virt: Add efi_secret module to expose confidential computing secretsThe new efi_secret module exposes the confidential computing (coco)EFI secret area via securityfs interface.When the module is
virt: Add efi_secret module to expose confidential computing secretsThe new efi_secret module exposes the confidential computing (coco)EFI secret area via securityfs interface.When the module is loaded (and securityfs is mounted, typically under/sys/kernel/security), a "secrets/coco" directory is created insecurityfs. In it, a file is created for each secret entry. The nameof each such file is the GUID of the secret entry, and its content isthe secret data.This allows applications running in a confidential computing setting toread secrets provided by the guest owner via a secure secret injectionmechanism (such as AMD SEV's LAUNCH_SECRET command).Removing (unlinking) files in the "secrets/coco" directory will zero outthe secret in memory, and remove the filesystem entry. If the module isremoved and loaded again, that secret will not appear in the filesystem.Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>Link: https://lore.kernel.org/r/20220412212127.154182-3-dovmurik@linux.ibm.comSigned-off-by: Ard Biesheuvel <ardb@kernel.org>
show more ...