On Wed, 23 Nov 2016, Borislav Petkov wrote:
> On Wed, Nov 23, 2016 at 11:29:51AM -0200, Henrique de Moraes Holschuh wrote:
> > 1. Assuming we can do it, always lock it when it is found to be unlocked
> > at kernel boot.
>
> Because...?

Privacy, and the fact that /dev/cpu/msr exists and is enabled on almost all
general-use distros.

> > 2. Not attempt to change its state from disabled to enabled *unless*
> > given a command line parameter authorizing it. A kconfig-based
> > solution for default+command line override would also work well IMHO,
> > if it makes more sense.
>
> You can't re-enable it:

Yeah, I just found the description for that thing in the IA32 manual. It can
be disabled + unlocked, disabled + locked, or enabled + unlocked. Once locked,
it will stay disabled until the next reboot.

However, the manual makes it clear we are _not_ supposed to leave it
enabled + unlocked. Apparently, we're supposed to do our business and
disable+lock it (i.e. enable, read and store/process, disable+lock).

Looks like it is supposed to be used in a way that protects privacy by making
it very hard for general-use software to depend on it existing and being
enabled.

-- 
Henrique Holschuh
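A small C model of the lock semantics described in the message above, added here as an illustration; it is not part of the thread or of any kernel patch. It emulates the control register in memory only (no real MSR access), the bit names CTL_LOCK/CTL_ENABLE and their positions are assumptions, and the sample value is constructed. It encodes the three states the message lists (lock is sticky until reboot, enabled+locked does not exist), the enable/read/disable+lock sequence, and the proposed boot policy of locking anything found unlocked unless a read was explicitly authorised.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative bit layout (assumption: names and positions are made up for
 * this model and are not taken from the manual). */
#define CTL_LOCK   (1u << 0)   /* sticky until reboot; value stays disabled */
#define CTL_ENABLE (1u << 1)   /* value readable only while set */

struct model_cpu {
    uint32_t ctl;    /* emulated control register */
    uint64_t value;  /* the protected value (constructed sample) */
};

/* Emulated control write. Ignored when already locked, and refused for
 * enabled+locked, which is not one of the three states the message lists. */
static bool model_write_ctl(struct model_cpu *cpu, uint32_t newval)
{
    if (cpu->ctl & CTL_LOCK)
        return false;
    if ((newval & CTL_LOCK) && (newval & CTL_ENABLE))
        return false;
    cpu->ctl = newval & (CTL_LOCK | CTL_ENABLE);
    return true;
}

/* The value can only be read while ENABLE is set. */
static bool model_read_value(const struct model_cpu *cpu, uint64_t *out)
{
    *out = 0;
    if (!(cpu->ctl & CTL_ENABLE))
        return false;
    *out = cpu->value;
    return true;
}

/* The sequence the message attributes to the manual: enable, read,
 * disable+lock. Never returns with ENABLE left set; true only if a read happened. */
static bool model_read_and_lock(struct model_cpu *cpu, uint64_t *out)
{
    bool ok = false;
    *out = 0;
    if (cpu->ctl & CTL_LOCK)
        return false;                       /* found locked: unreadable until reboot */
    if (model_write_ctl(cpu, CTL_ENABLE))
        ok = model_read_value(cpu, out);
    (void)model_write_ctl(cpu, CTL_LOCK);   /* disable and lock in a single write */
    return ok;
}

/* Boot-time policy from the thread: read only when explicitly authorised
 * (the command line parameter); otherwise lock whatever was found unlocked,
 * which also covers an enabled+unlocked state left behind by firmware. */
static bool model_boot_policy(struct model_cpu *cpu, bool authorised, uint64_t *out)
{
    *out = 0;
    if (authorised)
        return model_read_and_lock(cpu, out);
    if (!(cpu->ctl & CTL_LOCK))
        (void)model_write_ctl(cpu, CTL_LOCK);
    return false;
}

/* Scenario checks; each returns true when the model behaves as described. */

/* Authorised read: value comes out, ends disabled+locked, re-enable refused. */
static bool scenario_authorised_read(void)
{
    struct model_cpu cpu = { .ctl = 0, .value = 0x1234abcdULL }; /* constructed */
    uint64_t v;
    bool got = model_boot_policy(&cpu, true, &v);
    return got && v == 0x1234abcdULL && cpu.ctl == CTL_LOCK
        && !model_write_ctl(&cpu, CTL_ENABLE) && !model_read_value(&cpu, &v);
}

/* Not authorised, found enabled+unlocked: must end disabled+locked, nothing read. */
static bool scenario_unauthorised_lock(void)
{
    struct model_cpu cpu = { .ctl = CTL_ENABLE, .value = 0x1234abcdULL };
    uint64_t v;
    bool got = model_boot_policy(&cpu, false, &v);
    return !got && v == 0 && cpu.ctl == CTL_LOCK && !model_read_value(&cpu, &v);
}

/* Found already locked (e.g. by firmware): even an authorised read yields nothing. */
static bool scenario_found_locked(void)
{
    struct model_cpu cpu = { .ctl = CTL_LOCK, .value = 0x1234abcdULL };
    uint64_t v;
    return !model_boot_policy(&cpu, true, &v) && v == 0 && cpu.ctl == CTL_LOCK;
}

int main(void)
{
    printf("authorised read:   %s\n", scenario_authorised_read() ? "ok" : "FAIL");
    printf("unauthorised lock: %s\n", scenario_unauthorised_lock() ? "ok" : "FAIL");
    printf("found locked:      %s\n", scenario_found_locked() ? "ok" : "FAIL");
    return 0;
}
```

The point of the model is the second scenario: with the policy applied, a machine whose firmware left the value enabled+unlocked reaches the same disabled+locked state as one that was never touched, so nothing reachable through /dev/cpu/msr can read it afterwards without a reboot.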