On Mon, Feb 28, 2022 at 11:42:52AM +0000, Dov Murik wrote:
> The new efi_secret module exposes the confidential computing (coco)
> EFI secret area via securityfs interface.
>
> When the module is loaded (and securityfs is mounted, typically under
> /sys/kernel/security), a "secrets/coco" directory is created in
> securityfs. In it, a file is created for each secret entry. The name
> of each such file is the GUID of the secret entry, and its content is
> the secret data.
>
> This allows applications running in a confidential computing setting to
> read secrets provided by the guest owner via a secure secret injection
> mechanism (such as AMD SEV's LAUNCH_SECRET command).
>
> Removing (unlinking) files in the "secrets/coco" directory will zero out
> the secret in memory, and remove the filesystem entry. If the module is
> removed and loaded again, that secret will not appear in the filesystem.
>
> Signed-off-by: Dov Murik <dovmurik@xxxxxxxxxxxxx>

Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
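
An added example, not part of the original message or the patch: a userspace consumer for the interface the quoted commit message describes, which reads a secret by GUID and then unlinks the file so the module zeroes it. The helper names, the sample GUID and the temporary stand-in directory used by `demo()` are assumptions made for the illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Directory named in the commit message; assumes securityfs at its typical mount point.
COCO_DIR = Path("/sys/kernel/security/secrets/coco")
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def list_secret_guids(base=COCO_DIR):
    """Return the GUID-named regular files in the secrets directory, sorted."""
    return sorted(e.name for e in os.scandir(base)
                  if GUID_RE.fullmatch(e.name) and e.is_file(follow_symlinks=False))


def consume_secret(guid, base=COCO_DIR):
    """Read one secret, then unlink its file.

    Per the commit message, unlinking in the real directory zeroes the secret
    in memory, and it does not reappear if the module is reloaded.
    """
    if not GUID_RE.fullmatch(guid):  # only a bare GUID, never a path
        raise ValueError(f"not a GUID: {guid!r}")
    path = Path(base) / guid
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        data = bytearray()
        while chunk := os.read(fd, 4096):
            data += chunk
    finally:
        os.close(fd)
    os.unlink(path)  # on securityfs this asks efi_secret to zero the entry
    return bytes(data)


def demo():
    """Exercise the helpers on a constructed stand-in directory."""
    with tempfile.TemporaryDirectory() as tmp:
        guid = "01234567-89ab-cdef-0123-456789abcdef"  # constructed sample GUID
        (Path(tmp) / guid).write_bytes(b"constructed-secret")
        (Path(tmp) / "README").write_text("not a GUID name, so ignored")
        before = list_secret_guids(tmp)
        secret = consume_secret(guid, tmp)
        return before, secret, list_secret_guids(tmp)


if __name__ == "__main__":
    print(demo())
```

Because the unlink is destructive by design, a consumer should read the secret in full before removing the entry, as `consume_secret` does.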