Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3719897img; Mon, 25 Mar 2019 16:43:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqwXKTKdg4Oz5rqqG1a5os6iyT70kfdyCwlvrDL6HQ2SDdEhUVxvg9phW5JT3wS4OO2adToW X-Received: by 2002:a63:6949:: with SMTP id e70mr25801783pgc.89.1553557385401; Mon, 25 Mar 2019 16:43:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553557385; cv=none; d=google.com; s=arc-20160816; b=fh5zEr2flHUZk93DT1WFElEZ50cw9c6JLT71bIuJbMT7gCdRTyb6FhUrHNJhw/vk/l 3NF7NFKAZnchXh1E7EN/JJ9q51XUVCaVgIe68KtlBGexqvTmkI0oLvmYXVeoM+1gV5K6 YA2nmTACOhNh2z4xM4m8lVWD92tfKBDTi9wRhuhSwMQsFLmVIopQLtOtn16G5rFkQfuK qDQtsvEYbeuzIDS6QbyOK+WLkQoxs/jccnnTZ8i1Ho105bTxqQsyeWlr+ftm/8wK9JOc Um4TYlp/+2BdJ8npzWFkhrnQ8skwp0DDuQlNXIJsWXxE7YeqPRk7okx8tP9AU2gGMI7K Rj2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=8lIFSI6BI8uhEGaX92ysOGPcNRow9REyS6laUZfcYsU=; b=i9FJrAdVxzjj6hP8dM3IvGFFWkbSlVT/mEDJaXQXE8LFOgiF0Dpui+Ty9ST+5nY4Fg Wg8Wn+aEjZiRHli+/mpI1M4iJGYyMCZz1EKcaAWpgJX9WLUdvuIBFDN76C81XQ98kUTh DJGd7GoCGPP5rjA927H0KXhSpl31RGknSyOhrtwGLdcLfB78OBHS6AgmJ5HWJyhkxUrH mDDNZwutfmfm/E6li8MmfNJkH2+d45sb2y0sHUHmRFaf7el9fY9TQGpL4M+gmScMyvgG W1ZhfNYWVysUtyJWbvClvJjrRiBPJyF41By25srKyDJlD6m81CmPwX99wXpP8iP6BeVQ neBw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l93si16024384plb.331.2019.03.25.16.42.49; Mon, 25 Mar 2019 16:43:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727626AbfCYXkk (ORCPT + 99 others); Mon, 25 Mar 2019 19:40:40 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:47100 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726186AbfCYXkk (ORCPT ); Mon, 25 Mar 2019 19:40:40 -0400 Received: from p5492e2fc.dip0.t-ipconnect.de ([84.146.226.252] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1h8ZCk-0001Ad-Jc; Tue, 26 Mar 2019 00:40:34 +0100 Date: Tue, 26 Mar 2019 00:40:34 +0100 (CET) From: Thomas Gleixner To: Matthew Garrett cc: jmorris@namei.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett , Kees Cook , x86@kernel.org Subject: Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down In-Reply-To: <20190325220954.29054-13-matthewgarrett@google.com> Message-ID: References: <20190325220954.29054-1-matthewgarrett@google.com> <20190325220954.29054-13-matthewgarrett@google.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Matthew, On Mon, 25 Mar 2019, Matthew Garrett wrote: > From: Matthew Garrett > > Writing to MSRs should not be allowed if the kernel is locked down, since > it could lead to execution of arbitrary code in kernel mode. Based on a > patch by Kees Cook. > > MSR accesses are logged for the purposes of building up a whitelist as per > Alan Cox's suggestion. > > Signed-off-by: Matthew Garrett > Signed-off-by: David Howells > Acked-by: Kees Cook > Reviewed-by: Thomas Gleixner I'm pretty sure, that I reviewed a different version of this, but due to the lack of: 1) A version indicator in the subject line, i.e. [PATCH v7 12/27] 2) A simple change indicator after the --- separator, e.g. v6 -> v7: Add MRS logging to dmesg ..... It's tedious to figure out what actually changed here. I just know for sure that the printk wasn't there before. It's not a huge effort adding such information, but it's very helpful for those who are supposed to look at your patches. Those people are drowned in patches so making it as easy as it goes would be very appreciated. > +++ b/arch/x86/kernel/msr.c > @@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, > int err = 0; > ssize_t bytes = 0; > > + if (kernel_is_locked_down("Direct MSR access")) { > + pr_info("Direct access to MSR %x\n", reg); I'm really not fond of this at all. /dev/msr should simply die. Maintaining a whitelist for this is a horrible idea as you will get a gazillion of excuses why access to a particular MSR is sane. And I'm neither interested in these discussions nor interested in adding the whitelist to this trainwreck, The right thing to do is to provide sane interfaces and that's where we are moving to. So simply blocking the access with locked down mode might be very helpful to accelerate that. Thanks, tglx