~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/ABI/testing/securityfs-secrets-coco

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/ABI/testing/securityfs-secrets-coco (Version linux-6.12-rc7) and /Documentation/ABI/testing/securityfs-secrets-coco (Version linux-5.19.17)


  1 What:           security/secrets/coco               1 What:           security/secrets/coco
  2 Date:           February 2022                       2 Date:           February 2022
  3 Contact:        Dov Murik <dovmurik@linux.ibm.c      3 Contact:        Dov Murik <dovmurik@linux.ibm.com>
  4 Description:                                        4 Description:
  5                 Exposes confidential computing      5                 Exposes confidential computing (coco) EFI secrets to
  6                 userspace via securityfs.           6                 userspace via securityfs.
  7                                                     7 
  8                 EFI can declare memory area us      8                 EFI can declare memory area used by confidential computing
  9                 platforms (such as AMD SEV and      9                 platforms (such as AMD SEV and SEV-ES) for secret injection by
 10                 the Guest Owner during VM's la     10                 the Guest Owner during VM's launch.  The secrets are encrypted
 11                 by the Guest Owner and decrypt     11                 by the Guest Owner and decrypted inside the trusted enclave,
 12                 and therefore are not readable     12                 and therefore are not readable by the untrusted host.
 13                                                    13 
 14                 The efi_secret module exposes      14                 The efi_secret module exposes the secrets to userspace.  Each
 15                 secret appears as a file under     15                 secret appears as a file under <securityfs>/secrets/coco,
 16                 where the filename is the GUID     16                 where the filename is the GUID of the entry in the secrets
 17                 table.  This module is loaded      17                 table.  This module is loaded automatically by the EFI driver
 18                 if the EFI secret area is popu     18                 if the EFI secret area is populated.
 19                                                    19 
 20                 Two operations are supported f     20                 Two operations are supported for the files: read and unlink.
 21                 Reading the file returns the c     21                 Reading the file returns the content of secret entry.
 22                 Unlinking the file overwrites      22                 Unlinking the file overwrites the secret data with zeroes and
 23                 removes the entry from the fil     23                 removes the entry from the filesystem.  A secret cannot be read
 24                 after it has been unlinked.        24                 after it has been unlinked.
 25                                                    25 
 26                 For example, listing the avail     26                 For example, listing the available secrets::
 27                                                    27 
 28                   # modprobe efi_secret            28                   # modprobe efi_secret
 29                   # ls -l /sys/kernel/security     29                   # ls -l /sys/kernel/security/secrets/coco
 30                   -r--r----- 1 root root 0 Jun     30                   -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b
 31                   -r--r----- 1 root root 0 Jun     31                   -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6
 32                   -r--r----- 1 root root 0 Jun     32                   -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2
 33                   -r--r----- 1 root root 0 Jun     33                   -r--r----- 1 root root 0 Jun 28 11:54 e6f5a162-d67f-4750-a67c-5d065f2a9910
 34                                                    34 
 35                 Reading the secret data by rea     35                 Reading the secret data by reading a file::
 36                                                    36 
 37                   # cat /sys/kernel/security/s     37                   # cat /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910
 38                   the-content-of-the-secret-da     38                   the-content-of-the-secret-data
 39                                                    39 
 40                 Wiping a secret by unlinking a     40                 Wiping a secret by unlinking a file::
 41                                                    41 
 42                   # rm /sys/kernel/security/se     42                   # rm /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910
 43                   # ls -l /sys/kernel/security     43                   # ls -l /sys/kernel/security/secrets/coco
 44                   -r--r----- 1 root root 0 Jun     44                   -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b
 45                   -r--r----- 1 root root 0 Jun     45                   -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6
 46                   -r--r----- 1 root root 0 Jun     46                   -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2
 47                                                    47 
 48                 Note: The binary format of the     48                 Note: The binary format of the secrets table injected by the
 49                 Guest Owner is described in        49                 Guest Owner is described in
 50                 drivers/virt/coco/efi_secret/e     50                 drivers/virt/coco/efi_secret/efi_secret.c under "Structure of
 51                 the EFI secret area".              51                 the EFI secret area".
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php