Sākums Izpētīt Palīdzība
Pierakstīties
samsung-sm8650
/
android_kernel_samsung_sm8650_ksu
2
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: 5c86c450e2
Atzari Tagi
android_kernel_...
/
Documentation
/
ABI
/
testing
/
securityfs-secrets-coco

securityfs-secrets-coco 2.2 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051 
  1. What:		security/secrets/coco
    2. 

  2. Date:		February 2022
    3. 

  3. Contact:	Dov Murik <[email protected]>
    4. 

  4. Description:
    5. 

  5. 		Exposes confidential computing (coco) EFI secrets to
    6. 

  6. 		userspace via securityfs.
    7. 

  7. 

  8. 		EFI can declare memory area used by confidential computing
    9. 

  9. 		platforms (such as AMD SEV and SEV-ES) for secret injection by
    10. 

  10. 		the Guest Owner during VM's launch.  The secrets are encrypted
    11. 

  11. 		by the Guest Owner and decrypted inside the trusted enclave,
    12. 

  12. 		and therefore are not readable by the untrusted host.
    13. 

  13. 

  14. 		The efi_secret module exposes the secrets to userspace.  Each
    15. 

  15. 		secret appears as a file under <securityfs>/secrets/coco,
    16. 

  16. 		where the filename is the GUID of the entry in the secrets
    17. 

  17. 		table.  This module is loaded automatically by the EFI driver
    18. 

  18. 		if the EFI secret area is populated.
    19. 

  19. 

  20. 		Two operations are supported for the files: read and unlink.
    21. 

  21. 		Reading the file returns the content of secret entry.
    22. 

  22. 		Unlinking the file overwrites the secret data with zeroes and
    23. 

  23. 		removes the entry from the filesystem.  A secret cannot be read
    24. 

  24. 		after it has been unlinked.
    25. 

  25. 

  26. 		For example, listing the available secrets::
    27. 

  27. 

  28. 		  # modprobe efi_secret
    29. 

  29. 		  # ls -l /sys/kernel/security/secrets/coco
    30. 

  30. 		  -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b
    31. 

  31. 		  -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6
    32. 

  32. 		  -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2
    33. 

  33. 		  -r--r----- 1 root root 0 Jun 28 11:54 e6f5a162-d67f-4750-a67c-5d065f2a9910
    34. 

  34. 

  35. 		Reading the secret data by reading a file::
    36. 

  36. 

  37. 		  # cat /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910
    38. 

  38. 		  the-content-of-the-secret-data
    39. 

  39. 

  40. 		Wiping a secret by unlinking a file::
    41. 

  41. 

  42. 		  # rm /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910
    43. 

  43. 		  # ls -l /sys/kernel/security/secrets/coco
    44. 

  44. 		  -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b
    45. 

  45. 		  -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6
    46. 

  46. 		  -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2
    47. 

  47. 

  48. 		Note: The binary format of the secrets table injected by the
    49. 

  49. 		Guest Owner is described in
    50. 

  50. 		drivers/virt/coco/efi_secret/efi_secret.c under "Structure of
    51. 

  51. 		the EFI secret area".
    52.