Linux-Security-Module Archive on lore.kernel.org
From: Matt Parnell <mparnell@gmail.com>
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, matthew.garrett@nebula.com, keescook@chromium.org
Subject: [PATCH] Kernel Lockdown: Add an option to allow raw MSR access even, in confidentiality mode.
Date: Sat, 30 Nov 2019 00:49:48 -0600
Message-ID: <339ca47a-6ed1-4ab4-f8cf-7b205fa9f773@gmail.com>

[-- Attachment #1.1: Type: text/plain, Size: 2587 bytes --]

From 452b8460e464422d268659a8abb93353a182f8c8 Mon Sep 17 00:00:00 2001
From: Matt Parnell <mparnell@gmail.com>
Date: Sat, 30 Nov 2019 00:44:09 -0600
Subject: [PATCH] Kernel Lockdown: Add an option to allow raw MSR access even
 in confidentiality mode.

For Intel CPUs, some of the MDS mitigations utilize the new "flush" MSR, and
while this isn't something normally used in userspace, it does cause false
positives for the "Foreshadow" vulnerability.

Additionally, Intel CPUs use MSRs for voltage and frequency controls, which in
many cases is useful for undervolting to avoid excess heat.

Signed-off-by: Matt Parnell <mparnell@gmail.com>
---
 arch/x86/kernel/msr.c     |  5 ++++-
 security/lockdown/Kconfig | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 1547be359d7f..4adce59455c3 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -80,10 +80,11 @@ static ssize_t msr_write(struct file *file, const
char __user *buf,
     int err = 0;
     ssize_t bytes = 0;
 
+#if defined(LOCK_DOWN_DENY_RAW_MSR)
     err = security_locked_down(LOCKDOWN_MSR);
     if (err)
         return err;
-
+#endif
     if (count % 8)
         return -EINVAL;    /* Invalid chunk size */
 
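Review bot: The guard `#if defined(LOCK_DOWN_DENY_RAW_MSR)` at the top of this hunk tests a name without the `CONFIG_` prefix. Kconfig symbols reach C code as `CONFIG_<name>`, so this macro is never defined and the `security_locked_down(LOCKDOWN_MSR)` call in msr_write() is compiled out in every configuration, including the `default y` case. Use `#ifdef CONFIG_LOCK_DOWN_DENY_RAW_MSR`, or preferably `if (IS_ENABLED(CONFIG_LOCK_DOWN_DENY_RAW_MSR))` around the call so the code stays compile-checked either way. The hunk also drops the blank line that separated the lockdown check from the `count % 8` validation; please keep it.
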
@@ -135,9 +136,11 @@ static long msr_ioctl(struct file *file, unsigned
int ioc, unsigned long arg)
             err = -EFAULT;
             break;
         }
+#if defined(LOCK_DOWN_DENY_RAW_MSR)
         err = security_locked_down(LOCKDOWN_MSR);
         if (err)
             break;
+#endif
         err = wrmsr_safe_regs_on_cpu(cpu, regs);
         if (err)
             break;
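Review bot: The same unprefixed `LOCK_DOWN_DENY_RAW_MSR` guard is repeated here in msr_ioctl(), so the check in front of `wrmsr_safe_regs_on_cpu(cpu, regs)` is never built either. Beyond the prefix, removing the call at build time means the lockdown hook is not consulted at all on this write path, whatever lockdown level is active, which is broader than the "even in confidentiality mode" case named in the subject. Consider keeping the `security_locked_down(LOCKDOWN_MSR)` call unconditional in both functions and making the exception inside the lockdown code, or at least fold the condition into one small helper so the two call sites cannot drift apart and the `#if` blocks stay out of the function bodies.
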
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf484010..f4fe72c4bf8f 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -44,4 +44,16 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
      code to read confidential material held inside the kernel are
      disabled.
 
+config LOCK_DOWN_DENY_RAW_MSR
+    bool "Lock down and deny raw MSR access"
+    depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+    default y
+    help
+      Some Intel based systems require raw MSR access to use the flush
+      MSR for MDS mitigation confirmation. Raw access can also be used
+      to undervolt many Intel CPUs.
+
+      Say Y to prevent access or N to allow raw MSR access for such
+      cases.
+
 endchoice
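
Review bot: The new `config LOCK_DOWN_DENY_RAW_MSR` entry is added above the `endchoice` context line, which places it inside the choice block that contains `LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY`. A yes/no option that `depends on` one of the choice's members does not belong among the alternatives; move it below `endchoice`. Also note that with `depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY` the symbol is off on every kernel built without that option, and combined with the `#if` guards in msr.c that removes the MSR check on those kernels as well, so the option fails open rather than only relaxing the forced-confidentiality case. The help text should also state the security cost of answering N, namely that raw MSR writes through the msr driver are then no longer blocked by lockdown.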
-- 
2.24.0


