On Tue, Nov 02, 2021 at 08:25:06AM +0000, Dov Murik wrote: > The confidential computing secrets area is marked as EfiBootServicesData > region, which means it is released for the OS use when the OS EFI stub > calls ExitBootServices. However, its content is not erased, and > therefore the OS might unintentionally reuse this sensitive memory area > and expose the injected secrets. > > Erase the content of the secret area on ExitBootServices so that the > memory released to the OS contains zeros. If the OS needs to keep the > secrets for its own use, it must copy the secrets area to another memory > area before calling ExitBootServices (for example in efi/libstub in > Linux).
Acked-by: Gerd Hoffmann <[email protected]> take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83125): https://edk2.groups.io/g/devel/message/83125 Mute This Topic: https://groups.io/mt/86761563/21656 Group Owner: [email protected] Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
