| .. SPDX-License-Identifier: GPL-2.0 |
| |
| ============================== |
| Confidential Computing secrets |
| ============================== |
| |
| This document describes how Confidential Computing secret injection is handled |
| from the firmware to the operating system, in the EFI driver and the efi_secret |
| kernel module. |
| |
| |
| Introduction |
| ============ |
| |
| Confidential Computing (coco) hardware such as AMD SEV (Secure Encrypted |
| Virtualization) allows guest owners to inject secrets into the VMs |
| memory without the host/hypervisor being able to read them. In SEV, |
| secret injection is performed early in the VM launch process, before the |
| guest starts running. |
| |
| The efi_secret kernel module allows userspace applications to access these |
| secrets via securityfs. |
| |
| |
| Secret data flow |
| ================ |
| |
| The guest firmware may reserve a designated memory area for secret injection, |
| and publish its location (base GPA and length) in the EFI configuration table |
| under a ``LINUX_EFI_COCO_SECRET_AREA_GUID`` entry |
| (``adf956ad-e98c-484c-ae11-b51c7d336447``). This memory area should be marked |
| by the firmware as ``EFI_RESERVED_TYPE``, and therefore the kernel should not |
| be use it for its own purposes. |
| |
| During the VM's launch, the virtual machine manager may inject a secret to that |
| area. In AMD SEV and SEV-ES this is performed using the |
| ``KVM_SEV_LAUNCH_SECRET`` command (see [sev]_). The strucutre of the injected |
| Guest Owner secret data should be a GUIDed table of secret values; the binary |
| format is described in ``drivers/virt/coco/efi_secret/efi_secret.c`` under |
| "Structure of the EFI secret area". |
| |
| On kernel start, the kernel's EFI driver saves the location of the secret area |
| (taken from the EFI configuration table) in the ``efi.coco_secret`` field. |
| Later it checks if the secret area is populated: it maps the area and checks |
| whether its content begins with ``EFI_SECRET_TABLE_HEADER_GUID`` |
| (``1e74f542-71dd-4d66-963e-ef4287ff173b``). If the secret area is populated, |
| the EFI driver will autoload the efi_secret kernel module, which exposes the |
| secrets to userspace applications via securityfs. The details of the |
| efi_secret filesystem interface are in [secrets-coco-abi]_. |
| |
| |
| Application usage example |
| ========================= |
| |
| Consider a guest performing computations on encrypted files. The Guest Owner |
| provides the decryption key (= secret) using the secret injection mechanism. |
| The guest application reads the secret from the efi_secret filesystem and |
| proceeds to decrypt the files into memory and then performs the needed |
| computations on the content. |
| |
| In this example, the host can't read the files from the disk image |
| because they are encrypted. Host can't read the decryption key because |
| it is passed using the secret injection mechanism (= secure channel). |
| Host can't read the decrypted content from memory because it's a |
| confidential (memory-encrypted) guest. |
| |
| Here is a simple example for usage of the efi_secret module in a guest |
| to which an EFI secret area with 4 secrets was injected during launch:: |
| |
| # ls -la /sys/kernel/security/secrets/coco |
| total 0 |
| drwxr-xr-x 2 root root 0 Jun 28 11:54 . |
| drwxr-xr-x 3 root root 0 Jun 28 11:54 .. |
| -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b |
| -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6 |
| -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2 |
| -r--r----- 1 root root 0 Jun 28 11:54 e6f5a162-d67f-4750-a67c-5d065f2a9910 |
| |
| # hd /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910 |
| 00000000 74 68 65 73 65 2d 61 72 65 2d 74 68 65 2d 6b 61 |these-are-the-ka| |
| 00000010 74 61 2d 73 65 63 72 65 74 73 00 01 02 03 04 05 |ta-secrets......| |
| 00000020 06 07 |..| |
| 00000022 |
| |
| # rm /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910 |
| |
| # ls -la /sys/kernel/security/secrets/coco |
| total 0 |
| drwxr-xr-x 2 root root 0 Jun 28 11:55 . |
| drwxr-xr-x 3 root root 0 Jun 28 11:54 .. |
| -r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b |
| -r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6 |
| -r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2 |
| |
| |
| References |
| ========== |
| |
| See [sev-api-spec]_ for more info regarding SEV ``LAUNCH_SECRET`` operation. |
| |
| .. [sev] Documentation/virt/kvm/x86/amd-memory-encryption.rst |
| .. [secrets-coco-abi] Documentation/ABI/testing/securityfs-secrets-coco |
| .. [sev-api-spec] https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf |