[PATCH v8 2/4] virt: Add efi_secret module to expose confidential computing secrets
Gerd Hoffmann
kraxel at redhat.com
Tue Mar 1 12:24:31 UTC 2022
On Mon, Feb 28, 2022 at 11:42:52AM +0000, Dov Murik wrote:
> The new efi_secret module exposes the confidential computing (coco)
> EFI secret area via securityfs interface.
>
> When the module is loaded (and securityfs is mounted, typically under
> /sys/kernel/security), a "secrets/coco" directory is created in
> securityfs. In it, a file is created for each secret entry. The name
> of each such file is the GUID of the secret entry, and its content is
> the secret data.
>
> This allows applications running in a confidential computing setting to
> read secrets provided by the guest owner via a secure secret injection
> mechanism (such as AMD SEV's LAUNCH_SECRET command).
>
> Removing (unlinking) files in the "secrets/coco" directory will zero out
> the secret in memory, and remove the filesystem entry. If the module is
> removed and loaded again, that secret will not appear in the filesystem.
>
> Signed-off-by: Dov Murik <dovmurik at linux.ibm.com>
Reviewed-by: Gerd Hoffmann <kraxel at redhat.com>
More information about the Linux-security-module-archive
mailing list