Kernel panic is a software routine. It should be executed by the kernel
itself. The MCE handler decides whether the system should panic or not based on
the exception that happened. If you disable MCE and the aforementioned file is
the only place that is called upon identifying such exceptions, the panic will
not happen at all.
And by the way I agree with their concern regarding exposing log messages to
malicious processes. But I would expect them to refer to an study, blog post,
article, code example, etc, to show that how this concern can be valid in real
Thanks anyhow since we could be missing something in theory.
To verify, grepping the source code (or probably enough grepping the security-misc source code) for kernel parameters which should be used or not used would work (which I’ve just done but anyone else welcome to check this as well).
You could argue that the scope of security-misc should be limited and that cold boot attack defense should be a separate package instead. Then security-misc could disable kexec and cold boot attack defense could re-enable it.
That would allow cold boot attack defense to only be enabled on host operating systems. It would get installed on Kicksecure host operating systems by default but could be omitted in VMs (as it seems it’s not useful there except for development and testing).