| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9b9b682f-297e-9ebd-4d67-43c3ed9ad8c5@amd.com>
Date: Mon, 28 Jun 2021 15:40:02 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Dov Murik <dovmurik@...ux.ibm.com>, linux-efi@...r.kernel.org
Cc: Laszlo Ersek <lersek@...hat.com>,
Ashish Kalra <ashish.kalra@....com>,
Brijesh Singh <brijesh.singh@....com>,
Ard Biesheuvel <ardb@...nel.org>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Andi Kleen <ak@...ux.intel.com>,
"Dr. David Alan Gilbert" <dgilbert@...hat.com>,
James Bottomley <jejb@...ux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@...ux.ibm.com>,
Jim Cadden <jcadden@....com>, linux-coco@...ts.linux.dev,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2 2/3] efi: Reserve confidential computing secret
area
On 6/28/21 1:34 PM, Dov Murik wrote:
> When efi-stub copies an EFI-provided confidential computing secret area,
> reserve that memory block for future use within the kernel.
>
> Signed-off-by: Dov Murik <dovmurik@...ux.ibm.com>
> ---
> drivers/firmware/efi/Makefile | 2 +-
> drivers/firmware/efi/confidential-computing.c | 41 +++++++++++++++++++
> drivers/firmware/efi/efi.c | 5 +++
> include/linux/efi.h | 4 ++
> 4 files changed, 51 insertions(+), 1 deletion(-)
> create mode 100644 drivers/firmware/efi/confidential-computing.c
>
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index 4f647f1ee298..e9740bd16db0 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -551,6 +551,8 @@ extern struct efi {
> unsigned long tpm_log; /* TPM2 Event Log table */
> unsigned long tpm_final_log; /* TPM2 Final Events Log table */
> unsigned long mokvar_table; /* MOK variable config table */
> + unsigned long confidential_computing_secret; /* Confidential computing */
> + /* secret table */
If there is any possibility that someone could reuse a form of this
confidential computing secret table in a bare metal system, then this
table needs to be added to the efi_tables[] array in
arch/x86/platform/efi/efi.c. Otherwise, it will be mapped improperly on a
system with SME active.
Thanks,
Tom
>
> efi_get_time_t *get_time;
> efi_set_time_t *set_time;
> @@ -1190,6 +1192,8 @@ extern int efi_tpm_final_log_size;
>
> extern unsigned long rci2_table_phys;
>
> +extern int efi_confidential_computing_secret_area_reserve(void);
> +
> /*
> * efi_runtime_service() function identifiers.
> * "NONE" is used by efi_recover_from_page_fault() to check if the page
>
Powered by blists - more mailing lists