[RFC PATCH v2 2/3] efi: Reserve confidential computing secret area
Dov Murik
dovmurik at linux.ibm.com
Mon Jun 28 18:34:30 UTC 2021
When efi-stub copies an EFI-provided confidential computing secret area,
reserve that memory block for future use within the kernel.
Signed-off-by: Dov Murik <dovmurik at linux.ibm.com>
---
drivers/firmware/efi/Makefile | 2 +-
drivers/firmware/efi/confidential-computing.c | 41 +++++++++++++++++++
drivers/firmware/efi/efi.c | 5 +++
include/linux/efi.h | 4 ++
4 files changed, 51 insertions(+), 1 deletion(-)
create mode 100644 drivers/firmware/efi/confidential-computing.c
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
index 467e94259679..63f21f7351da 100644
--- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile
@@ -12,7 +12,7 @@ KASAN_SANITIZE_runtime-wrappers.o := n
obj-$(CONFIG_ACPI_BGRT) += efi-bgrt.o
obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o tpm.o
-obj-$(CONFIG_EFI) += memmap.o
+obj-$(CONFIG_EFI) += memmap.o confidential-computing.o
ifneq ($(CONFIG_EFI_CAPSULE_LOADER),)
obj-$(CONFIG_EFI) += capsule.o
endif
diff --git a/drivers/firmware/efi/confidential-computing.c b/drivers/firmware/efi/confidential-computing.c
new file mode 100644
index 000000000000..e6bb4d1e8f17
--- /dev/null
+++ b/drivers/firmware/efi/confidential-computing.c
@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Confidential computing secret area handling
+ *
+ * Copyright (C) 2021 IBM Corporation
+ * Author: Dov Murik <dovmurik at linux.ibm.com>
+ */
+
+#define pr_fmt(fmt) "efi: " fmt
+
+#include <linux/efi.h>
+#include <linux/init.h>
+#include <linux/memblock.h>
+#include <asm/early_ioremap.h>
+
+/*
+ * Reserve the confidential computing secret area memory
+ */
+int __init efi_confidential_computing_secret_area_reserve(void)
+{
+ struct linux_efi_confidential_computing_secret_area *secret_area;
+ unsigned long secret_area_size;
+
+ if (efi.confidential_computing_secret == EFI_INVALID_TABLE_ADDR)
+ return 0;
+
+ secret_area = early_memremap(efi.confidential_computing_secret, sizeof(*secret_area));
+ if (!secret_area) {
+ pr_err("Failed to map confidential computing secret area\n");
+ efi.confidential_computing_secret = EFI_INVALID_TABLE_ADDR;
+ return -ENOMEM;
+ }
+
+ secret_area_size = sizeof(*secret_area) + secret_area->size;
+ memblock_reserve(efi.confidential_computing_secret, secret_area_size);
+
+ pr_info("Reserved memory of EFI-provided confidential computing secret area");
+
+ early_memunmap(secret_area, sizeof(*secret_area));
+ return 0;
+}
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 4b7ee3fa9224..da36333e5c9f 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -526,6 +526,9 @@ static const efi_config_table_type_t common_tables[] __initconst = {
#ifdef CONFIG_LOAD_UEFI_KEYS
{LINUX_EFI_MOK_VARIABLE_TABLE_GUID, &efi.mokvar_table, "MOKvar" },
#endif
+ {LINUX_EFI_CONFIDENTIAL_COMPUTING_SECRET_AREA_GUID,
+ &efi.confidential_computing_secret,
+ "ConfCompSecret"},
{},
};
@@ -613,6 +616,8 @@ int __init efi_config_parse_tables(const efi_config_table_t *config_tables,
efi_tpm_eventlog_init();
+ efi_confidential_computing_secret_area_reserve();
+
if (mem_reserve != EFI_INVALID_TABLE_ADDR) {
unsigned long prsv = mem_reserve;
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 4f647f1ee298..e9740bd16db0 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -551,6 +551,8 @@ extern struct efi {
unsigned long tpm_log; /* TPM2 Event Log table */
unsigned long tpm_final_log; /* TPM2 Final Events Log table */
unsigned long mokvar_table; /* MOK variable config table */
+ unsigned long confidential_computing_secret; /* Confidential computing */
+ /* secret table */
efi_get_time_t *get_time;
efi_set_time_t *set_time;
@@ -1190,6 +1192,8 @@ extern int efi_tpm_final_log_size;
extern unsigned long rci2_table_phys;
+extern int efi_confidential_computing_secret_area_reserve(void);
+
/*
* efi_runtime_service() function identifiers.
* "NONE" is used by efi_recover_from_page_fault() to check if the page
--
2.25.1
More information about the Linux-security-module-archive
mailing list