jun 12, 2023 at 12:16:19PM +0000, David Laight wrote:
> I do (and I compile without page table separation),
> but some of the run-time patched versions are not as 'good'
> as compiling the code out.
> It might just be some nops, but maybe it is worse.

"might", schmight, ... other statements without proof...

If you want me to take you seriously, explain in detail the problem.
Otherwise, I can keep on ignoring you.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Thomas Gleixner]

On Fri, Feb 03 2023 at 04:06, Breno Leitao wrote:
> Right now it is not possible to disable CPU vulnerabilities mitigations
> at build time. Mitigation needs to be disabled passing kernel
> parameters, such as 'mitigations=off'.
>
> Create a new config option (CONFIG_CPU_MITIGATIONS_DEFAULT_OFF) that
> sets the global variable `cpu_mitigations` to OFF, instead of AUTO. This
> allows the creation of kernel binaries that boots with the CPU
> mitigations turned off by default, and does not require dealing kernel
> parameters.

Why? What's the justification

Just because we do not have not enough kernel config items yet, does not
count.

Thanks,

        tglx

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Breno Leitao]

On Sun, Jun 11, 2023 at 12:37:34AM +0200, Thomas Gleixner wrote:
> On Fri, Feb 03 2023 at 04:06, Breno Leitao wrote:
> > Right now it is not possible to disable CPU vulnerabilities mitigations
> > at build time. Mitigation needs to be disabled passing kernel
> > parameters, such as 'mitigations=off'.
> >
> > Create a new config option (CONFIG_CPU_MITIGATIONS_DEFAULT_OFF) that
> > sets the global variable `cpu_mitigations` to OFF, instead of AUTO. This
> > allows the creation of kernel binaries that boots with the CPU
> > mitigations turned off by default, and does not require dealing kernel
> > parameters.
> 
> Why? What's the justification

There are two major justification from my point of view:

1) We keep consistency with other CONFIG options. Linux already has a
CONFIG option to enable/disable mitigations for speculations
(CONFIG_SPECULATION_MITIGATIONS), so, this will be a similar one.

2) There are companies that have different kernel flavours (different
CONFIG options basically), for different type of workloads, and a
machine can change their kernel flavors a few times a day.  I.e, for
a specifically workload, boots in flavor X since it works the best.
Mitigation enabled/disabled is key to some of these flavors.

I would like to see a flavor as self-contained in a binary that I can
mix and match. Right not they are not, since for some kernel
flavours, you need to add kernel command lines (mitigations=off), which
requires some hard logic, mainly when you are dealing with kexec and
grub.

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Mon, Jun 12, 2023 at 05:54:56AM -0700, Breno Leitao wrote:
> 1) We keep consistency with other CONFIG options. Linux already has a
> CONFIG option to enable/disable mitigations for speculations
> (CONFIG_SPECULATION_MITIGATIONS), so, this will be a similar one.

So you can get what you want by disabling all those options there,
right?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Breno Leitao]

On Mon, Jun 12, 2023 at 03:32:30PM +0200, Borislav Petkov wrote:
> On Mon, Jun 12, 2023 at 05:54:56AM -0700, Breno Leitao wrote:
> > 1) We keep consistency with other CONFIG options. Linux already has a
> > CONFIG option to enable/disable mitigations for speculations
> > (CONFIG_SPECULATION_MITIGATIONS), so, this will be a similar one.
> 
> So you can get what you want by disabling all those options there,
> right?

This patch proposes creating CONFIG_CPU_MITIGATIONS_DEFAULT_OFF that
will turn all the mitigations off in a binary, which is the same as
passing mitigations=off in the command line when the kernel boots.

Setting CONFIG_SPECULATION_MITIGATIONS=n does *not* disable all the
mitigations, as, there are some mitigations that are *not* disabled when
you pass CONFIG_SPECULATION_MITIGATIONS=n. As an example (from my
memory - need to double check in 6.4), MDS and TAA mitigations are not
disabled when CONFIG_SPECULATION_MITIGATIONS=n. MDS and TAA mitigations
are disabled when `mitigations=off` parameter is passed, tho.

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Mon, Jun 12, 2023 at 06:46:16AM -0700, Breno Leitao wrote:
> MDS and TAA mitigations are disabled when `mitigations=off` parameter
> is passed, tho.

So add them to that menu.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Breno Leitao]

On Mon, Jun 12, 2023 at 03:53:01PM +0200, Borislav Petkov wrote:
> On Mon, Jun 12, 2023 at 06:46:16AM -0700, Breno Leitao wrote:
> > MDS and TAA mitigations are disabled when `mitigations=off` parameter
> > is passed, tho.
> 
> So add them to that menu.

Sorry, to waht menu specifically?

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Mon, Jun 12, 2023 at 07:16:18AM -0700, Breno Leitao wrote:
> Sorry, to waht menu specifically?

