x86/msr: Restrict MSR access when the kernel is locked down
author Matthew Garrett <matthew.garrett@nebula.com>
Wed, 8 Nov 2017 15:11:34 +0000 (15:11 +0000)
committer Salvatore Bonaccorso <carnil@debian.org>
Tue, 20 Mar 2018 08:31:07 +0000 (08:31 +0000)
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode.  Based on a
patch by Kees Cook.

MSR accesses are logged for the purposes of building up a whitelist as per
Alan Cox's suggestion.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch

arch/x86/kernel/msr.c

index ef688804f80d33088fef15448996a97f69e2b193..dfb61d358196be5a2762e348d693134117b6f9a5 100644 (file)
@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
        int err = 0;
        ssize_t bytes = 0;
 
+       if (kernel_is_locked_down("Direct MSR access")) {
+               pr_info("Direct access to MSR %x\n", reg);
+               return -EPERM;
+       }
+
        if (count % 8)
                return -EINVAL; /* Invalid chunk size */
 
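Review bot: the pr_info() in the new lockdown branch of msr_write() is not rate limited, so a caller that repeats the write while the kernel is locked down can fill the kernel log with "Direct access to MSR" lines. Consider pr_info_ratelimited() here, or logging each MSR only once, which would still serve the whitelist-building purpose given in the commit message.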
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
                        err = -EFAULT;
                        break;
                }
+               if (kernel_is_locked_down("Direct MSR access")) {
+                       pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
+                       err = -EPERM;
+                       break;
+               }
                err = wrmsr_safe_regs_on_cpu(cpu, regs);
                if (err)
                        break;
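Review bot: the message logged just before err = -EPERM is the same string used in msr_write(), and it says neither that the write was refused nor which task attempted it, which limits its value for the whitelist the commit message mentions. Suggest printing the MSR with a 0x prefix, stating that the access was denied, and including the task name (for example current->comm). This pr_info() is also not rate limited.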