• David Brazdil's avatar
    misc: open-dice: Add driver to expose DICE data to userspace · f396eded
    David Brazdil authored
    Open Profile for DICE is an open protocol for measured boot compatible
    with the Trusted Computing Group's Device Identifier Composition
    Engine (DICE) specification. The generated Compound Device Identifier
    (CDI) certificates represent the hardware/software combination measured
    by DICE, and can be used for remote attestation and sealing.
    
    Add a driver that exposes reserved memory regions populated by firmware
    with DICE CDIs and exposes them to userspace via a character device.
    
    Userspace obtains the memory region's size from read() and calls mmap()
    to create a mapping of the memory region in its address space. The
    mapping is not allowed to be write+shared, giving userspace a guarantee
    that the data were not overwritten by another process.
    
    Userspace can also call write(), which triggers a wipe of the DICE data
    by the driver. Because both the kernel and userspace mappings use
    write-combine semantics, all clients observe the memory as zeroed after
    the syscall has returned.
    
    Cc: Andrew Scull <ascull@google.com>
    Cc: Will Deacon <will@kernel.org>
    Acked-by: default avatarRob Herring <robh@kernel.org>
    Signed-off-by: default avatarDavid Brazdil <dbrazdil@google.com>
    Link: https://lore.kernel.org/r/20220126231237.529308-3-dbrazdil@google.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    f396eded
open-dice.c 5.38 KB