-rw-r--r-- | .SRCINFO | 2 | ||||
-rw-r--r-- | PKGBUILD | 10 | ||||
-rw-r--r-- | allow-disable-msr-lockdown.patch | 70 | ||||
-rw-r--r-- | linux-zen.install | 2 |
4 files changed, 81 insertions, 3 deletions
@@ -13,9 +13,11 @@ pkgbase = linux-zen-git source = linux-zen.conf source = linux-zen.preset source = git://github.com/damentz/zen-kernel.git#branch=5.4/master + source = allow-disable-msr-lockdown.patch sha256sums = 6373073ad943e068478ef1373be4eb2a7e473da8743d946f1f50cd364685ab87 sha256sums = 18fe6b2664a9a740544c4cb990efe5ec933d6e64caf9e5d0a6ced92af0027c2d sha256sums = SKIP + sha256sums = 2f4bedb64dde14045196702644f0c82ddb1271e3c5392657dd71c40af82ff3f1 pkgname = linux-zen-git install = linux-zen.install @@ -17,10 +17,13 @@ pkgrel=1 options=("!strip") source=("linux-zen.conf" "linux-zen.preset" - 'git://github.com/damentz/zen-kernel.git#branch=5.4/master') + 'git://github.com/damentz/zen-kernel.git#branch=5.4/master' + 'allow-disable-msr-lockdown.patch') sha256sums=('6373073ad943e068478ef1373be4eb2a7e473da8743d946f1f50cd364685ab87' '18fe6b2664a9a740544c4cb990efe5ec933d6e64caf9e5d0a6ced92af0027c2d' - 'SKIP') + 'SKIP' + '2f4bedb64dde14045196702644f0c82ddb1271e3c5392657dd71c40af82ff3f1') + _CORES=1 # compress the modules or not @@ -97,6 +100,9 @@ build() { fi fi + msg "Allowing disable of MSR in lockdown mode to allow undervolting and prevent false positives for spectre-meltdown-checker..." + patch -Np1 -i "${srcdir}/allow-disable-msr-lockdown.patch" + msg2 "Updating output directory Makefile..." make -C "${srcdir}/zen-kernel/" O="${srcdir}/build" outputmakefile diff --git a/allow-disable-msr-lockdown.patch b/allow-disable-msr-lockdown.patch new file mode 100644 index 000000000000..07eff98279f5 --- /dev/null +++ b/allow-disable-msr-lockdown.patch 
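Review bot: The rewritten `source` entry still fetches the kernel tree over `git://` with a `SKIP` checksum, so the sha256 added for the local patch is the only integrity check on the build inputs. `git://` is unauthenticated and unencrypted, which leaves the cloned tree open to modification in transit. Changing the entry to `'git+https://github.com/damentz/zen-kernel.git#branch=5.4/master'` authenticates the remote over TLS; `.SRCINFO` would then need regenerating to match.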
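Review bot: `patch -Np1 -i "${srcdir}/allow-disable-msr-lockdown.patch"` is run inside `build()`, so a repeated build over the same extracted tree (`makepkg -e`) finds the patch already applied and `patch` will most likely exit non-zero and abort the build; source modifications belong in `prepare()`. The hunk does not show the working directory at this point, and `-p1` only resolves `arch/x86/kernel/msr.c` from the kernel tree, so an explicit `cd "${srcdir}/zen-kernel"` before the call would make that dependency visible. A comment above the call such as `# weakens kernel lockdown: MSR writes may be permitted, see allow-disable-msr-lockdown.patch` would tell packagers that this step changes a security boundary. `build()` starts and ends outside the hunk.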
@@ -0,0 +1,70 @@
+From 750fac45443c3bd472dd6e6c0fdca9cba08abfc4 Mon Sep 17 00:00:00 2001
+From: Matt Parnell <parwok@gmail.com>
+Date: Sat, 30 Nov 2019 19:05:19 -0600
+Subject: [PATCH] For Intel CPUs, some of the MDS mitigations utilize the new
+ "flush" MSR, and while this isn't something normally used in userspace, it
+ does cause false positives for the "Forshadow" vulnerability.
+
+Additionally, Intel CPUs use MSRs for voltage and frequency controls,
+which in
+many cases is useful for undervolting to avoid excess heat.
+
+Signed-off-by: Matt Parnell <mparnell@gmail.com>
+---
+ arch/x86/kernel/msr.c | 5 ++++-
+ security/lockdown/Kconfig | 12 ++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 1547be359d7f..4adce59455c3 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -80,10 +80,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+ int err = 0;
+ ssize_t bytes = 0;
+
++#if defined(LOCK_DOWN_DENY_RAW_MSR)
+ err = security_locked_down(LOCKDOWN_MSR);
+ if (err)
+ return err;
+-
++#endif
+ if (count % 8)
+ return -EINVAL; /* Invalid chunk size */
+
+@@ -135,9 +136,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+ err = -EFAULT;
+ break;
+ }
++#if defined(LOCK_DOWN_DENY_RAW_MSR)
+ err = security_locked_down(LOCKDOWN_MSR);
+ if (err)
+ break;
++#endif
+ err = wrmsr_safe_regs_on_cpu(cpu, regs);
+ if (err)
+ break;
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..2d51a9f20415 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -44,4 +44,16 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+ code to read confidential material held inside the kernel are
+ disabled.
+ ++config LOCK_DOWN_DENY_RAW_MSR ++ bool "Lock down and deny raw MSR access" ++ depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY ++ default y ++ help ++ Some Intel based systems require raw MSR access to use the flush ++ MSR for MDS mitigation confirmation. Raw access can also be used ++ to undervolt many Intel CPUs. ++ ++ Say Y to prevent access or N to allow raw MSR access for such ++ cases. ++ + endchoice +-- +2.24.0 + diff --git a/linux-zen.install b/linux-zen.install index 2136cc23f763..ac7a736d3b8d 100644 --- a/linux-zen.install +++ b/linux-zen.install @@ -1,4 +1,4 @@ -_kernel_version=5.3.13-zen-g2d16ac72c450-dirty +_kernel_version=5.4.1-zen-g3cd71df1c280-dirty _r="\033[00;31m" _y="\033[00;33m" |
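Review bot: The guards added in `msr_write()` and `msr_ioctl()` test `LOCK_DOWN_DENY_RAW_MSR`, but Kconfig symbols reach C code with a `CONFIG_` prefix, so as written the macro is never defined and the `security_locked_down(LOCKDOWN_MSR)` check is compiled out even when the new option is left at its default `y`. Both guards should read `#if IS_ENABLED(CONFIG_LOCK_DOWN_DENY_RAW_MSR)`. Separately, the option `depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY` and is added above `endchoice`, so once the prefix is fixed it would presumably still be unset on kernels that force integrity mode or enter lockdown at runtime, and the MSR write restriction would stay removed there. Moving the entry outside the choice and dropping that dependency would keep `y` meaning "deny" in every lockdown mode. Both function bodies continue outside the nested hunks.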