On Wed, 2021-10-20 at 08:39 +0200, Greg KH wrote:
> On Wed, Oct 20, 2021 at 06:14:06AM +0000, Dov Murik wrote:
[...]
> > + help
> > + Copy memory reserved by EFI for Confidential Computing (coco)
> > + injected secrets, if EFI exposes such a table entry.
>
> Why would you want to "copy" secret memory?
>
> This sounds really odd here, it sounds like you are opening up a
> security hole. Are you sure this is the correct text that everyone
> on the "COCO" group agrees with?

The way this works is that EFI covers the secret area with a boot time
handoff block, which means it gets destroyed as soon as
ExitBootServices is called as a security measure ... if you do nothing
the secret is shredded. This means you need to make a copy of it
before that happens if there are secrets that need to live beyond the
EFI boot stub.

James
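Review bot: the quoted Kconfig help text ("Copy memory reserved by EFI for Confidential Computing (coco) injected secrets, if EFI exposes such a table entry.") states that the secret memory is copied but not why, which is exactly what reads as a security hole in review. Since the reply explains that the area is a boot-time handoff block destroyed at ExitBootServices, the help text should say so, for example "Copy the EFI Confidential Computing (coco) injected-secret area before ExitBootServices destroys it, so the secrets stay available to the kernel", so the option's purpose is clear from the Kconfig text alone.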