Linux 5.19 Allows EFI Accessing VM Secrets For Confidential Computing / AMD SEV

The EFI changes for the Linux 5.19 kernel bring a few interesting changes, including the ability to access secrets injected into the boot image via Confidential Computing "CoCo" hypervisors.

With Linux 5.19 comes a new "efi_secret" module that exposes confidential computing EFI secret area (stored within a reserved area of the EFI reserved memory area) to the guest VM via the SecurityFS interface. When SecurityFS is enabled and this new efi_secret module, any secrets are accessible via the default/sys/kernel/security/coco/efi_secret directory. A file represents each secret entry. Privileged applications can read these secrets passed to the VM via the secure secret injection mechanism of capable hypervisors. AMD EPYC processors with Secure Encrypted Virtualization (SEV) for example can pass secrets using the "LAUNCH_SECRET" command.

Applications after reading these secret files can remove/unlink the files which will in turn cause them to zero out the secret in memory.

Linux 5.19 with the "efi_secret" kernel module will allow VMs to securely access secrets passed to it and backed by hardware security on the likes of AMD EPYC with SEV.

While this is initially tailored to AMD SEV for exposing confidential computing EFI secrets, the driver itself was written by an IBM engineer. More details on this new capability via the newly-added documentation.

In addition to the EFI secrets support, the other EFI changes for Linux 5.19 include the ability for EFI run-time services to be re-enabled at boot on real-time (RT) kernels, using DXE services on x86_64 to allow making the boot image executable after relocation if needed, and preferring mirrored memory for randomized allocations.