On Tue, Sep 8, 2020 at 1:35 PM Andy Lutomirski <l...@amacapital.net> wrote:
> Undervolting is a bit different. It’s a genuinely useful configuration that
> can affect system stability. In general, I think it should be allowed, and
> it should have a real driver in tree.

Agree that this should be a proper driver rather than permitting arbitrary poking (especially if this isn't an architecturally defined MSR - there's no guarantee that it'll have the same functionality everywhere).

> But this has a tricky interaction with lockdown. An interface that allows
> root to destabilize a system may well allow root to escalate privileges. But
> I think that making lockdown=integrity prevent tuning voltages and such would
> be quite obnoxious.

Indeed - plundervolt.com is a demonstration of this. Any realistic attack involves being able to drop the voltage enough to interfere with a calculation and then raise it again before everything else falls over, so simply applying some rate limiting seems like it would be sufficient.

> Should there perhaps be a separate lockdown bit for stability?

If it's a sysfs interface then I think it'd be easy enough for people who care to just add an SELinux or Apparmor rule, tbh.
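The rate limiting suggested in the reply above, as a userspace C model added here (not kernel code, and not from this thread); the one-second interval, the offset bound and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed userspace model of a rate-limited voltage-offset interface.
 * Not kernel code; limits and names are assumptions for illustration. */
#define MIN_CHANGE_INTERVAL_MS 1000  /* at most one accepted change per second */
#define MAX_UNDERVOLT_MV       250   /* largest negative offset accepted */

struct undervolt_state {
    uint64_t last_change_ms;  /* time of the last accepted change */
    int      current_mv;      /* offset currently applied (<= 0) */
    bool     changed_once;    /* false until the first accepted write */
};

/* Policy for a write to the hypothetical sysfs attribute. Returns true and
 * records the new offset if accepted. Refuses positive offsets, offsets
 * beyond the bound, and any change arriving sooner than
 * MIN_CHANGE_INTERVAL_MS after the previous accepted one. */
bool undervolt_write(struct undervolt_state *s, uint64_t now_ms, int offset_mv)
{
    if (offset_mv > 0 || offset_mv < -MAX_UNDERVOLT_MV)
        return false;
    if (s->changed_once && now_ms - s->last_change_ms < MIN_CHANGE_INTERVAL_MS)
        return false;
    s->last_change_ms = now_ms;
    s->current_mv = offset_mv;
    s->changed_once = true;
    return true;
}

/* Constructed scenario: a slow tuning step, then a dip followed 3 ms later by
 * a request to restore the voltage. The restore is refused, so the system is
 * left at the dipped voltage rather than bouncing back. Returns the number of
 * accepted writes (2) and the final offset via *final_mv. */
int demo_dip_and_restore(int *final_mv)
{
    struct undervolt_state s = {0};
    int accepted = 0;
    accepted += undervolt_write(&s, 0, -50);     /* accepted: first change */
    accepted += undervolt_write(&s, 5000, -200); /* accepted: 5 s later */
    accepted += undervolt_write(&s, 5003, -50);  /* refused: too soon */
    if (final_mv)
        *final_mv = s.current_mv;
    return accepted;
}
```

The point of the scenario is that a rapid dip-and-restore pair is what makes the attack usable; with the restore refused, the dipped voltage persists and the machine is more likely to crash than to yield a faulty result.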