52 lines
2.2 KiB
Plaintext
52 lines
2.2 KiB
Plaintext
What: security/secrets/coco
|
|
Date: February 2022
|
|
Contact: Dov Murik <dovmurik@linux.ibm.com>
|
|
Description:
|
|
Exposes confidential computing (coco) EFI secrets to
|
|
userspace via securityfs.
|
|
|
|
EFI can declare memory area used by confidential computing
|
|
platforms (such as AMD SEV and SEV-ES) for secret injection by
|
|
the Guest Owner during VM's launch. The secrets are encrypted
|
|
by the Guest Owner and decrypted inside the trusted enclave,
|
|
and therefore are not readable by the untrusted host.
|
|
|
|
The efi_secret module exposes the secrets to userspace. Each
|
|
secret appears as a file under <securityfs>/secrets/coco,
|
|
where the filename is the GUID of the entry in the secrets
|
|
table. This module is loaded automatically by the EFI driver
|
|
if the EFI secret area is populated.
|
|
|
|
Two operations are supported for the files: read and unlink.
|
|
Reading the file returns the content of secret entry.
|
|
Unlinking the file overwrites the secret data with zeroes and
|
|
removes the entry from the filesystem. A secret cannot be read
|
|
after it has been unlinked.
|
|
|
|
For example, listing the available secrets::
|
|
|
|
# modprobe efi_secret
|
|
# ls -l /sys/kernel/security/secrets/coco
|
|
-r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b
|
|
-r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6
|
|
-r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2
|
|
-r--r----- 1 root root 0 Jun 28 11:54 e6f5a162-d67f-4750-a67c-5d065f2a9910
|
|
|
|
Reading the secret data by reading a file::
|
|
|
|
# cat /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910
|
|
the-content-of-the-secret-data
|
|
|
|
Wiping a secret by unlinking a file::
|
|
|
|
# rm /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910
|
|
# ls -l /sys/kernel/security/secrets/coco
|
|
-r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b
|
|
-r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6
|
|
-r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2
|
|
|
|
Note: The binary format of the secrets table injected by the
|
|
Guest Owner is described in
|
|
drivers/virt/coco/efi_secret/efi_secret.c under "Structure of
|
|
the EFI secret area".
|