lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 28 Jun 2021 15:40:02 -0500
From:   Tom Lendacky <thomas.lendacky@....com>
To:     Dov Murik <dovmurik@...ux.ibm.com>, linux-efi@...r.kernel.org
Cc:     Laszlo Ersek <lersek@...hat.com>,
        Ashish Kalra <ashish.kalra@....com>,
        Brijesh Singh <brijesh.singh@....com>,
        Ard Biesheuvel <ardb@...nel.org>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Andi Kleen <ak@...ux.intel.com>,
        "Dr. David Alan Gilbert" <dgilbert@...hat.com>,
        James Bottomley <jejb@...ux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@...ux.ibm.com>,
        Jim Cadden <jcadden@....com>, linux-coco@...ts.linux.dev,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2 2/3] efi: Reserve confidential computing secret
 area

On 6/28/21 1:34 PM, Dov Murik wrote:
> When efi-stub copies an EFI-provided confidential computing secret area,
> reserve that memory block for future use within the kernel.
> 
> Signed-off-by: Dov Murik <dovmurik@...ux.ibm.com>
> ---
>  drivers/firmware/efi/Makefile                 |  2 +-
>  drivers/firmware/efi/confidential-computing.c | 41 +++++++++++++++++++
>  drivers/firmware/efi/efi.c                    |  5 +++
>  include/linux/efi.h                           |  4 ++
>  4 files changed, 51 insertions(+), 1 deletion(-)
>  create mode 100644 drivers/firmware/efi/confidential-computing.c
> 
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index 4f647f1ee298..e9740bd16db0 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -551,6 +551,8 @@ extern struct efi {
>  	unsigned long			tpm_log;		/* TPM2 Event Log table */
>  	unsigned long			tpm_final_log;		/* TPM2 Final Events Log table */
>  	unsigned long			mokvar_table;		/* MOK variable config table */
> +	unsigned long			confidential_computing_secret;	/* Confidential computing */
> +									/* secret table           */

If there is any possibility that someone could reuse a form of this
confidential computing secret table in a bare metal system, then this
table needs to be added to the efi_tables[] array in
arch/x86/platform/efi/efi.c. Otherwise, it will be mapped improperly on a
system with SME active.

Thanks,
Tom

>  
>  	efi_get_time_t			*get_time;
>  	efi_set_time_t			*set_time;
> @@ -1190,6 +1192,8 @@ extern int efi_tpm_final_log_size;
>  
>  extern unsigned long rci2_table_phys;
>  
> +extern int efi_confidential_computing_secret_area_reserve(void);
> +
>  /*
>   * efi_runtime_service() function identifiers.
>   * "NONE" is used by efi_recover_from_page_fault() to check if the page
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