[RFC PATCH 0/3] Allow access to confidential computing secret area

Andi Kleen ak at linux.intel.com
Fri May 21 16:41:42 UTC 2021

> The SEV-SNP attestation approach is very similar to what Andi described
> for the TDX. However, in the case of legacy SEV and ES, the attestation
> verification is performed before the guest is booted. In this case, the
> hyervisor puts the secret provided by the guest owner (after the
> attestation) at a fixed location. Dov's driver is simply reading that
> fixed location and making it available through the simple text file.

That's the same as our SVKL model.

The (not yet posted) driver is here:


We opted to use ioctls, with the idea that it should be just read and 
cleared once to not let the secret lying around. Typically you would 
just use it to set up dmcrypt or similar once. I think read-and-clear 
with explicit operations is a better model than some virtual file 
because of the security properties.


More information about the Linux-security-module-archive mailing list