Re: [PATCH] x86/msr: do not warn on writes to OC_MAILBOX

From: Andy Lutomirski
Date: Tue Sep 08 2020 - 16:35:33 EST

> On Sep 8, 2020, at 12:30 PM, Borislav Petkov <bp@xxxxxxxxx> wrote:
> On Tue, Sep 08, 2020 at 12:18:38PM -0700, Sultan Alsawaf wrote:
>> I'd like to point out that on Intel's recent 14nm parts, undervolting
>> is not so much for squeezing every last drop of performance out of the
>> SoC as it is for necessity.
> <snip interesting examples>
> Sounds to me that this undervolting functionality should be part of
> the kernel and happen automatically. I have no clue, though, whether
> people who do it, just get lucky and undervolting doesn't cause any
> other hardware issues, or there's a real reason for this power madness
> and if not done, power-related failures happen only on some boxes so
> they decided to do them on all.
> Or maybe BIOS is nuts, which is not a stretch.
> Srinivas, what's the story here?

I have seriously mixed opinions about this.

First, there are really two separate issues here. One is undervolting these parts, and one is the MSR interface.

In my mind, the MSR part is an easy call. Userspace has no more business poking some undocumented mailbox MSR than it does poking any other MSR. We should not give special dispensation here. It should be allowed if the MSR restrictions are off, and otherwise we should warn or forbid it.

Undervolting is a bit different. It’s a genuinely useful configuration that can affect system stability. In general, I think it should be allowed, and it should have a real driver in tree.

But this has a tricky interaction with lockdown. An interface that allows root to destabilize a system may well allow root to escalate privileges. But I think that making lockdown=integrity prevent tuning voltages and such would be quite obnoxious.

Should there perhaps be a separate lockdown bit for stability?

I assume that Intel XTU and such work on Secure-Booted Windows.