On Mon, Feb 28, 2022 at 11:42:50AM +0000, Dov Murik wrote: > Confidential computing (coco) hardware such as AMD SEV (Secure Encrypted > Virtualization) allows guest owners to inject secrets into the VMs > memory without the host/hypervisor being able to read them. In SEV, > secret injection is performed early in the VM launch process, before the > guest starts running. > > OVMF already reserves designated area for secret injection (in its > AmdSev package; see edk2 commit 01726b6d23d4 "OvmfPkg/AmdSev: Expose the > Sev Secret area using a configuration table" [1]), but the secrets were > not available in the guest kernel. > > The patch series keeps the address of the EFI-provided memory for > injected secrets, and exposes the secrets to userspace via securityfs > using a new efi_secret kernel module. The module is autoloaded (by the > EFI driver) if the secret area is populated. Right, so this thing. Tom and I were talking about SEV* guest debugging today and I believe there might be another use case for this: SEV-ES guests cannot find out from an attestation report - like SNP guests can - whether they're being debugged or not so it would be very helpful if the fact that a -ES guest is being debugged, could be supplied through such a secrets blob. Because then, when I'm singlestepping the guest with gdb over the gdbstub, the guest could determine based on those guest-owner previously injected secrets whether it should allow debugging or not. And this is where your set comes in. However, I'm wondering if - instead of defining your own secrets structs etc - you could use the SNP confidential computing blob machinery the SNP set is adding. In particular: https://lore.kernel.org/all/20220307213356.2797205-30-brijesh.singh@xxxxxxx/ And you're adding another GUID but maybe you could simply use the SNP thing called EFI_CC_BLOB_GUID and mimick that layout. That should unify things more. And then guest kernel code could query the blob also for debugging policy and so on. Thoughts, opinions? -- Regards/Gruss, Boris. SUSE Software Solutions Germany GmbH, GF: Ivo Totev, HRB 36809, AG Nürnberg
