diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 49dcfb85e773..d264b267e88d 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -106,9 +106,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0;
ssize_t bytes = 0;
+#if defined(LOCK_DOWN_DENY_RAW_MSR)
err = security_locked_down(LOCKDOWN_MSR);
if (err)
return err;
+#endif
err = filter_write(reg);
if (err)
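Review bot: The guard `#if defined(LOCK_DOWN_DENY_RAW_MSR)` tests a macro the build never defines, because Kconfig options reach C code with a `CONFIG_` prefix. As written, the `security_locked_down(LOCKDOWN_MSR)` check is compiled out in every configuration, leaving `filter_write(reg)` as the only check visible in this hunk. The guard should read `#ifdef CONFIG_LOCK_DOWN_DENY_RAW_MSR`, or the check can be wrapped in `if (IS_ENABLED(CONFIG_LOCK_DOWN_DENY_RAW_MSR))` so both branches stay compile-tested. A comment above it such as `/* Lockdown does not cover raw MSR writes when this option is off. */` would keep the trade-off visible to later readers. The body of msr_write starts and ends outside the hunk.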
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf484010..2d51a9f20415 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -44,4 +44,16 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
code to read confidential material held inside the kernel are
disabled.
+config LOCK_DOWN_DENY_RAW_MSR
+ bool "Lock down and deny raw MSR access"
+ depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+ default y
+ help
+ Some Intel based systems require raw MSR access to use the flush
+ MSR for MDS mitigation confirmation. Raw access can also be used
+ to undervolt many Intel CPUs.
+
+ Say Y to prevent access or N to allow raw MSR access for such
+ cases.
+
endchoice
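Review bot: The new `config LOCK_DOWN_DENY_RAW_MSR` entry is placed before `endchoice`, so it lands inside the lockdown-level choice instead of being an independent option, and `default y` on it is then unlikely to behave as intended (worth confirming in menuconfig). Its `depends on LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY` also leaves the option off whenever confidentiality is not forced at build time, and with the msr.c guard keyed on it the MSR write check would be dropped for kernels locked down at integrity level or at boot/runtime. Move the entry after `endchoice` and use `depends on SECURITY_LOCKDOWN_LSM`, so that denying stays the default wherever lockdown can be active. The help text should also state plainly that answering N lets privileged userspace write MSRs on a locked-down kernel.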