[edk2-devel] [PATCH] OvmfPkg/AmdSev: Erase secret area content on ExitBootServices
Gerd Hoffmann
kraxel at redhat.com
Tue Nov 2 10:05:57 UTC 2021
On Tue, Nov 02, 2021 at 08:25:06AM +0000, Dov Murik wrote:
> The confidential computing secrets area is marked as EfiBootServicesData
> region, which means it is released for the OS use when the OS EFI stub
> calls ExitBootServices. However, its content is not erased, and
> therefore the OS might unintentionally reuse this sensitive memory area
> and expose the injected secrets.
>
> Erase the content of the secret area on ExitBootServices so that the
> memory released to the OS contains zeros. If the OS needs to keep the
> secrets for its own use, it must copy the secrets area to another memory
> area before calling ExitBootServices (for example in efi/libstub in
> Linux).
Acked-by: Gerd Hoffmann <kraxel at redhat.com>
take care,
Gerd
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#83125): https://edk2.groups.io/g/devel/message/83125
Mute This Topic: https://groups.io/mt/86761563/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list