Move (optional) CPU MSR module disable list

README.md

@@ -344,6 +344,8 @@ Hardware modules:
 
 - Optional - Bluetooth: Disabled to reduce attack surface.
 
+- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
+
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
 
 - GPS: Disable GPS-related modules such as those required for Global Navigation
@@ -373,8 +375,6 @@ Miscellaneous modules:
 
 - Amateur Radios: Disabled to reduce attack surface.
 
-- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
-
 - Floppy Disks: Disabled to reduce attack surface.
 
 - Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause

etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared

@@ -41,6 +41,18 @@
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc
 #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
 
+## CPU Model-Specific Registers (MSRs):
+## Can disable CPU MSRs as they can be abused to write to arbitrary memory.
+##
+## https://en.wikipedia.org/wiki/Model-specific_register
+## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+##
+#install intel_rapl_msr /usr/bin/disabled-cpumsr-by-security-misc
+#install isst_if_mbox_msr /usr/bin/disabled-cpumsr-by-security-misc
+#install msr /usr/bin/disabled-cpumsr-by-security-misc
+
 ## FireWire (IEEE 1394):
 ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks.
 ##
@@ -251,18 +263,6 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc
 ##
 install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
 
-## CPU Model-Specific Registers (MSRs):
-## Can disable CPU MSRs as they can be abused to write to arbitrary memory.
-##
-## https://en.wikipedia.org/wiki/Model-specific_register
-## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html
-## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-## https://github.com/Kicksecure/security-misc/issues/215
-##
-#install intel_rapl_msr /usr/bin/disabled-miscellaneous-by-security-misc
-#install isst_if_mbox_msr /usr/bin/disabled-miscellaneous-by-security-misc
-#install msr /usr/bin/disabled-miscellaneous-by-security-misc
-
 ## Floppy Disks:
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc

usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This CPU MSR kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1