@@ -55,7 +55,8 @@ KCOV_INSTRUMENT := n
lib-y := efi-stub-helper.o gop.o secureboot.o tpm.o \
file.o mem.o random.o randomalloc.o pci.o \
skip_spaces.o lib-cmdline.o lib-ctype.o \
- alignedmem.o relocate.o vsprintf.o
+ alignedmem.o relocate.o vsprintf.o \
+ confidential-computing.o
# include the stub's generic dependencies from lib/ when building for ARM/arm64
efi-deps-y := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c
new file mode 100644
@@ -0,0 +1,68 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Confidential computing secret area handling
+ *
+ * Copyright (C) 2021 IBM Corporation
+ * Author: Dov Murik <dovmurik@linux.ibm.com>
+ */
+
+#include <linux/efi.h>
+#include <linux/sizes.h>
+#include <asm/efi.h>
+
+#include "efistub.h"
+
+#define LINUX_EFI_CONFIDENTIAL_COMPUTING_SECRET_TABLE_GUID \
+ EFI_GUID(0xadf956ad, 0xe98c, 0x484c, 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47)
+
+/**
+ * struct efi_confidential_computing_secret_table - EFI config table that
+ * points to the confidential computing secret area. The guid
+ * LINUX_EFI_CONFIDENTIAL_COMPUTING_SECRET_TABLE_GUID holds this table.
+ * @base: Physical address of the EFI secret area
+ * @size: Size (in bytes) of the EFI secret area
+ */
+struct efi_confidential_computing_secret_table {
+ u64 base;
+ u64 size;
+} __attribute((packed));
+
+/*
+ * Create a copy of EFI's confidential computing secret area (if available) so
+ * that the secrets are accessible in the kernel after ExitBootServices.
+ */
+void efi_copy_confidential_computing_secret_area(void)
+{
+ efi_guid_t linux_secret_area_guid = LINUX_EFI_CONFIDENTIAL_COMPUTING_SECRET_AREA_GUID;
+ efi_status_t status;
+ struct efi_confidential_computing_secret_table *secret_table;
+ struct linux_efi_confidential_computing_secret_area *secret_area;
+
+ secret_table = get_efi_config_table(LINUX_EFI_CONFIDENTIAL_COMPUTING_SECRET_TABLE_GUID);
+ if (!secret_table)
+ return;
+
+ if (secret_table->size == 0 || secret_table->size >= SZ_4G)
+ return;
+
+ /* Allocate space for the secret area and copy it */
+ status = efi_bs_call(allocate_pool, EFI_LOADER_DATA,
+ sizeof(*secret_area) + secret_table->size, (void **)&secret_area);
+
+ if (status != EFI_SUCCESS) {
+ efi_err("Unable to allocate memory for confidential computing secret area copy\n");
+ return;
+ }
+
+ secret_area->size = secret_table->size;
+ memcpy(secret_area->area, (void *)(unsigned long)secret_table->base, secret_table->size);
+
+ status = efi_bs_call(install_configuration_table, &linux_secret_area_guid, secret_area);
+ if (status != EFI_SUCCESS)
+ goto err_free;
+
+ return;
+
+err_free:
+ efi_bs_call(free_pool, secret_area);
+}
@@ -205,6 +205,8 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
efi_retrieve_tpm2_eventlog();
+ efi_copy_confidential_computing_secret_area();
+
/* Ask the firmware to clear memory on unclean shutdown */
efi_enable_reset_attack_mitigation();
@@ -858,4 +858,6 @@ efi_enable_reset_attack_mitigation(void) { }
void efi_retrieve_tpm2_eventlog(void);
+void efi_copy_confidential_computing_secret_area(void);
+
#endif
@@ -793,6 +793,8 @@ unsigned long efi_main(efi_handle_t handle,
efi_retrieve_tpm2_eventlog();
+ efi_copy_confidential_computing_secret_area();
+
setup_graphics(boot_params);
setup_efi_pci(boot_params);
@@ -359,6 +359,8 @@ void efi_native_runtime_setup(void);
#define LINUX_EFI_MEMRESERVE_TABLE_GUID EFI_GUID(0x888eb0c6, 0x8ede, 0x4ff5, 0xa8, 0xf0, 0x9a, 0xee, 0x5c, 0xb9, 0x77, 0xc2)
#define LINUX_EFI_INITRD_MEDIA_GUID EFI_GUID(0x5568e427, 0x68fc, 0x4f3d, 0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68)
#define LINUX_EFI_MOK_VARIABLE_TABLE_GUID EFI_GUID(0xc451ed2b, 0x9694, 0x45d3, 0xba, 0xba, 0xed, 0x9f, 0x89, 0x88, 0xa3, 0x89)
+#define LINUX_EFI_CONFIDENTIAL_COMPUTING_SECRET_AREA_GUID \
+ EFI_GUID(0x940ed1e9, 0xd3da, 0x408b, 0xb3, 0x07, 0xe3, 0x2d, 0x25, 0x4a, 0x65, 0x16)
/* OEM GUIDs */
#define DELLEMC_EFI_RCI2_TABLE_GUID EFI_GUID(0x2d9f28a2, 0xa886, 0x456a, 0x97, 0xa8, 0xf1, 0x1e, 0xf2, 0x4f, 0xf4, 0x55)
@@ -1282,4 +1284,9 @@ static inline struct efi_mokvar_table_entry *efi_mokvar_entry_find(
}
#endif
+struct linux_efi_confidential_computing_secret_area {
+ u32 size;
+ u8 area[];
+};
+
#endif /* _LINUX_EFI_H */
Confidential computing hardware such as AMD SEV (Secure Encrypted Virtualization) allows a guest owner to inject secrets into the VMs memory without the host/hypervisor being able to read them. Firmware support for secret injection is available in OVMF, which reserves a memory area for secret injection and includes a pointer to it the in EFI config table entry LINUX_EFI_CONFIDENTIAL_COMPUTING_SECRET_TABLE_GUID. However, OVMF doesn't force the guest OS to keep this memory area reserved. If EFI exposes such a table entry, efi/libstub will copy this area to a reserved memory for future use inside the kernel. A pointer to the new copy is kept in the EFI table under LINUX_EFI_CONFIDENTIAL_COMPUTING_SECRET_AREA_GUID. Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> --- drivers/firmware/efi/libstub/Makefile | 3 +- .../efi/libstub/confidential-computing.c | 68 +++++++++++++++++++ drivers/firmware/efi/libstub/efi-stub.c | 2 + drivers/firmware/efi/libstub/efistub.h | 2 + drivers/firmware/efi/libstub/x86-stub.c | 2 + include/linux/efi.h | 7 ++ 6 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 drivers/firmware/efi/libstub/confidential-computing.c