Debian developer Breno Leitao has proposed a Linux kernel patch that would allow developers to disable CPU security mitigations at compile time.
CPU mitigations are an important cybersecurity measure, protecting users against Spectre, Meltdown, and other vulnerabilities. These protections come at a cost, however, and some users disable them to achieve maximum performance from their machines. Unfortunately, those users have no easy way to disable the mitigations at compile time, and have to rely on kernel parameters instead.
Leitao, who also serves as a kernel engineer at Meta, proposed the change on the kernel mailing list:
Right now it is not possible to disable CPU vulnerability mitigations at build time. Mitigations need to be disabled by passing kernel parameters, such as ‘mitigations=off’.
This patch creates an easy way to disable mitigations at compilation time (CONFIG_DEFAULT_CPU_MITIGATIONS_OFF), so insecure-kernel users don’t need to deal with kernel parameters when booting insecure kernels.
As Phoronix highlights, most users would do well to leave the CPU security mitigations in place. However, there may be cases where it is relatively safe to disable them, such as when a computer has no internet access.
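Whether mitigations were dropped at build time with the proposed option or at boot with mitigations=off, the running kernel reports the result the same way. As an added example (not part of the article or of Leitao's patch), the following POSIX shell script audits that state: it reads the per-vulnerability status files Linux exposes under /sys/devices/system/cpu/vulnerabilities/ (each holds one line starting "Not affected", "Mitigation: ..." or "Vulnerable") and checks /proc/cmdline for mitigations=off. The function names and the constructed fixture data are this example's own; the fixture lets it run on hosts without that sysfs interface.

```shell
#!/bin/sh
# Added example: audit CPU-vulnerability mitigation status on a Linux host.
# Not from the article or the kernel patch; function names are this example's own.

# audit_mitigations VULN_DIR CMDLINE_FILE
# Prints one line per vulnerability file. Returns 0 when every entry reads
# "Not affected" or "Mitigation: ..." and mitigations=off is absent from the
# command line; returns 1 otherwise.
audit_mitigations() {
    vuln_dir=$1
    cmdline_file=$2
    rc=0
    # Split the command line on spaces and look for the exact parameter.
    if [ -r "$cmdline_file" ] && tr ' ' '\n' < "$cmdline_file" | grep -qx 'mitigations=off'; then
        echo "WARNING: kernel booted with mitigations=off"
        rc=1
    fi
    for f in "$vuln_dir"/*; do
        [ -f "$f" ] || continue          # empty or missing directory
        name=$(basename "$f")
        status=$(cat "$f")
        case $status in
            "Not affected"*|"Mitigation:"*) echo "ok       $name: $status" ;;
            *)                              echo "EXPOSED  $name: $status"; rc=1 ;;
        esac
    done
    return $rc
}

# make_fixture DIR
# Constructed sample data shaped like the real sysfs files and /proc/cmdline,
# so the audit can be exercised offline. Values are invented for illustration.
make_fixture() {
    dir=$1
    mkdir -p "$dir/vulnerabilities"
    printf 'Not affected\n' > "$dir/vulnerabilities/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' \
        > "$dir/vulnerabilities/spectre_v1"
    printf 'Vulnerable\n' > "$dir/vulnerabilities/spectre_v2"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 mitigations=off\n' > "$dir/cmdline"
}

# Audit the real host when the interface exists (pass --demo to force the
# fixture); otherwise run against the constructed fixture.
if [ -d /sys/devices/system/cpu/vulnerabilities ] && [ "${1:-}" != "--demo" ]; then
    audit_mitigations /sys/devices/system/cpu/vulnerabilities /proc/cmdline \
        || echo "audit: at least one mitigation is missing on this kernel"
else
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    audit_mitigations "$tmp/vulnerabilities" "$tmp/cmdline" \
        || echo "audit: fixture kernel is running with mitigations missing (expected)"
    rm -rf "$tmp"
fi
```

Run it as `sh audit.sh` on the host to be checked, or `sh audit.sh --demo` to see the fixture output. A kernel built with the proposed option shows up the same way as one booted with mitigations=off: "Vulnerable" entries for the affected issues, which is the line a fleet check should alert on.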