kernel: extend rh_waived to cope better with the CVE mitigations case

JIRA: https://issues.redhat.com/browse/RHEL-122981

This patch is a backport of the following RHEL-only commit:
commit 77bb95c34bd75769a4e4d1c706cee2521bf7c455
Author: Ricardo Robaina <rrobaina@redhat.com>
Date:   Thu Oct 23 13:17:35 2025 -0300

    kernel: extend rh_waived to cope better with the CVE mitigations case

    JIRA: https://issues.redhat.com/browse/RHEL-122979

    This patch is a backport of the following RHEL-only commit:
    commit 022786346d6e09c70b647046231e0ac5d4af6f57
    Author: Rafael Aquini <raquini@redhat.com>
    Date:   Mon Oct 20 17:13:33 2025 -0400

        kernel: extend rh_waived to cope better with the CVE mitigations case

        JIRA: https://issues.redhat.com/browse/RHEL-120391
        Upstream status: RHEL-only

        Introduce the concept of "Waived Items" to the rh_waived original
        machinery so we can leverage the mechanism to allow customers waiving
        off issues other then just features, like performance impacting CVE
        mitigations, through the same interface in a consistent manner.

        Signed-off-by: Rafael Aquini <raquini@redhat.com>

    Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>

Author: rprobaina

Documentation/admin-guide/kernel-parameters.txt

@@ -5735,12 +5735,15 @@
 			Set number of hash buckets for route cache
 
 	rh_waived=
-			Enable waived features in RHEL.
+			Enable waived items in RHEL.
 
-			Waived features are disabled by default in RHEL, this parameter
-			provides support to enable such features, as needed.
+			Some specific features, or security mitigations, can be
+			waived (toggled on/off) on demand in RHEL.  However,
+			waiving any of these items should be used judiciously,
+			as it generally means the system might end up being
+			considered insecure or even out-of-scope for support.
 
-			Format: <feat-1>,<feat-2>...<feat-n>
+			Format: <item-1>,<item-2>...<item-n>
 
 			Use 'rh_waived' to enable all waived features listed at
 			Documentation/admin-guide/rh-waived-features.rst

Documentation/admin-guide/rh-waived-features.rst

@@ -0,0 +1,29 @@
+.. _rh_waived_items:
+
+====================
+Red Hat Waived Items
+====================
+
+Waived Items is a mechanism offered by Red Hat which allows customers to "waive"
+and utilize features that are not enabled by default as these are considered as
+unmaintained, insecure, rudimentary, or deprecated, but are shipped with the
+RHEL kernel for customer's convinience only.
+Waived Items can range from features that can be enabled on demand to specific
+security mitigations that can be disabled on demand.
+
+To explicitly "waive" any of these items, RHEL offers the ``rh_waived``
+kernel boot parameter. To allow set of waived items, append
+``rh_waived=<item name>,...,<item name>`` to the kernel
+cmdline.
+Appending ``rh_waived=features`` will waive all features listed below,
+and appending ``rh_waived=cves`` will waive all security mitigations
+listed below.
+
+The waived items listed in the next session follow the pattern below:
+
+- item name
+        item description
+
+List of Red Hat Waived Items
+============================
+

Documentation/admin-guide/rh-waived-items.rst

@@ -9,11 +9,11 @@
 #ifndef _RH_WAIVED_H
 #define _RH_WAIVED_H
 
-enum rh_waived_feat {
-	/* RH_WAIVED_FEAT_ITEMS must always be the last item in the enum */
-	RH_WAIVED_FEAT_ITEMS,
+enum rh_waived_items {
+	/* RH_WAIVED_ITEMS must always be the last item in the enum */
+	RH_WAIVED_ITEMS,
 };
 
-bool is_rh_waived(enum rh_waived_feat feat);
+bool is_rh_waived(enum rh_waived_items feat);
 
 #endif /* _RH_WAIVED_H */

include/linux/rh_waived.h

@@ -17,72 +17,115 @@
 #include <linux/rh_waived.h>
 
 /*
- * RH_INSERT_WAIVED_FEAT
+ * * RH_INSERT_WAIVED_ITEM
  *   This macro is intended to be used to insert items into the
- *   rh_waived_feat_list array. It expects to get an item from
- *   enum rh_waived_feat as its first argument, and a string
+ *   rh_waived_list array. It expects to get an item from
+ *   enum rh_waived_items as its first argument, and a string
  *   holding the feature name as its second argument.
  *
  *   The feature name is also utilized as the token for the
  *   boot parameter parser.
  *
  *   Example usage:
- *   struct rh_waived_feat_item foo[RH_WAIVED_FEAT_ITEMS] = {
- *   	RH_INSERT_WAIVED_FEAT(FOO_FEAT, "foo_feat_short_str"),
+ *   struct rh_waived_item foo[RH_WAIVED_FEAT_ITEMS] = {
+ *     RH_INSERT_WAIVED_ITEM(FOO_FEAT, "foo_feat_short_str", "alias", RH_WAIVED_FEAT),
  *   };
  */
-#define RH_INSERT_WAIVED_FEAT(enum_item, name) \
-	[(enum_item)] = {.feat_name = (name), .enabled = 0,}
+#define RH_INSERT_WAIVED_ITEM(enum_item, item, item_alt, class)                \
+       [(enum_item)] = { .name = (item), .alias = (item_alt),          \
+                         .type = (class), .waived = 0, }
 
