Message-ID: <c0aed6a4-23e0-d947-5c17-26e580d5c40a@intel.com>
Date: Tue, 8 Aug 2023 17:13:12 -0700
From: Sohil Mehta <sohil.mehta@...el.com>
To: Jo Van Bulck <jo.vanbulck@...kuleuven.be>,
<linux-kernel@...r.kernel.org>, <dave.hansen@...ux.intel.com>,
<luto@...nel.org>, <peterz@...radead.org>, <mingo@...hat.com>
CC: <x86@...nel.org>, <bp@...en8.de>, <tglx@...utronix.de>,
<hpa@...or.com>
Subject: Re: [PATCH RESEND] x86/pti: Fix kernel warnings for pti= and nopti
cmdline options.
On 8/8/2023 12:56 PM, Jo Van Bulck wrote:
> -
> - if (cmdline_find_option_bool(boot_command_line, "nopti") ||
> - cpu_mitigations_off()) {
> + if (pti_mode == PTI_FORCE_OFF || cpu_mitigations_off()) {
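Review bot: in the new condition `pti_mode == PTI_FORCE_OFF || cpu_mitigations_off()`, the cpu_mitigations_off() test is evaluated before the `pti_mode == PTI_FORCE_ON` check further down, so a boot with pti=on and mitigations off takes this branch, sets pti_mode to PTI_FORCE_OFF and returns without enabling PTI. If an explicit pti=on is meant to win, limit the mitigations test to the auto case, for example `pti_mode == PTI_AUTO && cpu_mitigations_off()`, and state the intended precedence in a comment or the commit message.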
Can mitigations be off through some other mechanisms such as kernel config?
Maybe split the mitigations_off check into a separate if and its own
unique print message?
The existing code might have the same issue as well.
Also, with the separated check you can avoid the unnecessary re-setting
of pti_mode when pti_mode == PTI_FORCE_OFF is true.
> pti_mode = PTI_FORCE_OFF;> pti_print_if_insecure("disabled on command line.");
> return;
> }
>
> -autosel:
> - if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
> + if (pti_mode == PTI_AUTO && !boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
> return;
> -enable:
> +
> + if (pti_mode == PTI_FORCE_ON)
> + pti_print_if_secure("force enabled on command line.");
> setup_force_cpu_cap(X86_FEATURE_PTI);
> }
>
> +static int __init pti_parse_cmdline(char *arg)
> +{
> + if (!strcmp(arg, "off"))
> + pti_mode = PTI_FORCE_OFF;
> + else if (!strcmp(arg, "on"))
> + pti_mode = PTI_FORCE_ON;
> + else if (!strcmp(arg, "auto"))
> + pti_mode = PTI_AUTO;
> + else
> + return -EINVAL;
> + return 0;
> +}
> +early_param("pti", pti_parse_cmdline);
> +
> +static int __init pti_parse_cmdline_nopti(char *arg)
> +{
> + pti_mode = PTI_FORCE_OFF;
> + return 0;
> +}
> +early_param("nopti", pti_parse_cmdline_nopti);
> +
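Review bot: pti_parse_cmdline() passes arg straight to strcmp() with no NULL check; early_param handlers are called with a NULL argument when the option is given without `=value`, so a bare `pti` on the command line would dereference NULL here. Add `if (!arg) return -EINVAL;` at the top of the function. Separately, both handlers assign pti_mode unconditionally, so when pti= and nopti are both present the one parsed last wins; that ordering rule deserves a sentence in the commit message.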
In the rare case that both pti= and nopti are set the existing code seems
to ignore the nopti option. Would the new implementation do the same?
Sohil