It would be nice to have this upstreamed and combined with kernel lockdown

[ilikenwf]

Since lockdown was added in 5.4 (https://lwn.net/Articles/706637/) I feel that your module should be combined with it and hopefully upstreamed.

Unfortunately, if one uses the early lockdown option, LSM can't be used to allow access to desired MSRs, in my case, for undervolting.

msr-safe would be a perfect way to allow certain MSR's to be read and/or writeable from userspace with lockdown enabled, and from there apparmor or whatever can control access to /dev/msr past that point, allowing only whitelisted users/applications to touch the allowed registers.

[rountree]

Hi Matt,

Thanks for the suggestion. We tried to get msr-safe into the mainline kernel several years ago with the support of Red Hat and Intel. Ultimately, the LKML community wasn't comfortable giving that kind of access to userspace programs. Their position was that if we needed a specific driver for a specific task, we should write the driver and submit that. Allowing general whitelisted access would allow drivers to migrate out of the kernel and become opaque binary blobs in userspace. While I don't agree with that position, I do think it's reasonable, and I don't expect the lockdown efforts would have changed anyone's position.

Apologies for taking so long to write back; we're in our travel season here and just getting caught up.

[rountree]

No movement in several years from our colleagues at Intel and RedHat. Closing.