On Wed, Oct 20, 2021 at 03:52:49PM +0300, Dov Murik wrote:
> 
> 
> On 20/10/2021 15:11, Greg KH wrote:
> > On Wed, Oct 20, 2021 at 08:00:28AM -0400, James Bottomley wrote:
> >> On Wed, 2021-10-20 at 08:39 +0200, Greg KH wrote:
> >>> On Wed, Oct 20, 2021 at 06:14:06AM +0000, Dov Murik wrote:
> >> [...]
> >>>> +	help
> >>>> +	  Copy memory reserved by EFI for Confidential Computing (coco)
> >>>> +	  injected secrets, if EFI exposes such a table entry.
> >>>
> >>> Why would you want to "copy" secret memory?
> >>>
> >>> This sounds really odd here, it sounds like you are opening up a
> >>> security hole.  Are you sure this is the correct text that everyone
> >>> on the "COCO" group agrees with?
> >>
> >> The way this works is that EFI covers the secret area with a boot time
> >> handoff block, which means it gets destroyed as soon as
> >> ExitBootServices is called as a security measure ... if you do nothing
> >> the secret is shredded.  This means you need to make a copy of it
> >> before that happens if there are secrets that need to live beyond the
> >> EFI boot stub.
> > 
> > Ok, but "copy secrets" does sound really odd, so you all need a much
> > better description here, and hopefully somewhere else in Documentation/
> > to describe exactly what this new API is and is to be used for.
> > 
> 
> 
> So something like:
> 
> 
> config EFI_COCO_SECRET
> 	bool "Keep the EFI Confidential Computing secret area"
> 	depends on EFI
> 	help
> 	  Confidential Computing platforms (such as AMD SEV) allow for
> 	  secrets injection during guest VM launch.  The secrets are
> 	  placed in a designated EFI memory area.  EFI destroys
> 	  the confidential computing secret area when ExitBootServices
> 	  is called.

That last sentence does not make much sense to me, sorry.

> 	  In order to use the secrets in the kernel, the secret area
> 	  must be copied to kernel-reserved memory (before it is erased).
> 
> 	  If you say Y here, the EFI stub will copy the EFI secret area (if
> 	  available) and reserve it for use inside the kernel.  This will
> 	  allow the virt/coco/efi_secret module to access the secrets.

Really this is about getting that data out to userspace, right?  Should
you mention that here?

> and some new file like Documentation/security/coco/efi_secret.rst which
> describes this whole protocol (from secret injection at VM launch
> into an EFI page, through efistub and efi in linux, to the efi_secret
> module which exposes the secrets).

Yes, that would be good to have documented.

thanks,

greg k-h
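As an added illustration of the lifecycle James describes above (the boot-time handoff block, its destruction at ExitBootServices, and the copy the EFI stub must take first), here is a small C model. It is not code from the patch, from the kernel, or from anyone on this thread. The GUID, the 64-byte area size, the injected bytes and the single-entry table are constructed placeholders; only the GUID-plus-pointer shape of a configuration table entry follows the EFI layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one EFI configuration table entry: vendor GUID plus a pointer
 * to that vendor's table (the EFI_CONFIGURATION_TABLE shape). */
typedef struct {
    uint8_t vendor_guid[16];
    void *vendor_table;
} cfg_table_entry;

/* Placeholder GUID for the coco secret entry: a constructed value, not the
 * real one (which this thread does not give). */
static const uint8_t COCO_SECRET_GUID_PLACEHOLDER[16] = {
    0xc0, 0xc0, 0x5e, 0xc7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
};

#define SECRET_AREA_SIZE 64

/* Constructed stand-in for what launch-time injection places in the area. */
static const uint8_t INJECTED_SECRET[SECRET_AREA_SIZE] = "constructed-secret";

/* EFI-owned boot-time handoff block: shredded at ExitBootServices. */
static uint8_t handoff_block[SECRET_AREA_SIZE];

/* Kernel-reserved copy that outlives boot services. */
static uint8_t reserved_copy[SECRET_AREA_SIZE];
static bool reserved_copy_valid = false;

/* Return the vendor table for guid, or NULL if EFI exposes no such entry. */
static void *find_cfg_table(const cfg_table_entry *t, size_t n, const uint8_t guid[16])
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(t[i].vendor_guid, guid, 16) == 0)
            return t[i].vendor_table;
    return NULL;
}

/* EFI stub step: copy the secret area into reserved memory.
 * Returns 0 on success, -1 when no secret entry is present. */
int efi_coco_secret_copy(const cfg_table_entry *t, size_t n)
{
    void *area = find_cfg_table(t, n, COCO_SECRET_GUID_PLACEHOLDER);
    if (!area)
        return -1;                       /* nothing injected: reserve nothing */
    memcpy(reserved_copy, area, SECRET_AREA_SIZE);
    reserved_copy_valid = true;
    return 0;
}

/* Firmware step: ExitBootServices destroys the handoff block. */
void model_exit_boot_services(void)
{
    memset(handoff_block, 0, SECRET_AREA_SIZE);
}

/* efi_secret module step: secrets are only ever read from the reserved copy. */
const uint8_t *efi_secret_get(void)
{
    return reserved_copy_valid ? reserved_copy : NULL;
}

/* Constructed config table: one unrelated entry, optionally the secret entry. */
static void build_tables(cfg_table_entry t[2], bool with_secret_entry)
{
    memset(t, 0, 2 * sizeof(cfg_table_entry));
    t[0].vendor_guid[0] = 0x11;          /* some unrelated table */
    if (with_secret_entry) {
        memcpy(t[1].vendor_guid, COCO_SECRET_GUID_PLACEHOLDER, 16);
        t[1].vendor_table = handoff_block;
    }
}

/* Whole lifecycle. Returns 1 if the kernel still holds the injected secret
 * after ExitBootServices, 0 otherwise. */
int run_scenario(bool copy_before_exit)
{
    cfg_table_entry t[2];
    memcpy(handoff_block, INJECTED_SECRET, SECRET_AREA_SIZE);
    memset(reserved_copy, 0, SECRET_AREA_SIZE);
    reserved_copy_valid = false;
    build_tables(t, true);

    if (copy_before_exit)
        efi_coco_secret_copy(t, 2);
    model_exit_boot_services();
    if (!copy_before_exit)
        efi_coco_secret_copy(t, 2);      /* too late: the area is already erased */

    const uint8_t *s = efi_secret_get();
    return s != NULL && memcmp(s, INJECTED_SECRET, SECRET_AREA_SIZE) == 0;
}

/* EFI exposes no secret entry: the stub must reserve nothing (returns -1). */
int run_no_secret_scenario(void)
{
    cfg_table_entry t[2];
    reserved_copy_valid = false;
    build_tables(t, false);
    return efi_coco_secret_copy(t, 2);
}

int main(void)
{
    printf("copy before ExitBootServices: secret kept = %d\n", run_scenario(true));
    printf("copy after ExitBootServices:  secret kept = %d\n", run_scenario(false));
    printf("no secret entry: copy returns %d\n", run_no_secret_scenario());
    return 0;
}
```

The ordering is the whole point: `run_scenario(true)` keeps the secret because the copy happens while the handoff block still exists, while `run_scenario(false)` ends up with an all-zero copy because the same call runs after the block was shredded. Anything that later exposes the secrets (the efi_secret module in the thread) reads only the reserved copy, never the EFI area.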