Linux 5.19 Allows EFI Accessing VM Secrets For Confidential Computing / AMD SEV

Written by Michael Larabel in Linux Security on 29 May 2022 at 07:45 AM EDT. 3 Comments
LINUX SECURITY
The EFI changes for the Linux 5.19 kernel bring a few interesting changes, including the ability to access secrets injected into the boot image via Confidential Computing "CoCo" hypervisors.

With Linux 5.19 comes a new "efi_secret" module that exposes confidential computing EFI secret area (stored within a reserved area of the EFI reserved memory area) to the guest VM via the SecurityFS interface. When SecurityFS is enabled and this new efi_secret module, any secrets are accessible via the default/sys/kernel/security/coco/efi_secret directory. A file represents each secret entry. Privileged applications can read these secrets passed to the VM via the secure secret injection mechanism of capable hypervisors. AMD EPYC processors with Secure Encrypted Virtualization (SEV) for example can pass secrets using the "LAUNCH_SECRET" command.

Applications after reading these secret files can remove/unlink the files which will in turn cause them to zero out the secret in memory.


Linux 5.19 with the "efi_secret" kernel module will allow VMs to securely access secrets passed to it and backed by hardware security on the likes of AMD EPYC with SEV.


While this is initially tailored to AMD SEV for exposing confidential computing EFI secrets, the driver itself was written by an IBM engineer. More details on this new capability via the newly-added documentation.

In addition to the EFI secrets support, the other EFI changes for Linux 5.19 include the ability for EFI run-time services to be re-enabled at boot on real-time (RT) kernels, using DXE services on x86_64 to allow making the boot image executable after relocation if needed, and preferring mirrored memory for randomized allocations.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week