Re: [PATCH v8 2/4] virt: Add efi_secret module to expose confidential computing secrets

From: Gerd Hoffmann
Date: Tue Mar 01 2022 - 07:24:47 EST

Next message: Sudeep Holla: "Re: [PATCH v5] cpuidle: sunplus: Create cpuidle driver for sunplus sp7021"
Previous message: Xiaomeng Tong: "Re: [PATCH 5/6] net/core: remove iterator use outside the loop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Feb 28, 2022 at 11:42:52AM +0000, Dov Murik wrote:
> The new efi_secret module exposes the confidential computing (coco)
> EFI secret area via securityfs interface.
>
> When the module is loaded (and securityfs is mounted, typically under
> /sys/kernel/security), a "secrets/coco" directory is created in
> securityfs. In it, a file is created for each secret entry. The name
> of each such file is the GUID of the secret entry, and its content is
> the secret data.
>
> This allows applications running in a confidential computing setting to
> read secrets provided by the guest owner via a secure secret injection
> mechanism (such as AMD SEV's LAUNCH_SECRET command).
>
> Removing (unlinking) files in the "secrets/coco" directory will zero out
> the secret in memory, and remove the filesystem entry. If the module is
> removed and loaded again, that secret will not appear in the filesystem.
>
> Signed-off-by: Dov Murik <dovmurik@xxxxxxxxxxxxx>

Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

Next message: Sudeep Holla: "Re: [PATCH v5] cpuidle: sunplus: Create cpuidle driver for sunplus sp7021"
Previous message: Xiaomeng Tong: "Re: [PATCH 5/6] net/core: remove iterator use outside the loop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]