On Fri, Oct 16, 2020 at 03:36:12PM +0200, Antony Antony wrote: > redact XFRM SA secret in the netlink response to xfrm_get_sa() > or dumpall sa. > Enable this at build time and set kernel lockdown to confidentiality.
Wouldn't it be better to enable is at boot or runtime? This defaults to 'No' at build time, so distibutions will not compile it in. That means that noone who uses a kernel that comes with a Linux distribution can use that.
