x86/msr: Restrict MSR access when the kernel is locked down
author Matthew Garrett <mjg59@srcf.ucam.org>
Mon, 18 Feb 2019 12:44:59 +0000 (12:44 +0000)
committer Salvatore Bonaccorso <carnil@debian.org>
Thu, 26 Sep 2019 12:19:06 +0000 (13:19 +0100)
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode.  Based on a
patch by Kees Cook.

MSR accesses are logged for the purposes of building up a whitelist as per
Alan Cox's suggestion.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0014-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch

arch/x86/kernel/msr.c

index 3db2252b958d19fe7cf4de4e8e91f257da4e4409..5eed6530c2239fca3d2208b4af77ef6f0259f882 100644 (file)
@@ -79,6 +79,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
        int err = 0;
        ssize_t bytes = 0;
 
+       if (kernel_is_locked_down("Direct MSR access")) {
+               pr_info("Direct access to MSR %x\n", reg);
+               return -EPERM;
+       }
+
        if (count % 8)
                return -EINVAL; /* Invalid chunk size */
 
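Review bot: the pr_info() added at the top of msr_write() is not rate-limited and sits before the `count % 8` validation, so every rejected write() call, well-formed or not, adds a line to the kernel log. pr_info_ratelimited() would keep the data the commit message wants for building a whitelist without letting a looping caller flood the log. The message also prints the register as a bare `%x` and says "access" although this hunk blocks the write path; something like "Direct write to MSR 0x%x" would be less ambiguous when searching logs.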
@@ -130,6 +135,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
                        err = -EFAULT;
                        break;
                }
+               if (kernel_is_locked_down("Direct MSR access")) {
+                       pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
+                       err = -EPERM;
+                       break;
+               }
                err = wrmsr_safe_regs_on_cpu(cpu, regs);
                if (err)
                        break;
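Review bot: the lockdown check and log line in msr_ioctl() repeat the ones in msr_write() with a different error-return style (`err = -EPERM; break;` versus `return -EPERM;`), so the reason string and log format can drift between the two; a small helper that takes the MSR index and returns -EPERM would keep them in one place. The trailing comment `/* Display %ecx */` would be clearer if it said that regs[1] holds the MSR index being written, which is why the check has to follow the -EFAULT path above it rather than sit at the top of the case. The pr_info() here is unthrottled as well.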