From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min Xu, Leif Lindholm, Ard Biesheuvel, Abner Chang, Daniel Schaefer, Gerd Hoffmann, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky
Subject: [PATCH V2 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Date: Tue, 13 Dec 2022 14:24:05 +0800
Message-Id: <20221213062409.932-1-min.m.xu@intel.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In the current DXE FV there are 100+ drivers. Some of the drivers are not used in a Td guest (such as USB support drivers, network related drivers, etc.).

From the security perspective, if a driver is not used, we should prevent it from being loaded/started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance

So we introduce Separate-Fv, which separates DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which are not needed by a Confidential Computing guest are moved from DXEFV to NCCFV. When booting a CC guest only the drivers in DXEFV will be loaded and started. For a Non-CC guest both DXEFV and NCCFV drivers will be loaded and started.

Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
Patch#2 adds PCDs/GUID for NCCFV.
Patch#3 moves cc-unused drivers to NCCFV.
Patch#4 updates PeilessStartupLib to find NCCFV for non-cc guest.

Code: https://github.com/mxu9/edk2/tree/Separate-Fv.v2

v2 changes:
 - Move shell from DXEFV to NCCFV.
 - Wrap shell into "!if $(BUILD_SHELL) == TRUE" for consistency with the other ovmf build variants.

Cc: Leif Lindholm
Cc: Ard Biesheuvel
Cc: Abner Chang
Cc: Daniel Schaefer
Cc: Gerd Hoffmann
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Signed-off-by: Min Xu

Min M Xu (4):
  EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
  OvmfPkg: Add PCDs/GUID for NCCFV
  OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
  OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest

 EmbeddedPkg/Include/Library/PrePiLib.h      |  23 ++-
 EmbeddedPkg/Library/PrePiLib/FwVol.c        |  42 ++++--
 EmbeddedPkg/Library/PrePiLib/PrePiLib.c     |   2 +-
 OvmfPkg/IntelTdx/IntelTdxX64.dsc            |  11 +-
 OvmfPkg/IntelTdx/IntelTdxX64.fdf            | 112 ++++++++++-----
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 134 +++++++++++++++++-
 .../PeilessStartupInternal.h                |   6 +
 .../PeilessStartupLib/PeilessStartupLib.inf |   1 +
 OvmfPkg/OvmfPkg.dec                         |   3 +
 9 files changed, 275 insertions(+), 59 deletions(-)

-- 
2.29.2.windows.2
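The loading policy the cover letter describes (one FV that every guest walks, a second FV that only a non-CC guest walks, and a per-file check hook that can veto a driver while the volume is searched) is simple enough to model stand-alone. The following C program is an added example written for this page; it is not code from the patch series or from edk2, and the `ModelFv`/`ModelFfsFile` structures, the `SectionCheckHook` type (loosely modelled on the role of the series' FFS_CHECK_SECTION_HOOK, not its real signature) and the sample driver lists are all constructed here for illustration.

```c
/*
 * Added example, not code from the patch series or from edk2: a
 * stand-alone model of the Separate-Fv policy. DXEFV is walked by every
 * guest; NCCFV only by a non-CC guest. A per-file check hook (hypothetical
 * type, modelled on the role of FFS_CHECK_SECTION_HOOK) can veto a file.
 * Structures, driver names and their placement are constructed sample data.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *Name;       /* driver name (constructed sample data)        */
    bool        NeededInCc; /* does a Confidential Computing guest need it? */
} ModelFfsFile;

typedef struct {
    const char         *Name;
    const ModelFfsFile *Files;
    size_t              Count;
} ModelFv;

/* Hypothetical hook: return true to accept the file, false to skip it. */
typedef bool (*SectionCheckHook)(const ModelFfsFile *File, void *Context);

typedef struct { bool IsCcGuest; } LoaderContext;

/* Constructed sample volumes (not the real DXEFV/NCCFV contents). */
static const ModelFfsFile DxeFvFiles[] = {
    { "DxeCore",      true },
    { "Tcg2Dxe",      true },
    { "VirtioBlkDxe", true },
};
static const ModelFfsFile NccFvFiles[] = {
    { "UsbBusDxe", false },
    { "Ip4Dxe",    false },
    { "Shell",     false },
};
static const ModelFv DxeFv = { "DXEFV", DxeFvFiles, sizeof DxeFvFiles / sizeof DxeFvFiles[0] };
static const ModelFv NccFv = { "NCCFV", NccFvFiles, sizeof NccFvFiles / sizeof NccFvFiles[0] };

/* Veto anything a CC guest does not need: a driver that is never loaded
 * cannot be attacked, which is the attack-surface argument of the series. */
static bool CcPolicyHook(const ModelFfsFile *File, void *Context)
{
    const LoaderContext *Ctx = Context;
    return !Ctx->IsCcGuest || File->NeededInCc;
}

/* Walk one FV; record accepted names in Out. Returns the running count. */
static size_t WalkFv(const ModelFv *Fv, SectionCheckHook Hook, void *Context,
                     const char **Out, size_t OutCap, size_t Used)
{
    for (size_t i = 0; i < Fv->Count; i++) {
        if (Hook != NULL && !Hook(&Fv->Files[i], Context))
            continue;                       /* hook vetoed this file */
        if (Used < OutCap)
            Out[Used] = Fv->Files[i].Name;
        Used++;
    }
    return Used;
}

/* Pick FVs by guest type, then dispatch. Returns number of drivers loaded. */
size_t DispatchDrivers(bool IsCcGuest, const char **Out, size_t OutCap)
{
    LoaderContext Ctx = { .IsCcGuest = IsCcGuest };
    size_t Used = WalkFv(&DxeFv, CcPolicyHook, &Ctx, Out, OutCap, 0);
    if (!IsCcGuest)                          /* NCCFV only for non-CC guests */
        Used = WalkFv(&NccFv, CcPolicyHook, &Ctx, Out, OutCap, Used);
    return Used;
}

size_t CountDispatched(bool IsCcGuest)
{
    const char *Loaded[16];
    return DispatchDrivers(IsCcGuest, Loaded, 16);
}

bool WasDispatched(bool IsCcGuest, const char *Name)
{
    const char *Loaded[16];
    size_t n = DispatchDrivers(IsCcGuest, Loaded, 16);
    for (size_t i = 0; i < n; i++)
        if (strcmp(Loaded[i], Name) == 0)
            return true;
    return false;
}

int main(void)
{
    const char *Loaded[16];
    for (int cc = 0; cc < 2; cc++) {
        size_t n = DispatchDrivers(cc != 0, Loaded, 16);
        printf("%s guest: %zu drivers dispatched\n", cc ? "CC" : "non-CC", n);
        for (size_t i = 0; i < n; i++)
            printf("  %s\n", Loaded[i]);
    }
    return 0;
}
```

The point the model makes is that two independent controls stack: the loader never registers NCCFV for a CC guest, so its drivers are not even searched, and the hook can still reject a file that does sit in a volume the loader walks. Either control alone would be enough for the sample data; together they mean a driver accidentally left in DXEFV is still caught if the hook's policy knows it is CC-unused.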