From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min Xu, Leif Lindholm, Ard Biesheuvel, Abner Chang, Daniel Schaefer, Gerd Hoffmann, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky
Subject: [PATCH 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Date: Tue, 15 Nov 2022 14:22:32 +0800
Message-Id: <20221115062236.1744-1-min.m.xu@intel.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In current DXE FV there are 100+ drivers. Some of the drivers are not used in a Td guest (such as USB support drivers, network related drivers, etc.). From the security perspective, if a driver is not used, we should prevent it from being loaded/started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance

So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which are not needed by a Confidential Computing guest are moved from DXEFV to NCCFV. When booting a CC guest only the drivers in DXEFV will be loaded and started. For a Non-CC guest both DXEFV and NCCFV drivers will be loaded and started.

Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
Patch#2 adds PCDs/GUID for NCCFV.
Patch#3 moves cc-unused drivers to NCCFV.
Patch#4 updates PeilessStartupLib to find NCCFV for a non-cc guest.

Code: https://github.com/mxu9/edk2/tree/Separate-Fv.v1

Cc: Leif Lindholm
Cc: Ard Biesheuvel
Cc: Abner Chang
Cc: Daniel Schaefer
Cc: Gerd Hoffmann
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Signed-off-by: Min Xu

Min M Xu (4):
  EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
  OvmfPkg: Add PCDs/GUID for NCCFV
  OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
  OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest

 EmbeddedPkg/Include/Library/PrePiLib.h      |  23 ++-
 EmbeddedPkg/Library/PrePiLib/FwVol.c        |  42 ++++--
 EmbeddedPkg/Library/PrePiLib/PrePiLib.c     |   2 +-
 OvmfPkg/IntelTdx/IntelTdxX64.fdf            | 111 ++++++++++-----
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 134 +++++++++++++++++-
 .../PeilessStartupInternal.h                |   6 +
 .../PeilessStartupLib/PeilessStartupLib.inf |   1 +
 OvmfPkg/OvmfPkg.dec                         |   3 +
 8 files changed, 264 insertions(+), 58 deletions(-)

-- 
2.29.2.windows.2
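The section-finding hook and the CC-versus-non-CC gating described in the cover letter, as an added C illustration that is not code from this patch series or from EDK2. It assumes a hypothetical hook typedef, a GuestCtx, a constructed text tag standing in for the FV name GUID and a constructed two-section buffer; only the 4-byte common section header layout and the 0x17 FV-image section type are real PI values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Real PI layout: a common section header is a 3-byte little-endian size plus a 1-byte type. */
#define EFI_SECTION_FIRMWARE_VOLUME_IMAGE 0x17
typedef struct { uint8_t Size[3]; uint8_t Type; } EFI_COMMON_SECTION_HEADER;
#define SECTION_SIZE(s) ((uint32_t)(s)->Size[0] | ((uint32_t)(s)->Size[1] << 8) | ((uint32_t)(s)->Size[2] << 16))
/* Hypothetical hook shape modelled on the series' FFS_CHECK_SECTION_HOOK (true = accept the section). */
typedef bool (*CheckSectionHook)(const EFI_COMMON_SECTION_HEADER *Sec, void *Ctx);
typedef struct { bool CcGuest; } GuestCtx;

/* Walk one FFS file body (4-byte aligned sections) and return the first section of the requested type
   that the hook accepts; an out-of-range size stops the walk instead of overrunning the buffer. */
const EFI_COMMON_SECTION_HEADER *FindSectionWithHook(const uint8_t *body, size_t len,
    uint8_t type, CheckSectionHook hook, void *ctx) {
  for (size_t off = 0; off + sizeof(EFI_COMMON_SECTION_HEADER) <= len;) {
    const EFI_COMMON_SECTION_HEADER *s = (const EFI_COMMON_SECTION_HEADER *)(body + off);
    uint32_t sz = SECTION_SIZE(s);
    if (sz < sizeof(*s) || sz > len - off) return NULL;              /* malformed: stop here */
    if (s->Type == type && (hook == NULL || hook(s, ctx))) return s;
    off = (off + sz + 3) & ~(size_t)3;
  }
  return NULL;
}

/* Policy hook: a CC guest skips the NCCFV image, a non-CC guest loads every FV image. The FV is
   identified by a constructed NUL-terminated text tag in the section body, not by its real name GUID. */
static bool SkipNccFvInCcGuest(const EFI_COMMON_SECTION_HEADER *s, void *ctx) {
  return !(((GuestCtx *)ctx)->CcGuest && strcmp((const char *)(s + 1), "NCCFV") == 0);
}

/* Append one FV-image section carrying a tag; returns the next 4-byte aligned offset. */
static size_t PutFvSection(uint8_t *buf, size_t off, const char *tag) {
  uint32_t sz = (uint32_t)(sizeof(EFI_COMMON_SECTION_HEADER) + strlen(tag) + 1);
  buf[off] = sz & 0xFF; buf[off + 1] = (sz >> 8) & 0xFF; buf[off + 2] = (sz >> 16) & 0xFF;
  buf[off + 3] = EFI_SECTION_FIRMWARE_VOLUME_IMAGE;
  memcpy(buf + off + 4, tag, strlen(tag) + 1);
  return (off + sz + 3) & ~(size_t)3;
}

/* Constructed file body holding a DXEFV and an NCCFV image section; returns how many FV images the
   loader would accept for the given guest type (CC guest: 1, non-CC guest: 2). */
int CountFvImagesToLoad(bool ccGuest) {
  uint8_t buf[24] = {0};
  size_t end = PutFvSection(buf, PutFvSection(buf, 0, "DXEFV"), "NCCFV");
  GuestCtx g = { ccGuest }; int n = 0;
  for (size_t off = 0; off < end; n++) {
    const EFI_COMMON_SECTION_HEADER *s =
        FindSectionWithHook(buf + off, end - off, EFI_SECTION_FIRMWARE_VOLUME_IMAGE, SkipNccFvInCcGuest, &g);
    if (s == NULL) break;
    off += ((size_t)((const uint8_t *)s - (buf + off)) + SECTION_SIZE(s) + 3) & ~(size_t)3;
  }
  return n;
}
```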