From: "Artem S. Tashkinov" <aros@gmx.com>
To: x86@kernel.org
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-pm@vger.kernel.org, linux-efi@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Subject: x86/msr + lockdown: allow access to **documented** RAPL/TCC controls under Secure Boot
Date: Mon, 9 Mar 2026 12:24:03 +0000 [thread overview]
Message-ID: <2780abfc-39d1-4441-833c-65e66f747054@gmx.com> (raw)
Hello,
When Secure Boot is enabled and kernel lockdown is active, the x86 MSR
driver blocks all raw MSR access from user space via `/dev/cpu/*/msr`.
This effectively prevents legitimate use of documented CPU power and
thermal management interfaces such as RAPL power limits (PL1/PL2) and
the TCC/TjOffset control. These registers are part of Intel’s
**publicly** documented architectural interface and have been stable
across many generations of processors.
As a result, under Secure Boot Linux users lose the ability to read or
adjust **standard** power-management controls that remain available
through equivalent tooling on other operating systems.
The current all-or-nothing restriction appears broader than necessary
for the stated goal of protecting kernel integrity. MSRs associated with
power limits and TCC offset are not privileged debugging or microcode
interfaces but standard hardware configuration knobs intended for
platform power and thermal management.
It would be useful if the kernel either allowed access to a small
whitelist of such documented registers under lockdown or exposed a
mediated kernel interface for adjusting them. Without such a mechanism,
Secure Boot effectively disables legitimate and widely used
power/thermal tuning functionality on modern Intel laptops.
Most (if not all) Intel laptops don't expose or allow to configure
PL1/PL2 limits in BIOS/EFI either.
This is being tracked here:
https://bugzilla.kernel.org/show_bug.cgi?id=221192
Regards,
Artem
next reply other threads:[~2026-03-09 12:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 12:24 Artem S. Tashkinov [this message]
2026-03-09 15:13 ` Subject: x86/msr + lockdown: allow access to **documented** RAPL/TCC controls under Secure Boot Rafael J. Wysocki
2026-03-11 12:18 ` bauen1
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2780abfc-39d1-4441-833c-65e66f747054@gmx.com \
--to=aros@gmx.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox