As per linux - Methods root can use to elevate itself to kernel mode - Information Security Stack Exchange, we should disable CPU MSRs.
MSRs are only exposed when the msr module is loaded so we can blacklist that module to prevent them from being abused.