[PATCH v8 2/4] virt: Add efi_secret module to expose confidential computing secrets

Gerd Hoffmann kraxel at redhat.com
Tue Mar 1 12:24:31 UTC 2022


On Mon, Feb 28, 2022 at 11:42:52AM +0000, Dov Murik wrote:
> The new efi_secret module exposes the confidential computing (coco)
> EFI secret area via securityfs interface.
> 
> When the module is loaded (and securityfs is mounted, typically under
> /sys/kernel/security), a "secrets/coco" directory is created in
> securityfs.  In it, a file is created for each secret entry.  The name
> of each such file is the GUID of the secret entry, and its content is
> the secret data.
> 
> This allows applications running in a confidential computing setting to
> read secrets provided by the guest owner via a secure secret injection
> mechanism (such as AMD SEV's LAUNCH_SECRET command).
> 
> Removing (unlinking) files in the "secrets/coco" directory will zero out
> the secret in memory, and remove the filesystem entry.  If the module is
> removed and loaded again, that secret will not appear in the filesystem.
> 
> Signed-off-by: Dov Murik <dovmurik at linux.ibm.com>

Reviewed-by: Gerd Hoffmann <kraxel at redhat.com>



More information about the Linux-security-module-archive mailing list