From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] [RFC PATCH 01/19] OvmfPkg: Reserve the Secrets and Cpuid page for the SEV-SNP guest
To: "Xu, Min M"
Cc: devel@edk2.groups.io, thomas.lendacky@amd.com, "jejb@linux.ibm.com", Brijesh Singh, "Yao, Jiewen", "Justen, Jordan L", Ard Biesheuvel, Paolo Bonzini
References: <20210324153215.17971-1-brijesh.singh@amd.com>
 <20210324153215.17971-2-brijesh.singh@amd.com>
 <719a63e555376ca65a7bbe0c7e23c20b6b631cd3.camel@linux.ibm.com>
 <9aa00ba0-def0-9a4e-1578-0b55b8047ebd@redhat.com>
 <2ff2c569-1032-3e5f-132a-159c47c9f067@amd.com>
From: "Laszlo Ersek"
Message-ID: <18180548-016d-4e37-68fd-050dfc3b4e77@redhat.com>
Date: Fri, 9 Apr 2021 15:32:50 +0200
In-Reply-To: <2ff2c569-1032-3e5f-132a-159c47c9f067@amd.com>

Hi Min,

On 04/08/21 15:31, Lendacky, Thomas wrote:
> On 4/8/21 1:24 AM, Xu, Min M wrote:
>> Yes this is the root cause. TDX requires the startup mode to be 32-bit
>> protected mode while the legacy VM startup mode is 16-bit real mode.
>> Adding more BITS directives can work round this. I have tried it and it works.
>>
>> So my initial solution is to use *jmp rel8* because it works in both 16-bit
>> and 32-bit mode. But *jmp rel8* depends on the distance which should
>> be less than 128 bytes. If more metadata is added in the ResetVector.asm
>> then we have to use the BITS solution.
>
> To me, it sounds like the BITS solution should be the approach you use
> from the start.

BTW, have you considered using a separate ResetVector module for TDX?
That would obviate this multi-mode trickery. (Most recently raised by
Paolo.)

I think TDX will need a separate platform DSC / FDF / fw binary anyway.
I realize that's not a done deal yet; it may depend on who provides the
firmware binary (guest owner or cloud owner) -- of course the guest owner
will have to perform the attestation in either case, but the "provenance"
question remains open, IIUC.

And even if TDX gets its own firmware platform, it's a separate question
whether the ResetVector module itself should be split. I'm inclined to
think a separation at that level would make development and maintenance
easier.

(FWIW, Xen PVH has its own reset vector module, in
OvmfPkg/XenResetVector.)

Thanks
Laszlo
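
The point the quoted discussion turns on, as an added example that is not part of this message or of the edk2 sources: a short `jmp rel8` (opcode `EB`) decodes identically in 16-bit and 32-bit mode but only reaches -128..+127 bytes from the next instruction, while a near jump (`E9`) changes length and target with the mode. The names `decode_jmp` and `fits_rel8` and the sample bytes are constructed for illustration, and the decoder assumes no operand-size prefix.

```c
#include <stdint.h>
#include <stdio.h>
struct jmp { int len; long target; };   /* length, target offset in buffer */

/* Decode the JMP at code[off] as a CPU in 16- or 32-bit mode would,
 * assuming no operand-size prefix. Returns 0 on success, -1 otherwise. */
int decode_jmp(const uint8_t *code, size_t size, size_t off, int bits, struct jmp *out)
{
    if (off >= size || (bits != 16 && bits != 32)) return -1;
    if (code[off] == 0xEB && off + 2 <= size) {   /* JMP rel8: mode-independent */
        out->len = 2;
        out->target = (long)off + 2 + (int8_t)code[off + 1];
        return 0;
    }
    int n = bits / 8;                   /* E9 takes rel16 or rel32, by mode */
    if (code[off] == 0xE9 && off + 1 + n <= size) {
        uint32_t disp = 0;
        for (int i = 0; i < n; i++)
            disp |= (uint32_t)code[off + 1 + i] << (8 * i);
        out->len = 1 + n;
        out->target = (long)off + out->len +
                      (n == 2 ? (long)(int16_t)disp : (long)(int32_t)disp);
        return 0;
    }
    return -1;
}

/* Can a 2-byte JMP rel8 placed at offset `from` reach offset `to`? */
int fits_rel8(long from, long to)
{
    long d = to - (from + 2);           /* displacement counts from next IP */
    return d >= -128 && d <= 127;
}

/* Constructed sample bytes, not taken from ResetVector.asm. */
const uint8_t SHORT_JMP[]  = { 0xEB, 0x10 };
const uint8_t NEAR_JMP32[] = { 0xE9, 0x10, 0x00, 0x00, 0x00 };  /* 32-bit encoding */

int main(void)
{
    struct jmp s, n;
    for (int bits = 16; bits <= 32; bits += 16) {
        decode_jmp(SHORT_JMP, sizeof SHORT_JMP, 0, bits, &s);
        decode_jmp(NEAR_JMP32, sizeof NEAR_JMP32, 0, bits, &n);
        printf("%d-bit: EB len=%d target=%ld | E9 len=%d target=%ld\n",
               bits, s.len, s.target, n.len, n.target);
    }
    return 0;
}
```

In 16-bit mode the `E9` encoding assembled for 32-bit is read as a 3-byte instruction, so its last two displacement bytes would be executed as a separate instruction.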