From: Andi Kleen <ak@linux.intel.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Dov Murik <dovmurik@linux.ibm.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>,
linux-efi@vger.kernel.org,
Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@ibm.com>,
Jim Cadden <jcadden@ibm.com>,
James Bottomley <jejb@linux.ibm.com>,
Hubertus Franke <frankeh@us.ibm.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Laszlo Ersek <lersek@redhat.com>,
Ashish Kalra <ashish.kalra@amd.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Ard Biesheuvel <ardb@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>
Subject: Re: [RFC PATCH 0/3] Allow access to confidential computing secret area
Date: Mon, 24 May 2021 09:31:29 -0700 [thread overview]
Message-ID: <81aa5e70-ab94-393c-92e1-fdac14708aff@linux.intel.com> (raw)
In-Reply-To: <YKuXI9TUBa3sjY3e@work-vm>
On 5/24/2021 5:08 AM, Dr. David Alan Gilbert wrote:
> * Andi K
> Is there any way we could merge these two so that the TDX/SVKL would
> look similar to SEV/ES to userspace? If we needed some initrd glue here
> for luks it would be great if we could have one piece of glue.
> [I'm not sure if the numbering/naming of the secrets, and their format
> are defined in the same way]
Maybe. There might well be differences in the contents as you say. So
far SVKL doesn't really exist yet, initially there will be the initrd
based agents. The agents definitely will need to know about TDX.
>
> Do you think the ioctl is preferable to read+ftruncate/unlink ?
> And if it was an ioctl, again could we get some standardisation here -
> i.e.
> maybe a /dev/confguest with a CONF_COMP_GET_KEY etc ?
The advantage of the two ioctls is that they are very simple. Anything
with a file system would be a lot more complicated. For security related
code simplicity is a virtue.
Also since it's a really simple read and clear model I don't expect the
value to be used widely, since it will be gone after boot anyways.
-andi
next prev parent reply other threads:[~2021-05-24 16:31 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-13 6:26 [RFC PATCH 0/3] Allow access to confidential computing secret area Dov Murik
2021-05-13 6:26 ` [RFC PATCH 3/3] virt: Add sev_secret module to expose confidential computing secrets Dov Murik
2021-05-14 13:01 ` [RFC PATCH 0/3] Allow access to confidential computing secret area Brijesh Singh
2021-05-20 10:38 ` Dov Murik
2021-05-20 10:56 ` Dr. David Alan Gilbert
2021-05-20 22:02 ` Andi Kleen
2021-05-21 15:56 ` Brijesh Singh
2021-05-21 16:03 ` James Bottomley
2021-05-21 16:21 ` Brijesh Singh
2021-05-21 16:41 ` Andi Kleen
2021-05-24 12:08 ` Dr. David Alan Gilbert
2021-05-24 15:35 ` James Bottomley
2021-05-24 16:31 ` Andi Kleen [this message]
2021-05-24 17:12 ` James Bottomley
2021-06-08 19:48 ` Dov Murik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=81aa5e70-ab94-393c-92e1-fdac14708aff@linux.intel.com \
--to=ak@linux.intel.com \
--cc=ardb@kernel.org \
--cc=ashish.kalra@amd.com \
--cc=brijesh.singh@amd.com \
--cc=dgilbert@redhat.com \
--cc=dovmurik@linux.ibm.com \
--cc=frankeh@us.ibm.com \
--cc=jcadden@ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=lersek@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rppt@linux.ibm.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=serge@hallyn.com \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
--cc=tobin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).