kconfig: allow setting default cpu mitigations

Allow the kernel builder to set the default cpu mitigation level.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>

2 files changed, 34 insertions, 0 deletions

diff --git a/kernel/Kconfig.preempt b/kernel/Kconfig.preempt
index 5876e30c5740..c34b775e844e 100644
--- a/kernel/Kconfig.preempt
+++ b/kernel/Kconfig.preempt
@@ -1,6 +1,34 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 choice
+	prompt "CPU Vulnerability Mitigation Defaults"
+	default CPU_MITIGATIONS_AUTO
+	help
+	  Set the level of CPU security vulnerability mitigations that are
+	  applied by default.  These can still be overridden by command line
+	  options at boot time.
+
+config CPU_MITIGATIONS_OFF
+	bool "No CPU mitigations"
+	help
+	  Disable all CPU mitigations.  This restores performance to pre-2018
+	  levels on old hardware but leaves your system at risk.
+
+config CPU_MITIGATIONS_AUTO
+	bool "Automatic CPU mitigations"
+	help
+	  Turn on whatever CPU mitigations are necessary for the booted CPUs.
+	  Leave SMT enabled.
+
+config CPU_MITIGATIONS_AUTO_NOSMT
+	bool "Automatic CPU mitigations, disable SMT"
+	help
+	  Turn on whatever CPU mitigations are necessary for the booted CPUs.
+	  Disable SMT unconditionally.
+
+endchoice
+
+choice
 	prompt "Preemption Model"
 	default PREEMPT_NONE
 
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 804b847912dc..902c734970ea 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2652,7 +2652,13 @@ enum cpu_mitigations {
 };
 
 static enum cpu_mitigations cpu_mitigations __ro_after_init =
+#ifdef CONFIG_CPU_MITIGATIONS_OFF
+	CPU_MITIGATIONS_OFF;
+#elif defined CONFIG_CPU_MITIGATIONS_AUTO
 	CPU_MITIGATIONS_AUTO;
+#elif defined CONFIG_CPU_MITIGATIONS_AUTO_NOSMT
+	CPU_MITIGATIONS_AUTO_NOSMT;
+#endif
 
 static int __init mitigations_parse_cmdline(char *arg)
 {