 /* Indicates if the rh_flag 'rh_waived' should be added. */
 bool __initdata add_rh_flag = false;
 
-struct rh_waived_feat_item {
-	char *feat_name;
-	unsigned int enabled;
+typedef enum {
+       RH_WAIVED_FEAT,
+       RH_WAIVED_CVE,
+       RH_WAIVED_ANY
+} rh_waived_t;
+
+struct rh_waived_item {
+       char *name, *alias;
+       rh_waived_t type;
+       unsigned int waived;
+
 };
 
-/* Always use the marco RH_INSERT_WAIVED_FEAT to insert items to this array. */
-struct rh_waived_feat_item rh_waived_feat_list[RH_WAIVED_FEAT_ITEMS] = {
+/* Always use the marco RH_INSERT_WAIVED to insert items to this array. */
+struct rh_waived_item rh_waived_list[RH_WAIVED_ITEMS] = {
 };
 
 /*
- * is_rh_waived() - Checks if a given waived feature has been enabled.
+ * is_rh_waived() - Checks if a given item has been marked as waived.
  *
- * @feat: waived feature.
+ * @item: waived item.
  */
-__inline__ bool is_rh_waived(enum rh_waived_feat feat)
+__inline__ bool is_rh_waived(enum rh_waived_items item)
 {
-	return !!rh_waived_feat_list[feat].enabled;
+	return !!rh_waived_list[item].waived;
 }
 EXPORT_SYMBOL(is_rh_waived);
 
-static int __init rh_waived_setup(char *s)
+static void __init rh_waived_parser(char *s, rh_waived_t type)
 {
 	int i;
 	char *token;
 
 	pr_info(KERN_CONT "rh_waived: ");
 
 	if (!s) {
-		for (i = 0; i < RH_WAIVED_FEAT_ITEMS; i++) {
-			rh_waived_feat_list[i].enabled = 1;
-			pr_info(KERN_CONT "%s%s", rh_waived_feat_list[i].feat_name,
-				i < RH_WAIVED_FEAT_ITEMS - 1 ? " " : "\n");
+		for (i = 0; i < RH_WAIVED_ITEMS; i++) {
+			if (type != RH_WAIVED_ANY && rh_waived_list[i].type != type)
+				continue;
+
+			rh_waived_list[i].waived = 1;
+			pr_info(KERN_CONT "%s%s", rh_waived_list[i].name,
+				i < RH_WAIVED_ITEMS - 1 ? " " : "\n");
 		}
+
+		add_rh_flag = true;
+		return;
 	}
 
 	while ((token = strsep(&s, ",")) != NULL) {
-		for (i = 0; i < RH_WAIVED_FEAT_ITEMS; i++) {
-			if (!strcmp(token, rh_waived_feat_list[i].feat_name)) {
-				rh_waived_feat_list[i].enabled = 1;
-				pr_info(KERN_CONT "%s%s", rh_waived_feat_list[i].feat_name,
-					i < RH_WAIVED_FEAT_ITEMS - 1 ? " " : "\n");
+		for (i = 0; i < RH_WAIVED_ITEMS; i++) {
+			char *alias = rh_waived_list[i].alias;
+
+			if (type != RH_WAIVED_ANY && rh_waived_list[i].type != type)
+				continue;
+
+			if (!strcmp(token, rh_waived_list[i].name) ||
+			    (alias && !strcmp(token, alias))) {
+				rh_waived_list[i].waived = 1;
+				pr_info(KERN_CONT "%s ", rh_waived_list[i].name);
 			}
 		}
 	}
 
+	pr_info(KERN_CONT "\n");
 	add_rh_flag = true;
+}
+
+static int __init rh_waived_setup(char *s)
+{
+	/*
+	 * originally, if no string was passed to the cmdline option
+	 * all listed features would be waived, so we keep that same
+	 * compromise with the new contract.
+	 */
+	if (!s || !strcmp(s, "features")) {
+		rh_waived_parser(NULL, RH_WAIVED_FEAT);
+		return 0;
+	}
+
+	/* waive all possible mitigations in the list */
+	if (!strcmp(s, "cves")) {
+		rh_waived_parser(NULL, RH_WAIVED_CVE);
+		return 0;
+	}
+
+	/* otherwise, just deal with the enumerated waive list */
+	rh_waived_parser(s, RH_WAIVED_ANY);
 
 	return 0;
 }