Subject: x86/msr + lockdown: allow access to **documented** RAPL/TCC controls under Secure Boot

[Artem S. Tashkinov]

Hello,

When Secure Boot is enabled and kernel lockdown is active, the x86 MSR 
driver blocks all raw MSR access from user space via `/dev/cpu/*/msr`. 
This effectively prevents legitimate use of documented CPU power and 
thermal management interfaces such as RAPL power limits (PL1/PL2) and 
the TCC/TjOffset control. These registers are part of Intel’s 
**publicly** documented architectural interface and have been stable 
across many generations of processors.

As a result, under Secure Boot Linux users lose the ability to read or 
adjust **standard** power-management controls that remain available 
through equivalent tooling on other operating systems.

The current all-or-nothing restriction appears broader than necessary 
for the stated goal of protecting kernel integrity. MSRs associated with 
power limits and TCC offset are not privileged debugging or microcode 
interfaces but standard hardware configuration knobs intended for 
platform power and thermal management.

It would be useful if the kernel either allowed access to a small 
whitelist of such documented registers under lockdown or exposed a 
mediated kernel interface for adjusting them. Without such a mechanism, 
Secure Boot effectively disables legitimate and widely used 
power/thermal tuning functionality on modern Intel laptops.

Most (if not all) Intel laptops don't expose or allow to configure 
PL1/PL2 limits in BIOS/EFI either.

This is being tracked here: 
https://bugzilla.kernel.org/show_bug.cgi?id=221192

Regards,
Artem