Linux/Documentation/ABI/testing/securityfs-secrets-coco

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

1 What: security/secrets/coco 2 Date: February 2022 3 Contact: Dov Murik <dovmurik@linux.ibm.com> 4 Description: 5 Exposes confidential computing (coco) EFI secrets to 6 userspace via securityfs. 7 8 EFI can declare memory area used by confidential computing 9 platforms (such as AMD SEV and SEV-ES) for secret injection by 10 the Guest Owner during VM's launch. The secrets are encrypted 11 by the Guest Owner and decrypted inside the trusted enclave, 12 and therefore are not readable by the untrusted host. 13 14 The efi_secret module exposes the secrets to userspace. Each 15 secret appears as a file under <securityfs>/secrets/coco, 16 where the filename is the GUID of the entry in the secrets 17 table. This module is loaded automatically by the EFI driver 18 if the EFI secret area is populated. 19 20 Two operations are supported for the files: read and unlink. 21 Reading the file returns the content of secret entry. 22 Unlinking the file overwrites the secret data with zeroes and 23 removes the entry from the filesystem. A secret cannot be read 24 after it has been unlinked. 25 26 For example, listing the available secrets:: 27 28 # modprobe efi_secret 29 # ls -l /sys/kernel/security/secrets/coco 30 -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b 31 -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6 32 -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2 33 -r--r----- 1 root root 0 Jun 28 11:54 e6f5a162-d67f-4750-a67c-5d065f2a9910 34 35 Reading the secret data by reading a file:: 36 37 # cat /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910 38 the-content-of-the-secret-data 39 40 Wiping a secret by unlinking a file:: 41 42 # rm /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910 43 # ls -l /sys/kernel/security/secrets/coco 44 -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b 45 -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6 46 -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2 47 48 Note: The binary format of the secrets table injected by the 49 Guest Owner is described in 50 drivers/virt/coco/efi_secret/efi_secret.c under "Structure of 51 the EFI secret area".

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

TOMOYO Linux Cross Reference Linux/Documentation/ABI/testing/securityfs-secrets-coco

TOMOYO Linux Cross Reference
Linux/Documentation/ABI/testing/securityfs-secrets-coco