Re: [kernel-hardening] [PATCH 0/5] RFC: Public key encryption of dmesg by the kernel

From: Jann Horn
Date: Sat Dec 30 2017 - 16:43:15 EST


On Sat, Dec 30, 2017 at 6:57 PM, Dan Aloni <dan@xxxxxxxxxxxx> wrote:
> From: Dan Aloni <dan@xxxxxxxxxxxx>
>
> Hi All,
>
> There has been a lot of progress in recent times regarding the removal
> of sensitive information from dmesg (pointers, etc.), so I figured - why
> not encrypt it all? However, I have not found any existing discussions
> or references regarding this technical direction.
>
> I am not sure that desktop and power users would like to have their
> kernel messages encrypted, but there are scenarios such as in mobile
> devices, where only the developers, makers of devices, may actually
> benefit from access to kernel print messages, and the users may be
> more protected from exploits.

What is the benefit of your approach compared to setting
dmesg_restrict=1 or something like that and letting userland decide
who should get access to raw dmesg output and in what form?