From: Matt Parnell <mparnell@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: linux-security-module@vger.kernel.org, dhowells@redhat.com,
	matthew.garrett@nebula.com
Subject: Re: [PATCH] Kernel Lockdown: Add an option to allow raw MSR access even, in confidentiality mode.
Date: Mon, 2 Dec 2019 12:29:05 -0600
Message-ID: <96625b06-3bba-6831-7127-22b690fccf1b@gmail.com>
In-Reply-To: <f988a531-a7f8-cef6-d3b4-6fbd89f5351f@gmail.com>

After doing some research it appears that for Intel chips, only a single
register needs to be writable. I'm not sure about AMD etc.

intel-undervolt/blob/master/config.h:

    #define MSR_ADDR_TEMPERATURE 0x1a2   /* MSR_TEMPERATURE_TARGET: TCC activation / TjMax offset */
    #define MSR_ADDR_UNITS 0x606         /* MSR_RAPL_POWER_UNIT: power, energy and time unit scaling */
    #define MSR_ADDR_VOLTAGE 0x150       /* overclocking (OC) mailbox used for voltage offsets */

Perhaps add an MSR whitelist to allow writing, if
LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=Y and
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=Y?

CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is likely what prevents AppArmor or
some other LSM policy manager from allowing this behavior...

So doing it as an option at build time would be more sensible?

On 12/1/19 2:53 PM, Matt Parnell wrote:
> That is, I was intending to use lockdown from boot, which isn't
> changeable after the fact if I'm not mistaken. How possible is granular
> control of what is and is not locked down?
>
> On 11/30/19 1:09 PM, Matt Parnell wrote:
>> I can see how using a policy would be beneficial; I only did this
>> because as I understood it, policy wouldn't be able to change these
>> particular settings since anything attempting to do so would be from
>> userspace.
>>
>> On 11/30/19 12:36 PM, Kees Cook wrote:
>>> On Sat, Nov 30, 2019 at 12:49:48AM -0600, Matt Parnell wrote:
>>>> From 452b8460e464422d268659a8abb93353a182f8c8 Mon Sep 17 00:00:00 2001
>>>> From: Matt Parnell <mparnell@gmail.com>
>>>> Date: Sat, 30 Nov 2019 00:44:09 -0600
>>>> Subject: [PATCH] Kernel Lockdown: Add an option to allow raw MSR access even
>>>>  in confidentiality mode.
>>>>
>>>> For Intel CPUs, some of the MDS mitigations utilize the new "flush" MSR, and
>>>> while this isn't something normally used in userspace, it does cause false
>>>> positives for the "Foreshadow" vulnerability.
>>>>
>>>> Additionally, Intel CPUs use MSRs for voltage and frequency controls,
>>>> which in many cases is useful for undervolting to avoid excess heat.
>>>>
>>>> Signed-off-by: Matt Parnell <mparnell@gmail.com>
>>> I would expect this to just be implemented via LSM policy, not ifdefs
>>> and Kconfig?
>>>
>>> -Kees
>>>
>>>> ---
>>>>  arch/x86/kernel/msr.c     |  5 ++++-
>>>>  security/lockdown/Kconfig | 12 ++++++++++++
>>>>  2 files changed, 16 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
>>>> index 1547be359d7f..4adce59455c3 100644
>>>> --- a/arch/x86/kernel/msr.c
>>>> +++ b/arch/x86/kernel/msr.c
>>>> @@ -80,10 +80,11 @@ static ssize_t msr_write(struct file *file, const
>>>> char __user *buf,
>>>>      int err = 0;
>>>>      ssize_t bytes = 0;
>>>>  
>>>> +#if defined(LOCK_DOWN_DENY_RAW_MSR)
>>>>      err = security_locked_down(LOCKDOWN_MSR);
>>>>      if (err)
>>>>          return err;
>>>> -
>>>> +#endif
>>>>      if (count % 8)
>>>>          return -EINVAL;    /* Invalid chunk size */
>>>>  
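Review bot: `#if defined(LOCK_DOWN_DENY_RAW_MSR)` tests the bare Kconfig symbol name, but Kconfig exports symbols to C as `CONFIG_<name>`, so this condition is never true and the `security_locked_down(LOCKDOWN_MSR)` call is compiled out in every configuration, including the `default y` case the Kconfig hunk intends to keep it enabled in. Use `if (IS_ENABLED(CONFIG_LOCK_DOWN_DENY_RAW_MSR))` around the existing three lines instead of a preprocessor block; that keeps the code compiled either way and avoids dropping the blank line this hunk removes after the check.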
>>>> @@ -135,9 +136,11 @@ static long msr_ioctl(struct file *file, unsigned
>>>> int ioc, unsigned long arg)
>>>>              err = -EFAULT;
>>>>              break;
>>>>          }
>>>> +#if defined(LOCK_DOWN_DENY_RAW_MSR)
>>>>          err = security_locked_down(LOCKDOWN_MSR);
>>>>          if (err)
>>>>              break;
>>>> +#endif
>>>>          err = wrmsr_safe_regs_on_cpu(cpu, regs);
>>>>          if (err)
>>>>              break;
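Review bot: same symbol-name problem as in msr_write(): `defined(LOCK_DOWN_DENY_RAW_MSR)` never holds, so `wrmsr_safe_regs_on_cpu()` is reached with no lockdown gate at all, and even with the name fixed, answering N removes the only check between userspace and an arbitrary MSR write, which is precisely what the confidentiality mode promises to block. If an escape hatch is kept in this path it should be narrowed to the specific registers the undervolting and mitigation-check use cases need, not every ioctl write, and the same narrowing should be applied to msr_write() so the two paths stay consistent.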
>>>> diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
>>>> index e84ddf484010..f4fe72c4bf8f 100644
>>>> --- a/security/lockdown/Kconfig
>>>> +++ b/security/lockdown/Kconfig
>>>> @@ -44,4 +44,16 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
>>>>       code to read confidential material held inside the kernel are
>>>>       disabled.
>>>>  
>>>> +config LOCK_DOWN_DENY_RAW_MSR
>>>> +    bool "Lock down and deny raw MSR access"
>>>> +    depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
>>>> +    default y
>>>> +    help
>>>> +      Some Intel based systems require raw MSR access to use the flush
>>>> +      MSR for MDS mitigation confirmation. Raw access can also be used
>>>> +      to undervolt many Intel CPUs.
>>>> +
>>>> +      Say Y to prevent access or N to allow raw MSR access for such
>>>> +      cases.
>>>> +
>>>>  endchoice
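Review bot: the new `config` block is inserted before `endchoice`, inside the lockdown-mode `choice`, so it becomes another mutually exclusive mode entry next to LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY rather than a sub-option of it; move it after `endchoice` so the `depends on` line has the intended effect. The help text should also say plainly that answering N makes lockdown stop gating MSR writes entirely, and "MDS mitigation confirmation" should state what is being confirmed and by which tool, since this is an Intel-specific workaround exposed under a generic option name.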
>>>> -- 
>>>> 2.24.0
>>>>
>>>>
>>>
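The allowlist Matt suggests above, modelled on the msr_write() path the patch gates, as an added example that is neither kernel code nor from this thread. It assumes an allowlist holding only the 0x150 mailbox MSR (the thread does not say which register must stay writable) and stands a recording `fake_wrmsr()` in for `wrmsr_safe_on_cpu()` so it runs without hardware:

```c
/* Added user-space model of the msr_write() gate from this thread plus the
 * suggested allowlist. Not kernel code; the allowlist contents are assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
enum lockdown_mode { LOCKDOWN_NONE, LOCKDOWN_INTEGRITY, LOCKDOWN_CONFIDENTIALITY };
#define MSR_ADDR_VOLTAGE 0x150   /* from intel-undervolt config.h */

/* Hypothetical allowlist: MSRs that stay writable while locked down. */
static const uint32_t msr_write_allowlist[] = { MSR_ADDR_VOLTAGE };

static bool msr_write_allowed(uint32_t reg, enum lockdown_mode mode)
{
    if (mode == LOCKDOWN_NONE)
        return true;
    for (size_t i = 0; i < sizeof msr_write_allowlist / sizeof *msr_write_allowlist; i++)
        if (msr_write_allowlist[i] == reg)
            return true;
    return false;                /* integrity and confidentiality both deny */
}

/* Stand-in for wrmsr_safe_on_cpu(): records the value instead of touching hardware. */
static uint64_t last_written;
static int fake_wrmsr(uint32_t reg, uint32_t lo, uint32_t hi)
{
    (void)reg;
    last_written = ((uint64_t)hi << 32) | lo;
    return 0;
}

/* Same contract as msr_write(): lockdown gate first, count must be a multiple of 8,
 * each 8-byte chunk (host order, like copy_from_user()) is one wrmsr of `reg`. */
static ssize_t model_msr_write(uint32_t reg, const uint8_t *buf, size_t count,
                               enum lockdown_mode mode)
{
    int err = 0;
    ssize_t bytes = 0;
    if (!msr_write_allowed(reg, mode))
        return -EPERM;           /* what security_locked_down() returns */
    if (count % 8)
        return -EINVAL;          /* invalid chunk size */
    for (; count; count -= 8, buf += 8) {
        uint32_t data[2];
        memcpy(data, buf, 8);
        if ((err = fake_wrmsr(reg, data[0], data[1])))
            break;
        bytes += 8;
    }
    return bytes ? bytes : err;  /* bytes written, else the errno */
}
```

Under either lockdown mode a write to 0x1a2 is refused with -EPERM while 0x150 goes through, which is the per-register behaviour the thread asks for instead of the patch's all-or-nothing switch.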
