[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ce2badca-089d-34de-c929-075fe75fc0e9@intel.com>
Date: Tue, 30 May 2023 10:19:17 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Tim Wiederhake <twiederh@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, x86@...nel.org
Subject: Re: [PATCH v2] x86/msr: Allow unprivileged read access to some MSRs
On 5/30/23 03:23, Tim Wiederhake wrote:
> Expose some non-security sensitive MSRs through sysfs to allow access
> for unprivileged processes. This also helps other programs that are
> interested in IA32_EFER for x86-64-v1 detection.
Did you mean "sysfs" or "sysctl"?
I'm still on the fence about whether we should do this. This seems
_marginally_ better than the /dev approach.
But whatever we do we need some *VERY* explicit, tight rules about what
can be exposed via this interface in the future. We absolutely can't
have folks adding to this in the future without following those rules.
A lot of this is implicit in the implementation and even the ABI, but
let's say them out loud, please:
* The MSRs must be read-only. If they are read-write, the snapshot
can get out of date. This can be guaranteed by either:
* Never being written at runtime after they are snapshotted, or
preferably:
* Being defined to be read-only (wrmsr just doesn't work)
* The MSRs must be have the same exact value on all CPUs (because
there is only one file per MSR)
* The value must be static. Not only read-only from the software
point of view, but the hardware and hypervisor must also promise not
to change it.
The first two seem doable. I'm not sure how we deal with the third,
though, especially in the case of microcode updates or clever hypervisors.
Powered by blists - more mailing lists