Message ID | 20220331215607.3182232-4-dovmurik@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Allow guest access to EFI confidential computing secret area | expand |
On 01/04/2022 0:56, Dov Murik wrote: > During efi initialization, check if coco_secret is defined in the EFI > configuration table; in such case, register platform device > "efi_secret". This allows udev to automatically load the efi_secret > module (platform driver), which in turn will populate the > <securityfs>/secrets/coco directory in guests into which secrets were > injected. > > Note that a declared address of an EFI secret area doesn't mean that > secrets where indeed injected to that area; if the secret area is not > populated, the driver will not load (but the platform device will still > be registered). > > Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> > --- > drivers/firmware/efi/efi.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c > index 378d044b2463..b92eabc554e6 100644 > --- a/drivers/firmware/efi/efi.c > +++ b/drivers/firmware/efi/efi.c > @@ -425,6 +425,9 @@ static int __init efisubsys_init(void) > if (efi_enabled(EFI_DBG) && efi_enabled(EFI_PRESERVE_BS_REGIONS)) > efi_debugfs_init(); > > + if (efi.coco_secret != EFI_INVALID_TABLE_ADDR) > + platform_device_register_simple("efi_secret", 0, NULL, 0); These two lines should be wrapped by #ifdef CONFIG_EFI_COCO_SECRET . I'll fix that for the next round. -Dov > + > return 0; > > err_remove_group:
On Thu, Mar 31, 2022 at 09:56:06PM +0000, Dov Murik wrote: > During efi initialization, check if coco_secret is defined in the EFI > configuration table; in such case, register platform device > "efi_secret". This allows udev to automatically load the efi_secret > module (platform driver), which in turn will populate the > <securityfs>/secrets/coco directory in guests into which secrets were > injected. > > Note that a declared address of an EFI secret area doesn't mean that > secrets where indeed injected to that area; if the secret area is not > populated, the driver will not load (but the platform device will still > be registered). > > Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 378d044b2463..b92eabc554e6 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -425,6 +425,9 @@ static int __init efisubsys_init(void) if (efi_enabled(EFI_DBG) && efi_enabled(EFI_PRESERVE_BS_REGIONS)) efi_debugfs_init(); + if (efi.coco_secret != EFI_INVALID_TABLE_ADDR) + platform_device_register_simple("efi_secret", 0, NULL, 0); + return 0; err_remove_group:
During efi initialization, check if coco_secret is defined in the EFI configuration table; in such case, register platform device "efi_secret". This allows udev to automatically load the efi_secret module (platform driver), which in turn will populate the <securityfs>/secrets/coco directory in guests into which secrets were injected. Note that a declared address of an EFI secret area doesn't mean that secrets where indeed injected to that area; if the secret area is not populated, the driver will not load (but the platform device will still be registered). Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> --- drivers/firmware/efi/efi.c | 3 +++ 1 file changed, 3 insertions(+)