summarylogtreecommitdiffstats
path: root/allow-disable-msr-lockdown.patch
diff options
context:
space:
mode:
Diffstat (limited to 'allow-disable-msr-lockdown.patch')
-rw-r--r--allow-disable-msr-lockdown.patch41
1 files changed, 4 insertions, 37 deletions
diff --git a/allow-disable-msr-lockdown.patch b/allow-disable-msr-lockdown.patch
index 07eff98279f5..83201cd1bbea 100644
--- a/allow-disable-msr-lockdown.patch
+++ b/allow-disable-msr-lockdown.patch
@@ -1,25 +1,8 @@
-From 750fac45443c3bd472dd6e6c0fdca9cba08abfc4 Mon Sep 17 00:00:00 2001
-From: Matt Parnell <parwok@gmail.com>
-Date: Sat, 30 Nov 2019 19:05:19 -0600
-Subject: [PATCH] For Intel CPUs, some of the MDS mitigations utilize the new
- "flush" MSR, and while this isn't something normally used in userspace, it
- does cause false positives for the "Forshadow" vulnerability.
-
-Additionally, Intel CPUs use MSRs for voltage and frequency controls,
-which in
-many cases is useful for undervolting to avoid excess heat.
-
-Signed-off-by: Matt Parnell <mparnell@gmail.com>
----
- arch/x86/kernel/msr.c | 5 ++++-
- security/lockdown/Kconfig | 12 ++++++++++++
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 1547be359d7f..4adce59455c3 100644
+index 49dcfb85e773..d264b267e88d 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
-@@ -80,10 +80,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+@@ -106,9 +106,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0;
ssize_t bytes = 0;
@@ -27,23 +10,10 @@ index 1547be359d7f..4adce59455c3 100644
err = security_locked_down(LOCKDOWN_MSR);
if (err)
return err;
--
+#endif
- if (count % 8)
- return -EINVAL; /* Invalid chunk size */
-@@ -135,9 +136,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- err = -EFAULT;
- break;
- }
-+#if defined(LOCK_DOWN_DENY_RAW_MSR)
- err = security_locked_down(LOCKDOWN_MSR);
- if (err)
- break;
-+#endif
- err = wrmsr_safe_regs_on_cpu(cpu, regs);
- if (err)
- break;
+ err = filter_write(reg);
+ if (err)
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf484010..2d51a9f20415 100644
--- a/security/lockdown/Kconfig
@@ -65,6 +35,3 @@ index e84ddf484010..2d51a9f20415 100644
+ cases.
+
endchoice
---
-2.24.0
-