[PATCH v7 0/5] Allow guest access to EFI confidential computing secret area
Greg KH
gregkh at linuxfoundation.org
Wed Feb 2 07:05:23 UTC 2022
On Wed, Feb 02, 2022 at 06:54:43AM +0000, Matthew Garrett wrote:
> On Wed, Feb 02, 2022 at 07:10:02AM +0100, Greg KH wrote:
> > On Wed, Feb 02, 2022 at 04:01:57AM +0000, Matthew Garrett wrote:
> > > We're talking about things that have massively different semantics.
> >
> > I see lots of different platforms trying to provide access to their
> > "secure" firmware data to userspace in different ways. That feels to me
> > like they are the same thing that userspace would care about in a
> > unified way.
>
> EFI variables are largely for the OS to provide information to the
> firmware, while this patchset is to provide information from the
> firmware to the OS. I don't see why we'd expect to use the same userland
> tooling for both.
I totally agree, I'm not worried about EFI variables here, I don't know
why that came up.
> In the broader case - I don't think we *can* use the same userland
> tooling for everything. For example, the patches to add support for
> manipulating the Power secure boot keys originally attempted to make it
> look like efivars, but the underlying firmware semantics are
> sufficiently different that even exposing the same kernel interface
> wouldn't be a sufficient abstraction and userland would still need to
> behave differently. Exposing an interface that looks consistent but
> isn't is arguably worse for userland than exposing explicitly distinct
> interfaces.
So what does userspace really need here? Just the ability to find if
the platform has blobs that it cares about, and how to read/write them.
I see different platform patches trying to stick these blobs in
different locations and ways to access (securityfs, sysfs, char device
node), which seems crazy to me. Why can't we at least pick one way to
access these to start with, and then have the filesystem layout be
platform-specific as needed, which will give the correct hints to
userspace as to what it needs to do here?
thanks,
greg k-h
More information about the Linux-security-module-archive
mailing list