[PATCH] Kernel Lockdown: Add an option to allow raw MSR access even, in confidentiality mode.

Matt Parnell mparnell at gmail.com
Mon Dec 2 20:39:41 UTC 2019


Agreed.

That said, if we don't mind working with what already exists, this
whitelist addition (I have trouble calling it a module) exists. I wonder
if it could be reshaped into something that ties in with the lockdown
functionality?

It looks like a mixture of commits from Intel engineers and Lawrence
Livermore engineers (GPLv3) :

https://github.com/LLNL/msr-safe

On 12/2/19 1:43 PM, Matthew Garrett wrote:
> On Fri, Nov 29, 2019 at 10:50 PM Matt Parnell <mparnell at gmail.com> wrote:
>> For Intel CPUs, some of the MDS mitigations utilize the new "flush" MSR, and
>> while this isn't something normally used in userspace, it does cause false
>> positives for the "Forshadow" vulnerability.
> The msr interface is pretty terrible - it exposes a consistent
> interface over very inconsistent CPUs. Where there's CPU functionality
> that's implemented via MSRs it makes sense to expose that over a
> separate kernel interface.



More information about the Linux-security-module-archive mailing list