Hi Linus,
Please pull the changes below. Note the conflict in drivers/virt/Kconfig and
Makefile: this is due to CoCo changes arriving via different trees, and the
resolution is obvious.
Thanks,
Ard.
The following changes since commit 3123109284176b1532874591f7c81f3837bbdc17:
Linux 5.18-rc1 (2022-04-03 14:08:21 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git tags/efi-next-for-v5.19
for you to fetch changes up to 3f68e69520d3d52d66a6ad872a75b7d8f2ea7665:
riscv/efi_stub: Add support for RISCV_EFI_BOOT_PROTOCOL (2022-05-19 10:22:17 +0200)
----------------------------------------------------------------
EFI updates for v5.19
- Allow runtime services to be re-enabled at boot on RT kernels.
- Provide access to secrets injected into the boot image by CoCo
hypervisors (COnfidential COmputing)
- Use DXE services on x86 to make the boot image executable after
relocation, if needed.
- Prefer mirrored memory for randomized allocations.
- Only randomize the placement of the kernel image on arm64 if the
loader has not already done so.
- Add support for obtaining the boot hartid from EFI on RISC-V.
----------------------------------------------------------------
Ard Biesheuvel (3):
efi: libstub: pass image handle to handle_kernel_image()
efi/arm64: libstub: run image in place if randomized by the loader
efi: stub: prefer mirrored memory for randomized allocations
Baskov Evgeniy (2):
efi: libstub: declare DXE services table
efi: libstub: ensure allocated memory to be executable
Dov Murik (4):
efi: Save location of EFI confidential computing area
virt: Add efi_secret module to expose confidential computing secrets
efi: Register efi_secret platform device if EFI secret area is declared
docs: security: Add secrets/coco documentation
Jan Kiszka (1):
efi: Add missing prototype for efi_capsule_setup_info
Javier Martinez Canillas (1):
efi: Allow to enable EFI runtime services by default on RT
Peter Jones (1):
efi: x86: Set the NX-compatibility flag in the PE header
Sunil V L (1):
riscv/efi_stub: Add support for RISCV_EFI_BOOT_PROTOCOL
Documentation/ABI/testing/securityfs-secrets-coco | 51 ++++
Documentation/security/index.rst | 1 +
Documentation/security/secrets/coco.rst | 103 +++++++
Documentation/security/secrets/index.rst | 9 +
arch/x86/boot/header.S | 4 +
arch/x86/include/asm/efi.h | 5 +
arch/x86/platform/efi/efi.c | 3 +
drivers/firmware/efi/Kconfig | 43 +++
drivers/firmware/efi/efi.c | 13 +-
drivers/firmware/efi/libstub/arm32-stub.c | 3 +-
drivers/firmware/efi/libstub/arm64-stub.c | 15 +-
drivers/firmware/efi/libstub/efi-stub.c | 2 +-
drivers/firmware/efi/libstub/efistub.h | 84 +++++-
drivers/firmware/efi/libstub/randomalloc.c | 11 +
drivers/firmware/efi/libstub/riscv-stub.c | 32 +-
drivers/firmware/efi/libstub/x86-stub.c | 119 +++++++-
drivers/virt/Kconfig | 3 +
drivers/virt/Makefile | 1 +
drivers/virt/coco/efi_secret/Kconfig | 16 +
drivers/virt/coco/efi_secret/Makefile | 2 +
drivers/virt/coco/efi_secret/efi_secret.c | 349 ++++++++++++++++++++++
include/linux/efi.h | 27 ++
22 files changed, 876 insertions(+), 20 deletions(-)
create mode 100644 Documentation/ABI/testing/securityfs-secrets-coco
create mode 100644 Documentation/security/secrets/coco.rst
create mode 100644 Documentation/security/secrets/index.rst
create mode 100644 drivers/virt/coco/efi_secret/Kconfig
create mode 100644 drivers/virt/coco/efi_secret/Makefile
create mode 100644 drivers/virt/coco/efi_secret/efi_secret.c
