summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Parnell2019-11-30 19:22:54 -0600
committerMatt Parnell2019-11-30 19:22:54 -0600
commite4beff9c2624943dd72ef7980fd2e0b19e2ba7d6 (patch)
treeb4afc9e09bc4f9e5d6ad7070261971645d48f5cf
parentfd87a84b18ff5afe300f8edf7348877058cd9e5e (diff)
downloadaur-e4beff9c2624943dd72ef7980fd2e0b19e2ba7d6.tar.gz
add patch to allow msrs in lockdown mode
-rw-r--r--.SRCINFO2
-rw-r--r--PKGBUILD10
-rw-r--r--allow-disable-msr-lockdown.patch70
-rw-r--r--linux-zen.install2
4 files changed, 81 insertions, 3 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 81b4e17e70c..85ca37ec093 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -13,9 +13,11 @@ pkgbase = linux-zen-git
source = linux-zen.conf
source = linux-zen.preset
source = git://github.com/damentz/zen-kernel.git#branch=5.4/master
+ source = allow-disable-msr-lockdown.patch
sha256sums = 6373073ad943e068478ef1373be4eb2a7e473da8743d946f1f50cd364685ab87
sha256sums = 18fe6b2664a9a740544c4cb990efe5ec933d6e64caf9e5d0a6ced92af0027c2d
sha256sums = SKIP
+ sha256sums = 2f4bedb64dde14045196702644f0c82ddb1271e3c5392657dd71c40af82ff3f1
pkgname = linux-zen-git
install = linux-zen.install
diff --git a/PKGBUILD b/PKGBUILD
index f91b8821098..69bc00ee8c6 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,10 +17,13 @@ pkgrel=1
options=("!strip")
source=("linux-zen.conf"
"linux-zen.preset"
- 'git://github.com/damentz/zen-kernel.git#branch=5.4/master')
+ 'git://github.com/damentz/zen-kernel.git#branch=5.4/master'
+ 'allow-disable-msr-lockdown.patch')
sha256sums=('6373073ad943e068478ef1373be4eb2a7e473da8743d946f1f50cd364685ab87'
'18fe6b2664a9a740544c4cb990efe5ec933d6e64caf9e5d0a6ced92af0027c2d'
- 'SKIP')
+ 'SKIP'
+ '2f4bedb64dde14045196702644f0c82ddb1271e3c5392657dd71c40af82ff3f1')
+
_CORES=1
# compress the modules or not
@@ -97,6 +100,9 @@ build() {
fi
fi
+ msg "Allowing disable of MSR in lockdown mode to allow undervolting and prevent false positives for spectre-meltdown-checker..."
+ patch -Np1 -i "${srcdir}/allow-disable-msr-lockdown.patch"
+
msg2 "Updating output directory Makefile..."
make -C "${srcdir}/zen-kernel/" O="${srcdir}/build" outputmakefile
diff --git a/allow-disable-msr-lockdown.patch b/allow-disable-msr-lockdown.patch
new file mode 100644
index 00000000000..07eff98279f
--- /dev/null
+++ b/allow-disable-msr-lockdown.patch
@@ -0,0 +1,70 @@
+From 750fac45443c3bd472dd6e6c0fdca9cba08abfc4 Mon Sep 17 00:00:00 2001
+From: Matt Parnell <parwok@gmail.com>
+Date: Sat, 30 Nov 2019 19:05:19 -0600
+Subject: [PATCH] For Intel CPUs, some of the MDS mitigations utilize the new
+ "flush" MSR, and while this isn't something normally used in userspace, it
+ does cause false positives for the "Forshadow" vulnerability.
+
+Additionally, Intel CPUs use MSRs for voltage and frequency controls,
+which in
+many cases is useful for undervolting to avoid excess heat.
+
+Signed-off-by: Matt Parnell <mparnell@gmail.com>
+---
+ arch/x86/kernel/msr.c | 5 ++++-
+ security/lockdown/Kconfig | 12 ++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 1547be359d7f..4adce59455c3 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -80,10 +80,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+ int err = 0;
+ ssize_t bytes = 0;
+
++#if defined(LOCK_DOWN_DENY_RAW_MSR)
+ err = security_locked_down(LOCKDOWN_MSR);
+ if (err)
+ return err;
+-
++#endif
+ if (count % 8)
+ return -EINVAL; /* Invalid chunk size */
+
+@@ -135,9 +136,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+ err = -EFAULT;
+ break;
+ }
++#if defined(LOCK_DOWN_DENY_RAW_MSR)
+ err = security_locked_down(LOCKDOWN_MSR);
+ if (err)
+ break;
++#endif
+ err = wrmsr_safe_regs_on_cpu(cpu, regs);
+ if (err)
+ break;
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..2d51a9f20415 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -44,4 +44,16 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+ code to read confidential material held inside the kernel are
+ disabled.
+
++config LOCK_DOWN_DENY_RAW_MSR
++ bool "Lock down and deny raw MSR access"
++ depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
++ default y
++ help
++ Some Intel based systems require raw MSR access to use the flush
++ MSR for MDS mitigation confirmation. Raw access can also be used
++ to undervolt many Intel CPUs.
++
++ Say Y to prevent access or N to allow raw MSR access for such
++ cases.
++
+ endchoice
+--
+2.24.0
+
diff --git a/linux-zen.install b/linux-zen.install
index 2136cc23f76..ac7a736d3b8 100644
--- a/linux-zen.install
+++ b/linux-zen.install
@@ -1,4 +1,4 @@
-_kernel_version=5.3.13-zen-g2d16ac72c450-dirty
+_kernel_version=5.4.1-zen-g3cd71df1c280-dirty
_r="\033[00;31m"
_y="\033[00;33m"