Date: Wed, 15 Dec 2021 11:27:53 +0100
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Min Xu
Cc: devel@edk2.groups.io, Michael D Kinney, Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky
Subject: Re: [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B
Message-ID: <20211215102753.m4bp56bdxzgmdzkr@sirius.home.kraxel.org>
In-Reply-To: <20211214134126.869-9-min.m.xu@intel.com>
References: <20211214134126.869-1-min.m.xu@intel.com> <20211214134126.869-9-min.m.xu@intel.com>

On Tue, Dec 14, 2021 at 09:41:24PM +0800, Min Xu wrote:
> RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
>
> Tdvf Config-B skips the PEI phase to reduce attack surface. So instead of
> jumping to SecStartupPhase2 (), TdxStartup () is called. This function
> brings up the Tdx guest from the SEC phase to the DXE phase.

> + #ifdef INTEL_TDX_FULL_FEATURE
> + if (SecTdxIsEnabled ()) {
> + TdxStartup (&SecCoreData);
> +
> + //
> + // Never arrived here
> + //
> + ASSERT (FALSE);
> + CpuDeadLoop ();
> + }
> +
> + #endif

Oh, wow. So you compile in PEI, then decide at runtime whether you use it or not?

No. Please don't. That's just silly.

If you don't want to use PEI, ok, fine, but please go all the way then: remove PEI from the build and take the PEI-less code path in all cases.

take care,
  Gerd
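Review bot: the `#ifdef INTEL_TDX_FULL_FEATURE` block keeps the PEI path (`SecStartupPhase2 ()`) compiled into the same image and selects `TdxStartup (&SecCoreData)` only at runtime via `SecTdxIsEnabled ()`, so the attack-surface reduction the commit message claims for Config-B (skipping PEI) is not delivered by this hunk on its own: PEI is still present in the firmware and still reachable whenever the runtime check is false. If Config-B is meant to have no PEI, the build should drop the PEI modules and unconditionally take the PEI-less path rather than branch on a runtime check, which is the point raised in the reply. Two smaller items in the same hunk: the comment `// Never arrived here` should read `// Never reached`, and since `ASSERT (FALSE)` is a debug-only check, the `CpuDeadLoop ()` that follows it is the guard that actually stops execution on an unexpected return from `TdxStartup ()` and should stay.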