Date: Wed, 21 Sep 2022 09:14:09 +0200
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: "Lu, Ken"
Cc: Ard Biesheuvel, "Xu, Min M", Daniel Kiper, "devel@edk2.groups.io", Ard Biesheuvel, "Aktas, Erdem", James Bottomley, "Yao, Jiewen"
Subject: Re: [edk2-devel] measurement to command-line/initrd for loading kernel via -kernel option
Message-ID: <20220921071409.5oziya6kcfvkkkp7@sirius.home.kraxel.org>
References: <20220920132027.y4yz4ugghpilqplx@sirius.home.kraxel.org> <20220920141823.byhnbirfnl777jql@sirius.home.kraxel.org>

On Tue, Sep 20, 2022 at 02:30:01PM +0000, Lu, Ken wrote:
> > > So there are two types of loaders:
> > > 1. QemuKernelLoaderFsDxe - this way just puts the kernel/initrd blob into a FS
> > >    for any future usage, maybe continue boot or not.
> > > 2. QemuLoadKernelImage - this is consumed by TryRunningQemuKernel()
> > >    - standard Qemu direct boot path
> >
> > Nope. QemuLoadKernelImage loads the linux kernel from the virtual filesystem
> > created by QemuKernelLoaderFsDxe. And for the initrd it'll just pass
> > 'initrd=initrd' and the stub loads it.
> >
> > We have two variants:
> >   GenericQemuLoadImageLib - supports efi stub only
> >   X86QemuLoadImageLib     - has fallback code paths for the legacy
> >                             pre-efi-stub boot protocol (guess that
> >                             is the one grub has deprecated for 2.06).
> >
> > So, yes, with the legacy protocol there is no stub which can measure things, but
> > for the sake of confidential computing we can completely ignore that. Kernels
> > which are *that* old certainly will not have support for SEV / TDX ...
>
> Thanks Hoffmann. Hmm.. GenericQemuLoadImageLib sounds like it is used by ArmVirtQemu.dsc, OvmfXen.dsc, AmdSevX64.dsc, .....
> But X86QemuLoadImageLib is used by OvmfPkgX64.dsc and Intel TDX~~
>
> Headache.... do you want to use GenericQemuLoadImageLib to replace the X86 one for OvmfPkgX64.dsc also?

I think most x86 should stick to X86QemuLoadImageLib for backward compatibility reasons.

The AmdSevX64 and IntelTDX variants can most likely be switched over to GenericQemuLoadImageLib without breaking stuff. Linux kernels new enough to support sev / tdx should not need the legacy support.

> But either in GenericQemuLoadImageLib, it can do measurement for command line and initrd, correct?

Yes, it could. But why, given that the linux kernel efi stub measures anyway?

take care,
  Gerd
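To make concrete what "the efi stub measures anyway" means for a verifier, here is an added example (not code from this thread, from edk2's QemuLoadImageLib variants, or from the Linux EFI stub) that replays SHA-256 PCR extends over a constructed kernel command line and initrd. The PCR bank, the event labels, the `measured_by` annotation and the sample bytes are assumptions chosen for illustration. It shows that the replayed PCR depends only on the ordered digests, not on whether the firmware loader library or the kernel stub issued the extend, and that any change to the command line passed over fw_cfg (such as an appended `init=/bin/sh`) changes the value an attestation policy would accept.

```python
"""Replay of TPM PCR extends for a QEMU direct-boot kernel command line and initrd.

Added example only: not code from the edk2 thread above, from edk2's
QemuLoadImageLib variants, or from the Linux EFI stub.  The PCR bank, the
event labels and the sample boot artefacts are assumptions for illustration.
"""
import hashlib

PCR_SIZE = 32  # one SHA-256 bank (assumed; the hash algorithm is illustrative)

# Constructed sample data, not a real kernel command line / initrd.
SAMPLE_CMDLINE = b"console=ttyS0 root=/dev/vda1 ro"
SAMPLE_INITRD = b"\x1f\x8b" + b"constructed-initrd-payload" * 8


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one bank: new = H(old || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("expected %d-byte PCR and digest" % PCR_SIZE)
    return sha256(pcr + digest)


def measure(label: str, data: bytes) -> dict:
    """One event-log record: a descriptive label plus the digest of `data`.

    Only the digest feeds the PCR; the label (e.g. which component issued
    the measurement) is log metadata and does not influence the PCR value.
    """
    return {"label": label, "size": len(data), "digest": sha256(data)}


def replay_pcr(events: list) -> bytes:
    """Recompute the PCR a verifier expects from an ordered event log."""
    pcr = bytes(PCR_SIZE)  # PCRs in this bank start zeroed at reset
    for event in events:
        pcr = extend(pcr, event["digest"])
    return pcr


def direct_boot_log(cmdline: bytes, initrd: bytes, measured_by: str = "efi-stub") -> list:
    """Event log for the cmdline/initrd pair discussed in the thread.

    `measured_by` records whether the firmware loader library or the kernel
    EFI stub performed the extend.  It is annotation only (an assumption of
    this example): the PCR replay is identical either way as long as the
    same bytes are hashed in the same order.
    """
    return [
        measure("%s: kernel command line" % measured_by, cmdline),
        measure("%s: initrd" % measured_by, initrd),
    ]


def golden_pcr_for(cmdline: bytes, initrd: bytes) -> bytes:
    """Policy side: compute the reference value from the approved inputs."""
    return replay_pcr(direct_boot_log(cmdline, initrd))


def verify_boot(events: list, quoted_pcr: bytes, golden_pcr: bytes) -> bool:
    """Attestation check: the log must replay to the quoted PCR, and that
    PCR must be the one policy expects for the approved cmdline and initrd."""
    return replay_pcr(events) == quoted_pcr == golden_pcr


if __name__ == "__main__":
    golden = golden_pcr_for(SAMPLE_CMDLINE, SAMPLE_INITRD)
    # Same bytes measured by a different component: same PCR.
    fw_log = direct_boot_log(SAMPLE_CMDLINE, SAMPLE_INITRD, measured_by="firmware")
    print("same PCR regardless of measurer:", replay_pcr(fw_log) == golden)
    # Attacker appends init=/bin/sh to the (unauthenticated) fw_cfg command line.
    bad_log = direct_boot_log(SAMPLE_CMDLINE + b" init=/bin/sh", SAMPLE_INITRD)
    print("tampered cmdline accepted:", verify_boot(bad_log, replay_pcr(bad_log), golden))
```

A real verifier would parse the firmware's TCG2 event log and compare against a TPM quote rather than against an in-memory list, and the kernel image itself is measured separately by the firmware; the example deliberately covers only the command line and initrd that the thread is about. Because the replay is order-sensitive, the policy also has to agree on the order in which the two are extended, which is one reason to have a single component (here the stub) own both measurements rather than splitting them between firmware and kernel.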