[PATCH 06/32] powerpc/configs/64s: Add secure boot options to defconfig
Andrew Donnellan
ajd at linux.ibm.com
Mon Apr 17 15:06:44 AEST 2023
On Mon, 2023-04-17 at 13:38 +1000, Michael Ellerman wrote:
> > Can we add CONFIG_PPC_SECVAR_SYSFS=y as well?
>
> We can.
>
> But would it make more sense to just make PPC_SECVAR_SYSFS a hidden
> symbol? Is there really any reason someone would want to turn it off?
[+ Russell, Nayna, George]
I think it's conceivable that you may want to build a kernel that has
no ability for userspace to read/write to the key store at all as a
defence in depth measure in hardened environments, but I haven't
thought about this for more than 15 seconds, so opinions welcome.
--
Andrew Donnellan OzLabs, ADL Canberra
ajd at linux.ibm.com IBM Australia Limited