From 79be87ec5f2cb22a98ada179b3aa97dfd58299e0 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Fri, 21 Nov 2025 13:05:13 +0000
Subject: [PATCH] Move (optional) CPU MSR module disable list
---
 README.md | 4 ++--
 ...ity-misc_disable.conf#security-misc-shared | 24 +++++++++----------
 ...umsr-by-security-misc#security-misc-shared | 10 ++++++++
 3 files changed, 24 insertions(+), 14 deletions(-)
 create mode 100755 usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared
diff --git a/README.md b/README.md
index 5ee8c50..1499540 100644
--- a/README.md
+++ b/README.md
@@ -344,6 +344,8 @@ Hardware modules:
 - Optional - Bluetooth: Disabled to reduce attack surface.
+- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
+
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
 - GPS: Disable GPS-related modules such as those required for Global Navigation
@@ -373,8 +375,6 @@ Miscellaneous modules:
 - Amateur Radios: Disabled to reduce attack surface.
-- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
-
 - Floppy Disks: Disabled to reduce attack surface.
 - Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
index 2fc6ce5..ce3adae 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
+++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
@@ -41,6 +41,18 @@ #install btusb /usr/bin/disabled-bluetooth-by-security-misc
 #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
+## CPU Model-Specific Registers (MSRs):
+## Can disable CPU MSRs as they can be abused to write to arbitrary memory.
+##
+## https://en.wikipedia.org/wiki/Model-specific_register
+## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+##
+#install intel_rapl_msr /usr/bin/disabled-cpumsr-by-security-misc
+#install isst_if_mbox_msr /usr/bin/disabled-cpumsr-by-security-misc
+#install msr /usr/bin/disabled-cpumsr-by-security-misc
+
 ## FireWire (IEEE 1394):
 ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks.
 ##
@@ -251,18 +263,6 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc
 ##
 install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
-## CPU Model-Specific Registers (MSRs):
-## Can disable CPU MSRs as they can be abused to write to arbitrary memory.
-##
-## https://en.wikipedia.org/wiki/Model-specific_register
-## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html
-## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-## https://github.com/Kicksecure/security-misc/issues/215
-##
-#install intel_rapl_msr /usr/bin/disabled-miscellaneous-by-security-misc
-#install isst_if_mbox_msr /usr/bin/disabled-miscellaneous-by-security-misc
-#install msr /usr/bin/disabled-miscellaneous-by-security-misc
-
 ## Floppy Disks:
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
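Review bot: The relocated `#install msr` entry (and the two sibling MSR entries above it) only has an effect when the driver is a loadable module; on a kernel that builds it in (CONFIG_X86_MSR=y) the directive is silently a no-op and /dev/cpu/*/msr stays available, which the comment block introducing the option does not say. Since the block is presented as an opt-in hardening step, a reader who uncomments it should know to verify the outcome rather than assume it, so I would add `## Note: install directives only affect loadable modules; a kernel built with CONFIG_X86_MSR=y still exposes /dev/cpu/*/msr.` after the issue link. The switch of the target from disabled-miscellaneous-by-security-misc to disabled-cpumsr-by-security-misc is consistent with the new script added in this patch.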
diff --git a/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared b/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared
new file mode 100755
index 0000000..a6b0223
--- /dev/null
+++ b/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This CPU MSR kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1
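Review bot: In the echo line, `$@` is embedded inside a double-quoted string, which expands to one word per argument rather than a single joined string (ShellCheck SC2145); echo happens to re-join the words with spaces, so the output is unaffected today, but the construct breaks as soon as the line is moved to printf or a logger call. Use `$*` for the joined form and let printf carry the data as an argument rather than part of the format: `printf '%s: ALERT: This CPU MSR kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: %s\n' "$0" "$*" >&2`. The path printed in the message omits the `#security-misc-shared` suffix that the config file carries in the tree; presumably that suffix is stripped at packaging time as for the other disabled-*-by-security-misc helpers this script mirrors, but that is worth confirming since the message is the user's only pointer to the file.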