diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 49dcfb85e773..d264b267e88d 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -106,9 +106,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
 int err = 0;
 ssize_t bytes = 0;
+#if defined(LOCK_DOWN_DENY_RAW_MSR)
 err = security_locked_down(LOCKDOWN_MSR);
 if (err)
 return err;
+#endif
 err = filter_write(reg);
 if (err)
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf484010..2d51a9f20415 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -44,4 +44,16 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
 code to read confidential material held inside the kernel are disabled.
+config LOCK_DOWN_DENY_RAW_MSR
+ bool "Lock down and deny raw MSR access"
+ depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+ default y
+ help
+ Some Intel based systems require raw MSR access to use the flush
+ MSR for MDS mitigation confirmation. Raw access can also be used
+ to undervolt many Intel CPUs.
+
+ Say Y to prevent access or N to allow raw MSR access for such
+ cases.
+
 endchoice
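Review bot: The guard `#if defined(LOCK_DOWN_DENY_RAW_MSR)` in msr_write tests a macro without the `CONFIG_` prefix, and Kconfig symbols are exposed to C only as `CONFIG_<name>`. Unless something outside this diff defines the bare name, the `security_locked_down(LOCKDOWN_MSR)` check is compiled out whatever the option is set to, including the `default y` case, leaving only `filter_write(reg)` between a privileged writer and the MSR on a locked-down kernel. The guard should read `#ifdef CONFIG_LOCK_DOWN_DENY_RAW_MSR`, or `if (IS_ENABLED(CONFIG_LOCK_DOWN_DENY_RAW_MSR))` around the call so both configurations keep being compiled. msr_write's body starts and ends outside the hunk.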
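Review bot: `depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY` forces the new symbol to n in every other lockdown configuration, so a C guard keyed on it would compile the LOCKDOWN_MSR check out on kernels that force integrity mode or enable lockdown at boot, which looks like the opposite of the intent. The entry is also added before `endchoice`, which appears to place it inside the choice block next to the mode options; an independent toggle would normally be declared after `endchoice`. The help text describes "raw MSR access" in general while the only guarded path visible in this diff is msr_write, and it should state the cost of N plainly, e.g. `Saying N lets privileged userspace write MSRs through the msr driver even when the kernel is locked down.`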