On Sat, Jan 30, 2021 at 12:35:10AM +0530, Sai Prakash Ranjan wrote: > Here the idea is to protect such important information from all users > including root users since root privileges does not have to mean full > control over the kernel [1] and root compromise does not have to be > the end of the world. And yet, your thing lacks: > +config EXCLUDE_KERNEL_HW_ITRACE > + bool "Exclude kernel mode hardware assisted instruction tracing" > + depends on PERF_EVENTS depends on SECURITY_LOCKDOWN or whatever the appropriate symbol is. > + help > + Exclude kernel mode instruction tracing by hardware tracing > + family such as ARM Coresight ETM, Intel PT and so on. > + > + This option allows to disable kernel mode instruction tracing > + offered by hardware assisted tracing for all users(including root) > + especially for production systems where only userspace tracing might > + be preferred for security reasons. Also, colour me unconvinced, pretty much all kernel level PMU usage can be employed to side-channel / infer crypto keys, why focus on ITRACE over others?
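Review bot: the help text of EXCLUDE_KERNEL_HW_ITRACE gives its scope only as "hardware tracing family such as ARM Coresight ETM, Intel PT and so on", so someone enabling it on a production system cannot tell which tracing drivers are covered, or what a request for kernel mode tracing gets back once the option is set. Suggest naming the covered drivers (or the criterion that selects them) and stating the resulting behaviour in the help text. The entry is a bool with only "depends on PERF_EVENTS" visible, so it is a build-time choice with no default line shown; the help text should say that explicitly, since it is offered as a restriction that applies to root as well. Minor wording: "allows to disable" reads better as "disables", and "users(including root)" needs a space before the parenthesis.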