From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752501AbdJTSKA (ORCPT ); Fri, 20 Oct 2017 14:10:00 -0400 Received: from www.llwyncelyn.cymru ([82.70.14.225]:54724 "EHLO fuzix.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751028AbdJTSJ6 (ORCPT ); Fri, 20 Oct 2017 14:09:58 -0400 Date: Fri, 20 Oct 2017 19:09:39 +0100 From: Alan Cox To: David Howells Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, matthew.garrett@nebula.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jforbes@redhat.com Subject: Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down Message-ID: <20171020190939.569cedd2@alans-desktop> In-Reply-To: <150842472452.7923.2592278090192179002.stgit@warthog.procyon.org.uk> References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <150842472452.7923.2592278090192179002.stgit@warthog.procyon.org.uk> Organization: Intel Corporation X-Mailer: Claws Mail 3.14.1 (GTK+ 2.24.31; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 19 Oct 2017 15:52:04 +0100 David Howells wrote: > From: Matthew Garrett > > Writing to MSRs should not be allowed if the kernel is locked down, since > it could lead to execution of arbitrary code in kernel mode. Based on a > patch by Kees Cook. There are a load of standard tools that use this so I think you are going to need a whitelist. Can you at least log *which* MSR in the failing case so a whitelist can be built over time ? Alan From mboxrd@z Thu Jan 1 00:00:00 1970 From: gnomes@lxorguk.ukuu.org.uk (Alan Cox) Date: Fri, 20 Oct 2017 19:09:39 +0100 Subject: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down In-Reply-To: <150842472452.7923.2592278090192179002.stgit@warthog.procyon.org.uk> References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <150842472452.7923.2592278090192179002.stgit@warthog.procyon.org.uk> Message-ID: <20171020190939.569cedd2@alans-desktop> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Thu, 19 Oct 2017 15:52:04 +0100 David Howells wrote: > From: Matthew Garrett > > Writing to MSRs should not be allowed if the kernel is locked down, since > it could lead to execution of arbitrary code in kernel mode. Based on a > patch by Kees Cook. There are a load of standard tools that use this so I think you are going to need a whitelist. Can you at least log *which* MSR in the failing case so a whitelist can be built over time ? Alan -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html