Re: [PATCH] x86/msr: do not warn on writes to OC_MAILBOX

From: Matthew Garrett
Date: Tue Sep 08 2020 - 18:32:42 EST

On Tue, Sep 8, 2020 at 1:35 PM Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:

> Undervolting is a bit different. It’s a genuinely useful configuration that can affect system stability. In general, I think it should be allowed, and it should have a real driver in tree.

Agree that this should be a proper driver rather than permitting
arbitrary poking (especially if this isn't an architecturally defined
MSR - there's no guarantee that it'll have the same functionality

> But this has a tricky interaction with lockdown. An interface that allows root to destabilize a system may well allow root to escalate privileges. But I think that making lockdown=integrity prevent tuning voltages and such would be quite obnoxious.

Indeed - is a demonstration of this. Any realistic
attack involves being able to drop the voltage enough to interfere
with a calculation and then raise it again before everything else
falls over, so simply applying some rate limiting seems like it would
be sufficient.

> Should there perhaps be a separate lockdown bit for stability?

If it's a sysfs interface then I think it'd be easy enough for people
who care to just add an SELinux or Apparmor rule, tbh.