Re: [RFC PATCH v2 2/3] efi: Reserve confidential computing secret area

From: Tom Lendacky
Date: Mon Jun 28 2021 - 16:40:16 EST


On 6/28/21 1:34 PM, Dov Murik wrote:
> When efi-stub copies an EFI-provided confidential computing secret area,
> reserve that memory block for future use within the kernel.
>
> Signed-off-by: Dov Murik <dovmurik@xxxxxxxxxxxxx>
> ---
> drivers/firmware/efi/Makefile | 2 +-
> drivers/firmware/efi/confidential-computing.c | 41 +++++++++++++++++++
> drivers/firmware/efi/efi.c | 5 +++
> include/linux/efi.h | 4 ++
> 4 files changed, 51 insertions(+), 1 deletion(-)
> create mode 100644 drivers/firmware/efi/confidential-computing.c
>
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index 4f647f1ee298..e9740bd16db0 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -551,6 +551,8 @@ extern struct efi {
> unsigned long tpm_log; /* TPM2 Event Log table */
> unsigned long tpm_final_log; /* TPM2 Final Events Log table */
> unsigned long mokvar_table; /* MOK variable config table */
> + unsigned long confidential_computing_secret; /* Confidential computing */
> + /* secret table */

If there is any possibility that someone could reuse a form of this
confidential computing secret table in a bare metal system, then this
table needs to be added to the efi_tables[] array in
arch/x86/platform/efi/efi.c. Otherwise, it will be mapped improperly on a
system with SME active.

Thanks,
Tom

>
> efi_get_time_t *get_time;
> efi_set_time_t *set_time;
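Review bot: The comment on the new confidential_computing_secret field is split into two separate /* ... */ blocks over two lines, while the neighbouring tpm_log, tpm_final_log and mokvar_table fields each carry a single one-line comment. A shorter comment that fits on the field's own line, or one comment placed on the line above the field, would keep the struct consistent and stop the second comment from reading as if it belonged to the following member.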
> @@ -1190,6 +1192,8 @@ extern int efi_tpm_final_log_size;
>
> extern unsigned long rci2_table_phys;
>
> +extern int efi_confidential_computing_secret_area_reserve(void);
> +
> /*
> * efi_runtime_service() function identifiers.
> * "NONE" is used by efi_recover_from_page_fault() to check if the page
>
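Review bot: The new "extern int efi_confidential_computing_secret_area_reserve(void);" declaration carries no comment saying what the int return value means (for example 0 versus a negative errno, and whether an absent secret table counts as an error), so a caller cannot tell from the header how to treat a failure. It is also declared unconditionally; if confidential-computing.c is built only under a config option (the Makefile hunk is not quoted here), a static inline stub is needed for the disabled case.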