Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752513AbbF1PN2 (ORCPT <rfc822;w@1wt.eu>);
	Sun, 28 Jun 2015 11:13:28 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:48829 "EHLO
	out3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752456AbbF1PNW (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sun, 28 Jun 2015 11:13:22 -0400
X-Sasl-enc: a+I6KFqAAai9BdDaAC6ylCUEqewDc4b9ONVEJTVfP24l 1435504402
Date: Sun, 28 Jun 2015 12:13:17 -0300
From: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
To: Prarit Bhargava <prarit@redhat.com>
Cc: Brian Gerst <brgerst@gmail.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        "H. Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        the arch/x86 maintainers <x86@kernel.org>,
        Len Brown <len.brown@intel.com>,
        Dasaratharaman Chandramouli 
	<dasaratharaman.chandramouli@intel.com>
Subject: Re: [PATCH] x86, msr: Allow read access to /dev/cpu/X/msr
Message-ID: <20150628151317.GC20989@khazad-dum.debian.net>
References: <1435341131-3279-1-git-send-email-prarit@redhat.com>
 <CAMzpN2j-0s9kNzuCwa9n2ZbxcveK=72r-SP=Ofhu+4uY8Us=_A@mail.gmail.com>
 <558DC388.5070602@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <558DC388.5070602@redhat.com>
X-GPG-Fingerprint1: 4096R/39CB4807 C467 A717 507B BAFE D3C1  6092 0BD9 E811
 39CB 4807
X-GPG-Fingerprint2: 1024D/1CDB0FE3 5422 5C61 F6B7 06FB 7E04  3738 EE25 DE3F
 1CDB 0FE3
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2113
Lines: 61

On Fri, 26 Jun 2015, Prarit Bhargava wrote:
> > The proper way to do this is to write a driver to only expose the MSRs
> > that the user tools need, and nothing else.
> 
> Will do -- At least I got everyone's attention with this :).

IMHO we need both a new driver that exposes semanthic functionality instead
of raw MSRs, and also to lock down the current MSR driver using processor
vendor, family and model-aware whitelists.

We have absolutely no idea of the real security impact of the CONFIG_X86_MSR
/dev/cpu/cpu#/msr driver, as that driver allows CAP_SYS_RAWIO userspace to
have complete access to all documented *and undocumented* MSRs.

Maybe we could build on the ideas and data already colleced by the msr-safe
LLNS code?

https://github.com/scalability-llnl/msr-safe
http://www.vi-hps.org/upload/program/espt-sc14/vi-hps-ESPT14-Shoga.pdf

At the very least, their work on building a list of safe MSRs should help...
Their code seems to be licensed under the GPLv3, which is a rather strange
choice of license for a kernel module.


A quick look using Debian's codesearch found these users of
/dev/cpu/cpu#/msr:

* cpufrequtils
* flashrom
* i7z
* intel-gpu-tools
* inteltool
* mcelog
* msrtool, msr-tools
* PAPI (can use msr_safe)
* powertop
* qemu
* slurm-llnl  (maybe this can also use msr_safe?)
* stressapptest
* turbostat
* wmlongrun, longrun
* x86info
* xserver-xorg-video-geode

As well as the other stuff that ships from the Linux kernel tree.

Looking at what they need the MSR access for (well, except for msrtools,
which is just a way for shell scripts to easily talk to the MSR driver)
might help define the problem space better.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/