[PATCH v7 0/5] Allow guest access to EFI confidential computing secret area
Matthew Garrett
mjg59 at srcf.ucam.org
Wed Feb 2 06:54:43 UTC 2022
On Wed, Feb 02, 2022 at 07:10:02AM +0100, Greg KH wrote:
> On Wed, Feb 02, 2022 at 04:01:57AM +0000, Matthew Garrett wrote:
> > We're talking about things that have massively different semantics.
>
> I see lots of different platforms trying to provide access to their
> "secure" firmware data to userspace in different ways. That feels to me
> like they are the same thing that userspace would care about in a
> unified way.
EFI variables are largely for the OS to provide information to the
firmware, while this patchset is to provide information from the
firmware to the OS. I don't see why we'd expect to use the same userland
tooling for both.
In the broader case - I don't think we *can* use the same userland
tooling for everything. For example, the patches to add support for
manipulating the Power secure boot keys originally attempted to make it
look like efivars, but the underlying firmware semantics are
sufficiently different that even exposing the same kernel interface
wouldn't be a sufficient abstraction and userland would still need to
behave differently. Exposing an interface that looks consistent but
isn't is arguably worse for userland than exposing explicitly distinct
interfaces.
More information about the Linux-security-module-archive
mailing list