From: bauen1 <j2468h@googlemail.com>
To: "Rafael J. Wysocki" <rafael@kernel.org>,
"Artem S. Tashkinov" <aros@gmx.com>
Cc: x86@kernel.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-pm@vger.kernel.org, linux-efi@vger.kernel.org,
linux-security-module@vger.kernel.org,
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>,
"Zhang, Rui" <rui.zhang@intel.com>
Subject: Re: Subject: x86/msr + lockdown: allow access to **documented** RAPL/TCC controls under Secure Boot
Date: Wed, 11 Mar 2026 13:18:36 +0100
Message-ID: <e61419d0-4f7b-40f9-8e90-fbe5aaaa6dd8@gmail.com>
In-Reply-To: <CAJZ5v0hokpC_2E77nrm2KHeOdhhH6qvYsg3wCQpTEG=PCim=ww@mail.gmail.com>
On 3/9/26 4:13 PM, Rafael J. Wysocki wrote:
> On Mon, Mar 9, 2026 at 1:24 PM Artem S. Tashkinov <aros@gmx.com> wrote:
>>
>> Hello,
>>
>> When Secure Boot is enabled and kernel lockdown is active, the x86 MSR
>> driver blocks all raw MSR access from user space via `/dev/cpu/*/msr`.
>> This effectively prevents legitimate use of documented CPU power and
>> thermal management interfaces such as RAPL power limits (PL1/PL2) and
>> the TCC/TjOffset control. These registers are part of Intel’s
>> **publicly** documented architectural interface and have been stable
>> across many generations of processors.
>
> There is a power capping RAPL driver. What's the problem with it with
> Secure Boot enabled?
Hello,
I believe that the comment about Secure Boot might come from the partially
incorrect documentation of lockdown:
https://lore.kernel.org/linux-security-module/20260203195001.20131-1-hi@alyssa.is/
> -On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> -if the system boots in EFI Secure Boot mode.
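Review bot: in the quoted part of this hunk the two lines are removed with no replacement, which leaves the lockdown document with nothing at all about when lockdown gets enabled. Rather than just deleting the sentence, the commit message's own point (Fedora carries this behaviour, mainline never did because Linus rejected it) could be stated in its place, for example: "Mainline does not enable lockdown automatically when the system boots in EFI Secure Boot mode; some distributions (e.g. Fedora) carry out-of-tree patches that do." That keeps the documentation accurate for both kinds of kernel instead of silent on the question.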
> This is true for Fedora, where this page was sourced from, but I don't
> believe it has ever been true for the mainline kernel, because Linus
> rejected it.
>
>> As a result, under Secure Boot Linux users lose the ability to read or
>> adjust **standard** power-management controls that remain available
>> through equivalent tooling on other operating systems.
>
> The power capping RAPL driver is there, please use it. It is documented even.
>
> There is also a driver for TCC/TjOffset control, it is called intel_tcc_cooling.
>
> And there are utilities in user space (for example, Intel thermald)
> that use those interfaces.
>
>> The current all-or-nothing restriction appears broader than necessary
>> for the stated goal of protecting kernel integrity. MSRs associated with
>> power limits and TCC offset are not privileged debugging or microcode
>> interfaces but standard hardware configuration knobs intended for
>> platform power and thermal management.
>>
>> It would be useful if the kernel either allowed access to a small
>> whitelist of such documented registers under lockdown or exposed a
>> mediated kernel interface for adjusting them. Without such a mechanism,
>> Secure Boot effectively disables legitimate and widely used
>> power/thermal tuning functionality on modern Intel laptops.
>>
>> Most (if not all) Intel laptops don't expose or allow configuring
>> PL1/PL2 limits in BIOS/EFI either.
>
> Because it is not necessary to do so.
>
--
bauen1
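As an added example (not code from this thread, nor from the intel_rapl or intel_tcc_cooling drivers), the mediated interface Rafael points to can be used from a shell with no raw MSR access at all: the script reads the active lockdown mode from securityfs, lists the RAPL package limits (the driver names PL1 `long_term` and PL2 `short_term`) through the powercap sysfs tree, and writes a new limit only after checking it against the hardware maximum the zone reports. The `POWERCAP_ROOT`/`LOCKDOWN_FILE` overrides and the function names are my own, chosen so the script can be run against a constructed copy of the tree.

```shell
#!/bin/sh
# Added example, not code from the thread: talk to RAPL through the
# powercap sysfs tree (intel_rapl driver) instead of /dev/cpu/*/msr,
# which lockdown blocks. Both roots can be overridden so the functions
# can be exercised against a constructed copy of the tree.
POWERCAP_ROOT="${POWERCAP_ROOT:-/sys/class/powercap}"
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Active lockdown mode: securityfs lists all modes with the active one in
# brackets, e.g. "none [integrity] confidentiality". "unknown" if absent.
lockdown_mode() {
    [ -r "$LOCKDOWN_FILE" ] || { echo unknown; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$LOCKDOWN_FILE"
}

# One "<zone> <constraint> <watts> W" line per RAPL constraint. The driver
# names the PL1 constraint long_term and PL2 short_term; limits are in uW.
rapl_limits() {
    for zone in "$POWERCAP_ROOT"/intel-rapl:*; do
        [ -r "$zone/name" ] || continue
        zname=$(cat "$zone/name")
        for f in "$zone"/constraint_*_power_limit_uw; do
            [ -r "$f" ] || continue
            c=${f%_power_limit_uw}
            uw=$(cat "$f")
            printf '%s %s %d.%03d W\n' "$zname" "$(cat "${c}_name")" \
                $(( uw / 1000000 )) $(( (uw % 1000000) / 1000 ))
        done
    done
}

# Write a limit (watts) to constraint <idx> of <zone-dir>; needs root on a
# real system. Refuses values above the hardware maximum the zone reports.
set_rapl_limit() {
    zone=$1; idx=$2; uw=$(( $3 * 1000000 ))
    maxf="$zone/constraint_${idx}_max_power_uw"
    if [ -r "$maxf" ] && [ "$uw" -gt "$(cat "$maxf")" ]; then
        echo "refusing $3 W: above max $(cat "$maxf") uW" >&2
        return 1
    fi
    printf '%s\n' "$uw" > "$zone/constraint_${idx}_power_limit_uw"
}

case "${1:-}" in
    show) echo "lockdown: $(lockdown_mode)"; rapl_limits ;;
    set)  set_rapl_limit "$POWERCAP_ROOT/$2" "$3" "$4" ;;  # e.g. set intel-rapl:0 0 28
esac
```

Run as `sh rapl.sh show` to list limits, or `sudo sh rapl.sh set intel-rapl:0 0 28` to set PL1 to 28 W; neither path touches the msr device, so both keep working with lockdown in integrity mode.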
Thread overview: 3+ messages
2026-03-09 12:24 Subject: x86/msr + lockdown: allow access to **documented** RAPL/TCC controls under Secure Boot Artem S. Tashkinov
2026-03-09 15:13 ` Rafael J. Wysocki
2026-03-11 12:18 ` bauen1 [this message]