Linux Patches Look To Restrict Modules From Poking Certain Registers, Using Select Instructions

The Linux kernel was launched last year tighten the writing ability to select the CPU MSR from the user space. This restriction of user space access to selected registers is done in the name of security, as well as the reluctance of user space to accidentally or maliciously breach certain MSRs that can cause kernel behavior problems. There are now some still merged patches in the kernel space that would place some new restrictions on kernel modules around punching certain registers or using selected CPU instructions.

Originally written last April and now in line as part of its own branch, longtime kernel developer Peter Zijlstra has patches that place new constraints on kernel modules.

One change is yes disable some instructions for CPL0. What started with the desire to prohibit modules from tracking the global descriptor table (GDT) or returning to the user space, additional precautions are a mistake if a module tries to change the state of the registry or confuse the base of the FS / GS.

It is an additional patch detection of CRn and DRn manipulation. This job is to disable the writing of kernel modules to manage CRN / XCRn and debug DRn registers. It is desirable to use the right accessories, instead of directly tracking these control / debugging registers.

For now, these stickers are part of Zijlstra x86 / module code, but we’ll see if they move to the baseline soon enough, trying to impose clean behavior on the kernel module.