Based on kernel version 6.11
. Page generated on 2024-09-24 08:21 EST
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | What: security/secrets/coco Date: February 2022 Contact: Dov Murik <dovmurik@linux.ibm.com> Description: Exposes confidential computing (coco) EFI secrets to userspace via securityfs. EFI can declare memory area used by confidential computing platforms (such as AMD SEV and SEV-ES) for secret injection by the Guest Owner during VM's launch. The secrets are encrypted by the Guest Owner and decrypted inside the trusted enclave, and therefore are not readable by the untrusted host. The efi_secret module exposes the secrets to userspace. Each secret appears as a file under <securityfs>/secrets/coco, where the filename is the GUID of the entry in the secrets table. This module is loaded automatically by the EFI driver if the EFI secret area is populated. Two operations are supported for the files: read and unlink. Reading the file returns the content of secret entry. Unlinking the file overwrites the secret data with zeroes and removes the entry from the filesystem. A secret cannot be read after it has been unlinked. For example, listing the available secrets:: # modprobe efi_secret # ls -l /sys/kernel/security/secrets/coco -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6 -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2 -r--r----- 1 root root 0 Jun 28 11:54 e6f5a162-d67f-4750-a67c-5d065f2a9910 Reading the secret data by reading a file:: # cat /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910 the-content-of-the-secret-data Wiping a secret by unlinking a file:: # rm /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910 # ls -l /sys/kernel/security/secrets/coco -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6 -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2 Note: The binary format of the secrets table injected by the Guest Owner is described in drivers/virt/coco/efi_secret/efi_secret.c under "Structure of the EFI secret area". |