Re: [PATCH] x86/msr: do not warn on writes to OC_MAILBOX

From: Matthew Garrett
Date: Tue Sep 08 2020 - 18:32:42 EST


On Tue, Sep 8, 2020 at 1:35 PM Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:

> Undervolting is a bit different. It’s a genuinely useful configuration that can affect system stability. In general, I think it should be allowed, and it should have a real driver in tree.

Agree that this should be a proper driver rather than permitting
arbitrary poking (especially if this isn't an architecturally defined
MSR - there's no guarantee that it'll have the same functionality
everywhere).

> But this has a tricky interaction with lockdown. An interface that allows root to destabilize a system may well allow root to escalate privileges. But I think that making lockdown=integrity prevent tuning voltages and such would be quite obnoxious.

Indeed - plundervolt.com is a demonstration of this. Any realistic
attack involves being able to drop the voltage enough to interfere
with a calculation and then raise it again before everything else
falls over, so simply applying some rate limiting seems like it would
be sufficient.

> Should there perhaps be a separate lockdown bit for stability?

If it's a sysfs interface then I think it'd be easy enough for people
who care to just add an SELinux or Apparmor rule, tbh.
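An added example, not code from the thread or from any in-tree driver: a user-space C model of the rate limiting Matthew Garrett suggests above. Every name here (vlimit_*, VLIMIT_*) is hypothetical, and the 1 s minimum interval is an assumed tunable, not a value anyone in the thread proposed. The model refuses any voltage-offset change that arrives less than the interval after the previous accepted change. A Plundervolt-style glitch has to drop the voltage and restore it within microseconds, so the restore is what gets refused and the attacker is left sitting at the unstable voltage; a user who dials in an undervolt a few seconds at a time never hits the limit. The request sequences at the bottom are constructed sample input.

```c
/*
 * Hypothetical model of a rate-limited voltage-offset interface.
 * Not a kernel driver and not tied to any real MSR; it only shows the
 * policy: at most one accepted offset change per VLIMIT_MIN_INTERVAL_NS.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimum time between two accepted changes (assumed value: 1 s). */
#define VLIMIT_MIN_INTERVAL_NS 1000000000ULL

struct vlimit_state {
    int      offset_mv;      /* applied offset, negative = undervolt */
    uint64_t last_change_ns; /* monotonic time of last accepted change */
    bool     has_changed;    /* false until the first accepted write */
};

enum vlimit_result { VLIMIT_APPLIED, VLIMIT_NOOP, VLIMIT_RATE_LIMITED };

static void vlimit_init(struct vlimit_state *s)
{
    s->offset_mv = 0;
    s->last_change_ns = 0;
    s->has_changed = false;
}

/*
 * Handle a write of new_offset_mv arriving at now_ns. A write that does
 * not change the offset is a no-op and does not consume the budget; any
 * real change, in either direction, must wait out the interval.
 */
static enum vlimit_result vlimit_request(struct vlimit_state *s,
                                         int new_offset_mv, uint64_t now_ns)
{
    if (new_offset_mv == s->offset_mv)
        return VLIMIT_NOOP;
    if (s->has_changed &&
        now_ns - s->last_change_ns < VLIMIT_MIN_INTERVAL_NS)
        return VLIMIT_RATE_LIMITED;
    s->offset_mv = new_offset_mv;
    s->last_change_ns = now_ns;
    s->has_changed = true;
    return VLIMIT_APPLIED;
}

struct vlimit_req {
    uint64_t t_ns;
    int      offset_mv;
};

/* Replay a request sequence from a fresh state; returns the number of
 * accepted changes and, via out_final_mv, the offset left applied. */
static int vlimit_replay(const struct vlimit_req *reqs, size_t n,
                         int *out_final_mv)
{
    struct vlimit_state s;
    int applied = 0;

    vlimit_init(&s);
    for (size_t i = 0; i < n; i++) {
        if (vlimit_request(&s, reqs[i].offset_mv, reqs[i].t_ns) ==
            VLIMIT_APPLIED)
            applied++;
    }
    if (out_final_mv)
        *out_final_mv = s.offset_mv;
    return applied;
}

/* Constructed sample: glitch attempt, drop then restore 50 us later. */
static const struct vlimit_req attack_seq[] = {
    { 0ULL,     -250 },
    { 50000ULL,    0 },
};

/* Constructed sample: a user tuning an undervolt by hand over seconds. */
static const struct vlimit_req tuning_seq[] = {
    { 0ULL,            -50 },
    { 5000000000ULL,   -80 },
    { 12000000000ULL, -100 },
};

int main(void)
{
    int final_mv;
    int n;

    n = vlimit_replay(attack_seq, 2, &final_mv);
    printf("attack:  %d of 2 accepted, offset left at %d mV\n", n, final_mv);
    n = vlimit_replay(tuning_seq, 3, &final_mv);
    printf("tuning:  %d of 3 accepted, offset left at %d mV\n", n, final_mv);
    return 0;
}
```

The point of limiting both directions is that a policy which only throttles lowering would still admit one drop-and-restore cycle, which is all a glitch needs; throttling the restore turns a brief glitch into a sustained unstable voltage that the attacker's own process has to survive. A real driver would also want a bounded offset range and a per-model sanity check, since, as noted above, a non-architectural MSR need not behave the same everywhere.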