Software Tuning, Performance Optimization & Platform Monitoring
Discussion around monitoring and software tuning methodologies, Performance Monitoring Unit (PMU) of Intel microprocessors, and platform monitoring

Is MSR access in only-read mode safe?

hervem
Beginner

Hello,

I developed a tool based on (Linux) rdmsr to read some MSR registers (RAPL), and I would like to have this tool installed on large computing clusters.

I know that allowing read AND write of MSR registers for all the users is not safe, mainly due to the write capability.

I suppose that allowing only read (even for all users) is safe, but I failed to find literature on it.

Is there any? Is it obvious?

Thanks in advance for your help,

hervem

McCalpinJohn
Black Belt

"Safe" can mean several different things in this context....

Write access to MSRs can fairly easily crash a system.  Read access to MSRs should not be able to crash a system.

Read access to MSRs opens a fair number of security risks.

The project https://github.com/LLNL/msr-safe provides the ability to grant different permissions to different MSRs. Limiting the accessible MSRs to the ones of interest can reduce the uncertainty about security risks. I have not deployed this package on production systems, but had no trouble getting it to work properly on a test cluster.
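
One way to apply the "limit the accessible MSRs to the ones of interest" advice to a read-only RAPL tool, as an added example (not code from this thread or from the msr-safe project). It assumes the allowlist line format `<MSR address> <write mask> # comment` and an illustrative set of RAPL MSRs; adjust both to the deployed msr-safe version and to what the tool actually reads.

```python
import re

# Assumption: the RAPL MSRs a read-only energy tool needs (addresses from
# Intel's SDM); adjust to what the tool actually reads.
RAPL_READ_ONLY = {
    0x606: "MSR_RAPL_POWER_UNIT",
    0x611: "MSR_PKG_ENERGY_STATUS",
    0x619: "MSR_DRAM_ENERGY_STATUS",
    0x639: "MSR_PP0_ENERGY_STATUS",
}

# Assumed msr-safe allowlist line: "<msr address> <write mask> # comment"
ENTRY = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)")

def render_allowlist(msrs=RAPL_READ_ONLY):
    """Emit an allowlist whose write masks are all zero (no writable bits)."""
    lines = ["# MSR        Write Mask           # Comment"]
    for addr, name in sorted(msrs.items()):
        lines.append(f"0x{addr:08X}  0x{0:016X}  # {name}")
    return "\n".join(lines) + "\n"

def audit_allowlist(text, expected=RAPL_READ_ONLY):
    """Return (line, finding) pairs for entries beyond the read-only policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append((lineno, "unparseable entry"))
            continue
        addr, mask = int(m.group(1), 16), int(m.group(2), 16)
        if addr not in expected:
            findings.append((lineno, f"unexpected MSR 0x{addr:X}"))
        if mask != 0:
            findings.append((lineno, f"MSR 0x{addr:X} writable, mask 0x{mask:X}"))
    return findings

# Constructed sample: the generated list plus one writable and one extra MSR.
SAMPLE = render_allowlist() + (
    "0x00000610  0x00FFFFFF00FFFFFF  # MSR_PKG_POWER_LIMIT\n"
    "0x000001A0  0x0000000000000000  # IA32_MISC_ENABLE\n"
)

if __name__ == "__main__":
    for lineno, msg in audit_allowlist(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Running the audit over the allowlist deployed on each node before and after changes shows whether anything beyond the four read-only RAPL registers has become reachable.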

hervem
Beginner

Thanks for your help.

I agree, msr-safe is a good candidate to limit the risks. I have not used it yet.

BTW, in an HPC context users usually allocate nodes with exclusive access (not shared).
NB: If the node is not allocated in exclusive mode, you can have a look at what is running on the node (from yourself or not), with or without msr_read.

So "safe" could be understood as:
By using (only) msr_read, can we access information we should not access as a basic user (e.g. passwords, code and data of other users)? Or can we modify the cluster's behavior?
I would say NO, but perhaps I am wrong.
