Re: [PATCH v8 2/4] virt: Add efi_secret module to expose confidential computing secrets
From: Gerd Hoffmann
Date: Tue Mar 01 2022 - 07:24:47 EST
On Mon, Feb 28, 2022 at 11:42:52AM +0000, Dov Murik wrote:
> The new efi_secret module exposes the confidential computing (coco)
> EFI secret area via securityfs interface.
>
> When the module is loaded (and securityfs is mounted, typically under
> /sys/kernel/security), a "secrets/coco" directory is created in
> securityfs. In it, a file is created for each secret entry. The name
> of each such file is the GUID of the secret entry, and its content is
> the secret data.
>
> This allows applications running in a confidential computing setting to
> read secrets provided by the guest owner via a secure secret injection
> mechanism (such as AMD SEV's LAUNCH_SECRET command).
>
> Removing (unlinking) files in the "secrets/coco" directory will zero out
> the secret in memory, and remove the filesystem entry. If the module is
> removed and loaded again, that secret will not appear in the filesystem.
>
> Signed-off-by: Dov Murik <dovmurik@xxxxxxxxxxxxx>
Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>