Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down

2017-10-25 Thread joeyli
Hi David,
On Mon, Oct 23, 2017 at 03:49:44PM +0100, David Howells wrote:
> Alan Cox wrote:
>
> > There are a load of standard tools that use this so I think you are going
> > to need a whitelist. Can you at least log *which* MSR in the failing case
> > so a

Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down

2017-10-23 Thread David Howells
Alan Cox wrote:
> There are a load of standard tools that use this so I think you are going
> to need a whitelist. Can you at least log *which* MSR in the failing case
> so a whitelist can be built over time ?
Will the attached change work for you?
David
---
diff

Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down

2017-10-20 Thread joeyli
On Fri, Oct 20, 2017 at 09:48:16PM +0100, David Howells wrote:
> Alan Cox wrote:
>
> > There are a load of standard tools that use this so I think you are going
> > to need a whitelist. Can you at least log *which* MSR in the failing case
> > so a whitelist can be

Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down

2017-10-20 Thread David Howells
Alan Cox wrote:
> There are a load of standard tools that use this so I think you are going
> to need a whitelist. Can you at least log *which* MSR in the failing case
> so a whitelist can be built over time ?
Probably. Is it just the file position for msr_write()?

Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down

2017-10-20 Thread Alan Cox
On Thu, 19 Oct 2017 15:52:04 +0100 David Howells wrote:
> From: Matthew Garrett
>
> Writing to MSRs should not be allowed if the kernel is locked down, since
> it could lead to execution of arbitrary code in kernel mode. Based on a
> patch by

Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down

2017-10-20 Thread joeyli
On Thu, Oct 19, 2017 at 03:52:04PM +0100, David Howells wrote:
> From: Matthew Garrett
>
> Writing to MSRs should not be allowed if the kernel is locked down, since
> it could lead to execution of arbitrary code in kernel mode. Based on a
> patch by Kees Cook.
>

[PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down

2017-10-19 Thread David Howells
From: Matthew Garrett
Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook.
Signed-off-by: Matthew Garrett
Signed-off-by: