-
David Brazdil authored
Open Profile for DICE is an open protocol for measured boot compatible with the Trusted Computing Group's Device Identifier Composition Engine (DICE) specification. The generated Compound Device Identifier (CDI) certificates represent the hardware/software combination measured by DICE, and can be used for remote attestation and sealing. Add a driver that exposes reserved memory regions populated by firmware with DICE CDIs and exposes them to userspace via a character device. Userspace obtains the memory region's size from read() and calls mmap() to create a mapping of the memory region in its address space. The mapping is not allowed to be write+shared, giving userspace a guarantee that the data were not overwritten by another process. Userspace can also call write(), which triggers a wipe of the DICE data by the driver. Because both the kernel and userspace mappings use write-combine semantics, all clients observe the memory as zeroed after the syscall has returned. Cc: Andrew Scull <ascull@google.com> Cc: Will Deacon <will@kernel.org> Acked-by: Rob Herring <robh@kernel.org> Signed-off-by: David Brazdil <dbrazdil@google.com> Link: https://lore.kernel.org/r/20220126231237.529308-3-dbrazdil@google.comSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
f396eded