From: Lenny Szubowicz <lszubowi@redhat.com>
redhat/configs: Enable CONFIG_EFI_SECRET module
Enable the efi_secret module to provide the contents of the EFI configuration table containing confidential computing (coco) secrets via /sys/kernel/security/secrets/coco/.
CONFIG_EFI_SECRET depends on CONFIG_EFI_COCO_SECRETS, which is similarly defined. However, drivers/virt/coco/efi_secret/Kconfig currently effectively limits CONFIG_EFI_SECRET to X86_64.
Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
diff --git a/redhat/configs/common/generic/CONFIG_EFI_SECRET b/redhat/configs/common/generic/CONFIG_EFI_SECRET new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_EFI_SECRET @@ -0,0 +1 @@ +CONFIG_EFI_SECRET=m
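Review bot: The new file redhat/configs/common/generic/CONFIG_EFI_SECRET sets CONFIG_EFI_SECRET=m for every architecture, yet the commit message says drivers/virt/coco/efi_secret/Kconfig limits the option to X86_64, so the common/generic placement implies wider coverage than the Kconfig dependency allows today. Either place the entry in an x86-specific directory or state in the commit message that it is a no-op on other architectures until the dependency is relaxed. The patch also only adds this one file; where the option is already set elsewhere under redhat/configs (the replies in this thread cite ark/generic/x86 and fedora/generic), those entries should be deleted in the same change so the setting lives in one place.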
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2124
From: pbrobinson on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2124#note_1154716...
LGTM
From: Justin M. Forbes on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2124#note_1162366...
I am not quite sure of the purpose of this MR. The config option is already turned on in RHEL and in Fedora, though in different places.
```
cat redhat/configs/ark/generic/x86/CONFIG_EFI_SECRET
CONFIG_EFI_SECRET=m
cat redhat/configs/fedora/generic/CONFIG_EFI_SECRET
CONFIG_EFI_SECRET=m
```
This MR is not a clean-up as it does not delete either of these entries. It does not change the RHEL config in practice, because the option depends on X86_64 at this point.
From: pbrobinson on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2124#note_1162383...
It would only have the effect of turning it on for ark/aarch64 which we should be doing, but it should clean up the others in the process.
From: Justin M. Forbes on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2124#note_1162434...
Not until upstream changes (I expect them to, but it hasn't happened yet):
```
config EFI_SECRET
	tristate "EFI secret area securityfs support"
	depends on EFI && X86_64
```
From: Patrick Talbert on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2124#note_1174329...
@lszubowi This MR is basically a noop for the kernel-ark project. The automated comment in redhat/centos-stream/src/kernel/centos-stream-9!1276 should not have been posted and we have now updated the script that does those checks so that it will not comment in these cases.
kernel-ark already sets `CONFIG_EFI_SECRET=m` under `ark/generic/x86/CONFIG_EFI_SECRET` so the generated config will be the same before and after this MR.
So IMHO this MR is not needed and should be closed.
From: Lenny Szubowicz on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2124#note_1174703...
@ptalbert you are correct about this MR being completely unnecessary and I will close it. I don't know how I missed the existing ark/generic/x86/CONFIG_EFI_SECRET. Thanks for the review.