[PATCH v9 3/4] efi: Register efi_secret platform device if EFI secret area is declared

Dov Murik dovmurik at linux.ibm.com
Fri Apr 1 05:15:03 UTC 2022



On 01/04/2022 0:56, Dov Murik wrote:
> During efi initialization, check if coco_secret is defined in the EFI
> configuration table; in such case, register platform device
> "efi_secret".  This allows udev to automatically load the efi_secret
> module (platform driver), which in turn will populate the
> <securityfs>/secrets/coco directory in guests into which secrets were
> injected.
> 
> Note that a declared address of an EFI secret area doesn't mean that
> secrets where indeed injected to that area; if the secret area is not
> populated, the driver will not load (but the platform device will still
> be registered).
> 
> Signed-off-by: Dov Murik <dovmurik at linux.ibm.com>
> ---
>  drivers/firmware/efi/efi.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index 378d044b2463..b92eabc554e6 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
> @@ -425,6 +425,9 @@ static int __init efisubsys_init(void)
>  	if (efi_enabled(EFI_DBG) && efi_enabled(EFI_PRESERVE_BS_REGIONS))
>  		efi_debugfs_init();
>  
> +	if (efi.coco_secret != EFI_INVALID_TABLE_ADDR)
> +		platform_device_register_simple("efi_secret", 0, NULL, 0);

These two lines should be wrapped by #ifdef CONFIG_EFI_COCO_SECRET .
I'll fix that for the next round.

-Dov

> +
>  	return 0;
>  
>  err_remove_group:



More information about the Linux-security-module-archive mailing list