Confidential Computing secrets
This document describes how Confidential Computing secret injection is handled from the firmware to the operating system, in the EFI driver and the efi_secret kernel module.
Introduction
Confidential Computing (coco) hardware such as AMD SEV (Secure Encrypted Virtualization) allows guest owners to inject secrets into the VMs memory without the host/hypervisor being able to read them. In SEV, secret injection is performed early in the VM launch process, before the guest starts running.
The efi_secret kernel module allows userspace applications to access these secrets via securityfs.
Secret data flow
The guest firmware may reserve a designated memory area for secret
injection, and publish its location (base GPA and length) in the EFI
configuration table under a LINUX_EFI_COCO_SECRET_AREA_GUID entry
(adf956ad-e98c-484c-ae11-b51c7d336447). This memory area should be
marked by the firmware as EFI_RESERVED_TYPE, and therefore the kernel
should not be use it for its own purposes.
During the VM’s launch, the virtual machine manager may inject a secret
to that area. In AMD SEV and SEV-ES this is performed using the
KVM_SEV_LAUNCH_SECRET command (see [sev]{.citation}). The
structure of the injected Guest Owner secret data should be a GUIDed
table of secret values; the binary format is described in
drivers/virt/coco/efi_secret/efi_secret.c under “Structure of the EFI
secret area”.
On kernel start, the kernel’s EFI driver saves the location of the
secret area (taken from the EFI configuration table) in the
efi.coco_secret field. Later it checks if the secret area is
populated: it maps the area and checks whether its content begins with
EFI_SECRET_TABLE_HEADER_GUID (1e74f542-71dd-4d66-963e-ef4287ff173b).
If the secret area is populated, the EFI driver will autoload the
efi_secret kernel module, which exposes the secrets to userspace
applications via securityfs. The details of the efi_secret filesystem
interface are in [secrets-coco-abi]{.citation}.
Application usage example
Consider a guest performing computations on encrypted files. The Guest Owner provides the decryption key (= secret) using the secret injection mechanism. The guest application reads the secret from the efi_secret filesystem and proceeds to decrypt the files into memory and then performs the needed computations on the content.
In this example, the host can’t read the files from the disk image because they are encrypted. Host can’t read the decryption key because it is passed using the secret injection mechanism (= secure channel). Host can’t read the decrypted content from memory because it’s a confidential (memory-encrypted) guest.
Here is a simple example for usage of the efi_secret module in a guest to which an EFI secret area with 4 secrets was injected during launch:
# ls -la /sys/kernel/security/secrets/coco
total 0
drwxr-xr-x 2 root root 0 Jun 28 11:54 .
drwxr-xr-x 3 root root 0 Jun 28 11:54 ..
-r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b
-r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6
-r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2
-r--r----- 1 root root 0 Jun 28 11:54 e6f5a162-d67f-4750-a67c-5d065f2a9910
# hd /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910
00000000 74 68 65 73 65 2d 61 72 65 2d 74 68 65 2d 6b 61 |these-are-the-ka|
00000010 74 61 2d 73 65 63 72 65 74 73 00 01 02 03 04 05 |ta-secrets......|
00000020 06 07 |..|
00000022
# rm /sys/kernel/security/secrets/coco/e6f5a162-d67f-4750-a67c-5d065f2a9910
# ls -la /sys/kernel/security/secrets/coco
total 0
drwxr-xr-x 2 root root 0 Jun 28 11:55 .
drwxr-xr-x 3 root root 0 Jun 28 11:54 ..
-r--r----- 1 root root 0 Jun 28 11:54 736870e5-84f0-4973-92ec-06879ce3da0b
-r--r----- 1 root root 0 Jun 28 11:54 83c83f7f-1356-4975-8b7e-d3a0b54312c6
-r--r----- 1 root root 0 Jun 28 11:54 9553f55d-3da2-43ee-ab5d-ff17f78864d2References
See [sev-api-spec]{.citation} for more info regarding
SEV LAUNCH_SECRET operation.
::: {#citations}
[secrets-coco-abi]{#secrets-coco-abi .citation-label}
: Documentation/ABI/testing/securityfs-secrets-coco
[sev]{#sev .citation-label}
: Documentation/virt/kvm/x86/amd-memory-encryption.rst
[sev-api-spec]{#sev-api-spec .citation-label}
: https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf :::