It's even better - you just need to change your boot parameters.
> This behavior right now can be toggled via the msr.allow_writes= kernel module paramrter with on/off/default. Should legitimate use-cases come up where writes to MSRs from user-space are still desired, they may add the infrastructure to selectively grant/deny access to specific MSRs and ensure they are sanitized by the kernel.
Similar hardware restrictions already exists in the kernel, for example, by default the kernel restricts access to I/O memory since it's a dangerous, low-level zone, but if you really need to for some reasons (e.g. reflash your BIOS), you can boot with "iomem=relaxed" to turn it off. Treating MSR registers in the same way is very reasonable.
Is there any clarification on how this MSR whitelisting will be implemented by end users? Or is there just going to be the global "allow_writes" parameters? I'd assume too that even with that parameter set to on, programs accessing the MSRs will still need the SYS_RAWIO capability.
> This behavior right now can be toggled via the msr.allow_writes= kernel module paramrter with on/off/default. Should legitimate use-cases come up where writes to MSRs from user-space are still desired, they may add the infrastructure to selectively grant/deny access to specific MSRs and ensure they are sanitized by the kernel.
Similar hardware restrictions already exists in the kernel, for example, by default the kernel restricts access to I/O memory since it's a dangerous, low-level zone, but if you really need to for some reasons (e.g. reflash your BIOS), you can boot with "iomem=relaxed" to turn it off. Treating MSR registers in the same way is very reasonable.