[PATCH v7 4/5] efi: Load efi_secret module if EFI secret area is populated

Gerd Hoffmann kraxel at redhat.com
Thu Feb 3 06:16:15 UTC 2022


  Hi,

> > I think the module should fail noisily.  See above for autoload.  In
> > case the module is loaded (either manually by the admin, or because
> > efi.coco_secret != EFI_INVALID_TABLE_ADDR) and it can't actually load
> > the secrets we want know why ...
> 
> Note that the AmdSev build of OVMF always publishes
> LINUX_EFI_COCO_SECRET_TABLE_GUID in the EFI table.  Even when
> LAUNCH_SECRET was not executed.  In such cases the secret area will be
> empty.

Hmm, ok.  Why?  I assume the secret area is filled by the host and ovmf
doesn't even look at it?

> If we keep only the 'efi.coco_secret != EFI_INVALID_TABLE_ADDR' check,
> we'll get errors from efi_secret for every VM launch that doesn't
> undergo LAUNCH_SECRET.  I don't think that's good.

Well, if that is a common case the module could either print nothing or
log KERN_INFO level instead of KERN_ERROR.

> If we *do* want to check that the area starts with
> EFI_SECRET_TABLE_HEADER_GUID (like I think we should), we need all the
> checks before that, like checking that the area is big enough, and that
> all the memremap()s succeed -- before actually comparing the
> header_guid.  The checks are basically prerequisites for calling
> efi_guidcmp() safely.

It is still not fully clear to me why you want do that check twice.

take care,
  Gerd



More information about the Linux-security-module-archive mailing list