Please don't merge this. We're going in a different direction; see
https://edk2.groups.io/g/devel/message/83853 . Instead of letting the
guest kernel copy the secret content and having OVMF erase the original
(the patch below), we mark the area as "reserved" (in OVMF) and then the
OS doesn't

On Tue, Nov 02, 2021 at 08:25:06AM +, Dov Murik wrote:
> The confidential computing secrets area is marked as EfiBootServicesData
> region, which means it is released for the OS use when the OS EFI stub
> calls ExitBootServices. However, its content is not erased, and
> therefore the OS might

The confidential computing secrets area is marked as EfiBootServicesData
region, which means it is released for the OS use when the OS EFI stub
calls ExitBootServices. However, its content is not erased, and
therefore the OS might unintentionally reuse this sensitive memory area
and expose the