Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-12-27 17:04:35 -05:00
Code Issues Projects Releases Packages Wiki Activity

Update docs on CPU MSRs

Browse source
This commit is contained in:
raja-grewal 2025-12-12 02:03:23 +00:00 committed by GitHub
parent ab2d44677a
commit fe1cfcd1a0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -383,7 +383,8 @@ Hardware modules:
- Optional - Bluetooth: Disabled to reduce attack surface.
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
- Optional - CPU MSRs: Disabled as can be abused to access other trust domains
and write to arbitrary memory.
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.

4
etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
View file

@ -42,9 +42,11 @@
#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Can disable CPU MSRs as they can be abused to write to arbitrary memory.
## User-level read access to MSRs can allow malicious unprivileged applications to access other trust domains.
## MSRs can also be abused to write to arbitrary memory.
##
## https://en.wikipedia.org/wiki/Model-specific_register
## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/running-average-power-limit-energy-reporting.html
## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215