git.baikalelectronics.ru Git - kernel.git/commit

author	Dov Murik <dovmurik@linux.ibm.com>
	Tue, 12 Apr 2022 21:21:25 +0000 (21:21 +0000)
committer	Ard Biesheuvel <ardb@kernel.org>
	Wed, 13 Apr 2022 17:11:20 +0000 (19:11 +0200)
commit	db28aa4078ad8a9f5aa04c9d26147f3f0e2841e6
tree	a1d26bbdce9e16baeb030275c371903c42c1a5cd	tree \| snapshot
parent	e5e0a102a6bae16d0f0d72da008a354b040709e3	commit \| diff

virt: Add efi_secret module to expose confidential computing secrets

The new efi_secret module exposes the confidential computing (coco)
EFI secret area via securityfs interface.

When the module is loaded (and securityfs is mounted, typically under
/sys/kernel/security), a "secrets/coco" directory is created in
securityfs. In it, a file is created for each secret entry. The name
of each such file is the GUID of the secret entry, and its content is
the secret data.

This allows applications running in a confidential computing setting to
read secrets provided by the guest owner via a secure secret injection
mechanism (such as AMD SEV's LAUNCH_SECRET command).

Removing (unlinking) files in the "secrets/coco" directory will zero out
the secret in memory, and remove the filesystem entry. If the module is
removed and loaded again, that secret will not appear in the filesystem.

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Link: https://lore.kernel.org/r/20220412212127.154182-3-dovmurik@linux.ibm.com
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

Documentation/ABI/testing/securityfs-secrets-coco	[new file with mode: 0644]	blob
drivers/virt/Kconfig		diff \| blob \| history
drivers/virt/Makefile		diff \| blob \| history
drivers/virt/coco/efi_secret/Kconfig	[new file with mode: 0644]	blob
drivers/virt/coco/efi_secret/Makefile	[new file with mode: 0644]	blob
drivers/virt/coco/efi_secret/efi_secret.c	[new file with mode: 0644]	blob