summarylogtreecommitdiffstats
path: root/allow-disable-msr-lockdown.patch
diff options
context:
space:
mode:
authorMatt Parnell2019-11-30 19:22:54 -0600
committerMatt Parnell2019-11-30 19:22:54 -0600
commite4beff9c2624943dd72ef7980fd2e0b19e2ba7d6 (patch)
treeb4afc9e09bc4f9e5d6ad7070261971645d48f5cf /allow-disable-msr-lockdown.patch
parentfd87a84b18ff5afe300f8edf7348877058cd9e5e (diff)
downloadaur-e4beff9c2624943dd72ef7980fd2e0b19e2ba7d6.tar.gz
add patch to allow msrs in lockdown mode
Diffstat (limited to 'allow-disable-msr-lockdown.patch')
-rw-r--r--allow-disable-msr-lockdown.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/allow-disable-msr-lockdown.patch b/allow-disable-msr-lockdown.patch
new file mode 100644
index 00000000000..07eff98279f
--- /dev/null
+++ b/allow-disable-msr-lockdown.patch
@@ -0,0 +1,70 @@
+From 750fac45443c3bd472dd6e6c0fdca9cba08abfc4 Mon Sep 17 00:00:00 2001
+From: Matt Parnell <parwok@gmail.com>
+Date: Sat, 30 Nov 2019 19:05:19 -0600
+Subject: [PATCH] For Intel CPUs, some of the MDS mitigations utilize the new
+ "flush" MSR, and while this isn't something normally used in userspace, it
+ does cause false positives for the "Forshadow" vulnerability.
+
+Additionally, Intel CPUs use MSRs for voltage and frequency controls,
+which in
+many cases is useful for undervolting to avoid excess heat.
+
+Signed-off-by: Matt Parnell <mparnell@gmail.com>
+---
+ arch/x86/kernel/msr.c | 5 ++++-
+ security/lockdown/Kconfig | 12 ++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 1547be359d7f..4adce59455c3 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -80,10 +80,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+ int err = 0;
+ ssize_t bytes = 0;
+
++#if defined(LOCK_DOWN_DENY_RAW_MSR)
+ err = security_locked_down(LOCKDOWN_MSR);
+ if (err)
+ return err;
+-
++#endif
+ if (count % 8)
+ return -EINVAL; /* Invalid chunk size */
+
+@@ -135,9 +136,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+ err = -EFAULT;
+ break;
+ }
++#if defined(LOCK_DOWN_DENY_RAW_MSR)
+ err = security_locked_down(LOCKDOWN_MSR);
+ if (err)
+ break;
++#endif
+ err = wrmsr_safe_regs_on_cpu(cpu, regs);
+ if (err)
+ break;
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..2d51a9f20415 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -44,4 +44,16 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+ code to read confidential material held inside the kernel are
+ disabled.
+
++config LOCK_DOWN_DENY_RAW_MSR
++ bool "Lock down and deny raw MSR access"
++ depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
++ default y
++ help
++ Some Intel based systems require raw MSR access to use the flush
++ MSR for MDS mitigation confirmation. Raw access can also be used
++ to undervolt many Intel CPUs.
++
++ Say Y to prevent access or N to allow raw MSR access for such
++ cases.
++
+ endchoice
+--
+2.24.0
+