CONFIG_SPECULATION_MITIGATIONS

It even has the proper text in there, warning people.

menuconfig SPECULATION_MITIGATIONS
        bool "Mitigations for speculative execution vulnerabilities"
        default y
        help
          Say Y here to enable options which enable mitigations for
          speculative execution hardware vulnerabilities.

          If you say N, all mitigations will be disabled. You really
          should know what you are doing to say so.


-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Breno Leitao]

On Mon, Jun 12, 2023 at 06:08:07PM +0200, Borislav Petkov wrote:
> On Mon, Jun 12, 2023 at 07:16:18AM -0700, Breno Leitao wrote:
> > Sorry, to waht menu specifically?
> 
> CONFIG_SPECULATION_MITIGATIONS
> 
> It even has the proper text in there, warning people.
> 
> menuconfig SPECULATION_MITIGATIONS
>         bool "Mitigations for speculative execution vulnerabilities"
>         default y
>         help
>           Say Y here to enable options which enable mitigations for
>           speculative execution hardware vulnerabilities.

I am not sure if these bugs (MDS, TAA) are speculations related. Pawan
could help us here.

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Mon, Jun 12, 2023 at 09:37:07AM -0700, Breno Leitao wrote:
> I am not sure if these bugs (MDS, TAA) are speculations related. Pawan
> could help us here.

"Microarchitectural Data Sampling is a hardware vulnerability which allows
unprivileged speculative access..."

"TAA is a hardware vulnerability that allows unprivileged speculative
access to data which is available in various CPU..."

That's all in the tree.

Your grep no workie?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Breno Leitao]

On Mon, Jun 12, 2023 at 07:05:32PM +0200, Borislav Petkov wrote:
> On Mon, Jun 12, 2023 at 09:37:07AM -0700, Breno Leitao wrote:
> > I am not sure if these bugs (MDS, TAA) are speculations related. Pawan
> > could help us here.
> 
> "Microarchitectural Data Sampling is a hardware vulnerability which allows
> unprivileged speculative access..."
> 
> "TAA is a hardware vulnerability that allows unprivileged speculative
> access to data which is available in various CPU..."

 Is it OK if I send a patch that would disable these mitigations if
CONFIG_SPECULATION_MITIGATIONS is set to "no"?

Thank you!

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Tue, Jun 13, 2023 at 09:02:50AM -0700, Breno Leitao wrote:
>  Is it OK if I send a patch that would disable these mitigations if
> CONFIG_SPECULATION_MITIGATIONS is set to "no"?

Isn't this the direction we're going to?

So yes, I was suggesting exactly that - add those mitigations to that
submenu so that they can be controlled with config options too, like the
others.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Thomas Gleixner]

On Mon, Jun 12 2023 at 09:37, Breno Leitao wrote:
> On Mon, Jun 12, 2023 at 06:08:07PM +0200, Borislav Petkov wrote:
>> On Mon, Jun 12, 2023 at 07:16:18AM -0700, Breno Leitao wrote:
>> > Sorry, to waht menu specifically?
>> 
>> CONFIG_SPECULATION_MITIGATIONS
>> 
>> It even has the proper text in there, warning people.
>> 
>> menuconfig SPECULATION_MITIGATIONS
>>         bool "Mitigations for speculative execution vulnerabilities"
>>         default y
>>         help
>>           Say Y here to enable options which enable mitigations for
>>           speculative execution hardware vulnerabilities.
>
> I am not sure if these bugs (MDS, TAA) are speculations related. Pawan
> could help us here.

 https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html

might answer your question.

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Randy Dunlap]

On 6/12/23 09:08, Borislav Petkov wrote:
> On Mon, Jun 12, 2023 at 07:16:18AM -0700, Breno Leitao wrote:
>> Sorry, to waht menu specifically?
> 
> CONFIG_SPECULATION_MITIGATIONS
> 
> It even has the proper text in there, warning people.
> 
> menuconfig SPECULATION_MITIGATIONS
>         bool "Mitigations for speculative execution vulnerabilities"
>         default y
>         help
>           Say Y here to enable options which enable mitigations for
>           speculative execution hardware vulnerabilities.
> 
>           If you say N, all mitigations will be disabled. You really
>           should know what you are doing to say so.

I would say:                         doing to say No.

Was there a typo there?

thanks.
-- 
~Randy

Re: [PATCH] cpu/bugs: Disable CPU mitigations at compilation time

[Borislav Petkov]

On Mon, Jun 12, 2023 at 11:06:35AM -0700, Randy Dunlap wrote:
> >           If you say N, all mitigations will be disabled. You really
> >           should know what you are doing to say so.
> 
> I would say:                         doing to say No.
> 
> Was there a typo there?

I don't think so - it reads right to me this way too. Yours would simply
make it more explicit but the "so" is the "N" at the beginning of the
sentence:

"You really should know what you're doing to say so, i.e., the N".

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette