Re: [PATCH] x86/msr: do not warn on writes to OC_MAILBOX
From: Matthew Garrett
Date: Tue Sep 08 2020 - 18:32:42 EST

On Tue, Sep 8, 2020 at 1:35 PM Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:

> Undervolting is a bit different. It’s a genuinely useful configuration that can affect system stability. In general, I think it should be allowed, and it should have a real driver in tree.

Agree that this should be a proper driver rather than permitting
arbitrary poking (especially if this isn't an architecturally defined
MSR - there's no guarantee that it'll have the same functionality
everywhere).

> But this has a tricky interaction with lockdown. An interface that allows root to destabilize a system may well allow root to escalate privileges. But I think that making lockdown=integrity prevent tuning voltages and such would be quite obnoxious.

Indeed - plundervolt.com is a demonstration of this. Any realistic
attack involves being able to drop the voltage enough to interfere
with a calculation and then raise it again before everything else
falls over, so simply applying some rate limiting seems like it would
be sufficient.

> Should there perhaps be a separate lockdown bit for stability?

If it's a sysfs interface then I think it'd be easy enough for people
who care to just add an SELinux or AppArmor rule, tbh.
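
A small userspace model of the rate limiting suggested in the message above, added here as an illustration; it is not code from the patch, from the kernel, or from either participant in the thread. The 1000 ms interval, the struct, the function names and the sample offsets are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical policy value: minimum time between two offset changes. */
#define MIN_CHANGE_INTERVAL_MS 1000

struct volt_limiter {
    int32_t  offset_mv;      /* last accepted voltage offset, in mV */
    uint64_t last_change_ms; /* monotonic time of the last accepted change */
    bool     changed_once;   /* false until the first change is accepted */
};

/*
 * Decide whether a request to set a new voltage offset is accepted.
 * now_ms is a monotonic timestamp supplied by the caller.
 * Returns 0 on acceptance, -1 if the request arrives too soon after
 * the previous accepted change.
 */
int volt_request(struct volt_limiter *l, uint64_t now_ms, int32_t new_offset_mv)
{
    if (new_offset_mv == l->offset_mv)
        return 0; /* no change requested: nothing to limit */

    if (l->changed_once &&
        now_ms - l->last_change_ms < MIN_CHANGE_INTERVAL_MS)
        return -1; /* second change inside the window: reject */

    l->offset_mv = new_offset_mv;
    l->last_change_ms = now_ms;
    l->changed_once = true;
    return 0;
}

/* Constructed sequence: a drop, a quick restore attempt, a later restore. */
int demo_sequence(int results[3])
{
    struct volt_limiter l = {0};

    results[0] = volt_request(&l, 5000, -150); /* drop: accepted */
    results[1] = volt_request(&l, 5002, 0);    /* restore 2 ms later: rejected */
    results[2] = volt_request(&l, 6000, 0);    /* restore after the interval: accepted */
    return l.offset_mv;                        /* final accepted offset */
}
```

With a limiter of this shape, a voltage drop cannot be followed by a restore inside the interval, so the drop-then-raise pattern described in the message is not available to the caller.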