[PATCH] Kernel Lockdown: Add an option to allow raw MSR access even, in confidentiality mode.

Matthew Garrett mjg59 at google.com
Mon Dec 2 19:43:43 UTC 2019


On Fri, Nov 29, 2019 at 10:50 PM Matt Parnell <mparnell at gmail.com> wrote:
> For Intel CPUs, some of the MDS mitigations utilize the new "flush" MSR, and
> while this isn't something normally used in userspace, it does cause false
> positives for the "Foreshadow" vulnerability.

The msr interface is pretty terrible - it exposes a consistent
interface over very inconsistent CPUs. Where there's CPU functionality
that's implemented via MSRs it makes sense to expose that over a
separate kernel interface.


