[PATCH 06/32] powerpc/configs/64s: Add secure boot options to defconfig

Andrew Donnellan ajd at linux.ibm.com
Mon Apr 17 15:06:44 AEST 2023

On Mon, 2023-04-17 at 13:38 +1000, Michael Ellerman wrote:
> > Can we add CONFIG_PPC_SECVAR_SYSFS=y as well?
> We can.
> But would it make more sense to just make PPC_SECVAR_SYSFS a hidden
> symbol? Is there really any reason someone would want to turn it off?

[+ Russell, Nayna, George]

I think it's conceivable that you may want to build a kernel that has
no ability for userspace to read/write to the key store at all as a
defence in depth measure in hardened environments, but I haven't
thought about this for more than 15 seconds, so opinions welcome.

Andrew Donnellan    OzLabs, ADL Canberra
ajd at linux.ibm.com   IBM Australia Limited

More information about the Linuxppc-dev mailing list