Linux 5.9+ limiting MSR writes, should we support MSR filters?

Open goodboy opened this issue 4 years ago • 8 comments

I'm pretty sure the kernel team has now limited write access of MSR registers as per:

  • https://www.phoronix.com/scan.php?page=news_item&px=Linux-Filter-Tightening-MSRs
  • https://github.com/torvalds/linux/search?q=MSR&type=commits

I haven't been able to get this (very very lovely service) script to work since a couple weeks ago.

I am seeing the dmesg warnings:

[  894.899410] msr: Write to unrecognized MSR 0x150 by python
               Please report to [email protected]

I also get the same read errors as in #216.

The part at the end of that article:

Ultimately they will likely transition to that as the default at a later time to ensure MSR writes from user-space do not happen. This behavior right now can be toggled via the msr.allow_writes= kernel module parameter with on/off/default. Should legitimate use-cases come up where writes to MSRs from user-space are still desired, they may add the infrastructure to selectively grant/deny access to specific MSRs and ensure they are sanitized by the kernel.

I honestly haven't dug into the commit list enough and am definitely no kernel expert so I'm just putting this up both as a question and a spot where others can come to report in if experiencing the same.

It'd be great to get a recipe going for how to get back to making this all work with newer kernels.

Thanks again to INTC for making all of this possible :smirk_cat:.

goodboy avatar Nov 13 '20 14:11 goodboy

@goodboy you need to add msr.allow_writes=on to your kernel parameters and reboot. After reboot it should show it as below:

cat /proc/cmdline
BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.8.18-300.fc33.x86_64 ... msr.allow_writes=on

The way to do it depends on the distro. On Fedora, for example:

sudo vim /etc/default/grub

append msr.allow_writes=on" to the end of the GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora_localhost-live/root rhgb quiet" line, and to apply it find the location of your grub.cfg file:

sudo find /boot -name grub.cfg

and place the location after the -o like below (do not just copy-paste):

sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

and reboot.

mkogan1 avatar Nov 15 '20 14:11 mkogan1

@mkogan1 agreed, this is what I quoted in the article as the workaround but I'm wondering is there a plan to follow and work with:

Should legitimate use-cases come up where writes to MSRs from user-space are still desired, they may add the infrastructure to selectively grant/deny access to specific MSRs and ensure they are sanitized by the kernel.

I'm thinking if the kernel team thinks MSR writes aren't the safest thing in the world then maybe projects like this should be mindful of that and try to find the safest way to allow users to work around hw manufacturers' terrible firmware and limitations.

For example the new commit adding MSR filtering allows user space to set the rules:

To allow user space to specify which MSRs it wants to see handled by KVM, this patch introduces a new ioctl to push filter rules with bitmaps into KVM. Based on these bitmaps, KVM can then decide whether to reject MSR access. With the addition of KVM_CAP_X86_USER_SPACE_MSR it can also deflect the denied MSR events to user space to operate on.

goodboy avatar Nov 17 '20 16:11 goodboy

I confirm adding msr.allow_writes=on fixes the problem for me.

antenore avatar Dec 18 '20 06:12 antenore

Sorry, but does this mean that, for kernels >= 5.9, we need no longer add msr.allow_writes=on to the system's boot string?

LinuxOnTheDesktop avatar Feb 17 '21 02:02 LinuxOnTheDesktop

Exactly yes.

erpalma avatar Feb 17 '21 11:02 erpalma

Right. Thanks. So should this issue not be closed?

LinuxOnTheDesktop avatar Feb 17 '21 12:02 LinuxOnTheDesktop

Well, actually that's just a temporary workaround. We still need a proper solution.

erpalma avatar Feb 17 '21 18:02 erpalma

Fedora 34 brings new issues with MSR and I do not seem to be able to find a solution. At the moment none of the above mentioned kernel parameters seems to fix the issue.

  • Kernel - 5.11.10-300.fc34.x86_64
  • throttled version - 0.8-3, installed from copr
  • Secure boot setting in BIOS - Disabled

lsm parameters:

lockdown,capability,yama,selinux

Systemctl status reported error:

Mar 29 13:35:34 fedora throttled[1161]: [E] Unable to write to MSR. Try to disable Secure Boot and check if your kernel does not restrict access to MSR.
Mar 29 13:35:34 fedora systemd[1]: throttled.service: Main process exited, code=exited, status=1/FAILURE
Mar 29 13:35:34 fedora systemd[1]: throttled.service: Failed with result 'exit-code'.

Attempted kernel parameters:

BOOT_IMAGE=(hd0,gpt4)/vmlinuz-5.11.10-300.fc34.x86_64 root=UUID=906d272f-a74d-4844-8ba3-03ea526bb9be ro rootflags=subvol=root rhgb quiet acpi_osi=!Linux-Lenovo-NV-HDMI-Audio lsm=capability,yama,selinux

BOOT_IMAGE=(hd0,gpt4)/vmlinuz-5.11.10-300.fc34.x86_64 root=UUID=906d272f-a74d-4844-8ba3-03ea526bb9be ro rootflags=subvol=root rhgb quiet acpi_osi=!Linux-Lenovo-NV-HDMI-Audio msr.allow_writes=on

I am using Lenovo T490 with both Manjaro Stable 21.0 and Fedora 34 Beta. On Manjaro with kernel 5.11, the kernel parameter msr.allow_writes=on works well. I have no clue why this is not the case with Fedora 34.

lakotamm avatar Mar 29 '21 11:03 lakotamm
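
A read-only check of the two settings this thread points at (the msr.allow_writes parameter and the lockdown LSM), as an added example that is not part of any comment above or of throttled itself. The function names are made up for illustration, and it assumes the standard /proc/cmdline, /sys/module/msr/parameters/allow_writes and /sys/kernel/security/lockdown files, the latter two usually readable by root only.

```python
#!/usr/bin/env python3
"""Report the kernel settings that gate user-space MSR writes (added example)."""
import re
from pathlib import Path

# Standard kernel interfaces; the two /sys files are usually root-readable only.
CMDLINE = Path("/proc/cmdline")
ALLOW_WRITES = Path("/sys/module/msr/parameters/allow_writes")
LOCKDOWN = Path("/sys/kernel/security/lockdown")


def cmdline_allow_writes(cmdline):
    """Return the last msr.allow_writes= value on the command line, or None."""
    found = re.findall(r"(?:^|\s)msr\.allow_writes=(\S+)", cmdline)
    return found[-1] if found else None


def active_lockdown(text):
    """Parse e.g. 'none [integrity] confidentiality' and return the bracketed mode."""
    m = re.search(r"\[(\w+)\]", text or "")
    return m.group(1) if m else None


def diagnose(cmdline, allow_writes, lockdown):
    """Return (verdict, reason); verdict is 'blocked', 'allowed' or 'logged'."""
    mode = active_lockdown(lockdown)
    if mode in ("integrity", "confidentiality"):
        # Lockdown is checked before msr.allow_writes, so it wins.
        return "blocked", f"kernel lockdown is active ({mode})"
    # Prefer the live module parameter; fall back to the boot command line.
    effective = (allow_writes or cmdline_allow_writes(cmdline) or "default").strip()
    if effective == "off":
        return "blocked", "msr.allow_writes=off"
    if effective == "on":
        return "allowed", "msr.allow_writes=on"
    return "logged", "msr.allow_writes=default: writes are logged in dmesg"


def read(path):
    try:
        return path.read_text()
    except OSError:  # file missing, msr module not loaded, or not running as root
        return None


if __name__ == "__main__":
    verdict, reason = diagnose(read(CMDLINE) or "", read(ALLOW_WRITES), read(LOCKDOWN))
    print(f"MSR writes: {verdict} ({reason})")
```

Run it as root so the module parameter and lockdown state can be read; without them it falls back to what the boot command line says.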