On Mon, 2023-04-17 at 13:38 +1000, Michael Ellerman wrote:
> > Can we add CONFIG_PPC_SECVAR_SYSFS=y as well?
>
> We can.
>
> But would it make more sense to just make PPC_SECVAR_SYSFS a hidden
> symbol? Is there really any reason someone would want to turn it off?

[+ Russell, Nayna, George]

I think it's conceivable that you may want to build a kernel that has
no ability for userspace to read/write to the key store at all as a
defence in depth measure in hardened environments, but I haven't
thought about this for more than 15 seconds, so opinions welcome.

--
Andrew Donnellan    OzLabs, ADL Canberra
a...@linux.ibm.com   IBM Australia Limited