From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min Xu, Leif Lindholm, Ard Biesheuvel, Abner Chang, Daniel Schaefer, Gerd Hoffmann, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky
Subject: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Date: Tue, 17 Jan 2023 07:31:54 +0800
Message-Id: <20230116233158.1268-1-min.m.xu@intel.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In current DXE FV there are 100+ drivers. Some of the drivers are not used
in Td guest (such as USB support drivers, network related drivers, etc).
From the security perspective, if a driver is not used, we should prevent
it from being loaded/started. There are 2 benefits:
  1. Reduce the attack surface
  2. Improve the boot performance

So we introduce Separate-Fv, which separates DXEFV into 2 FVs: DXEFV and
NCCFV. All the drivers which are not needed by a Confidential Computing
guest are moved from DXEFV to NCCFV. When booting a CC guest only the
drivers in DXEFV will be loaded and started. For a Non-CC guest both DXEFV
and NCCFV drivers will be loaded and started.

Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
Patch#2 adds PCDs/GUID for NCCFV.
Patch#3 moves cc-unused drivers to NCCFV.
Patch#4 updates PeilessStartupLib to find NCCFV for non-cc guest.

Code: https://github.com/mxu9/edk2/tree/Separate-Fv.v3

v3 changes:
 - Rebase the code base to 7cd55f3009.

v2 changes:
 - Move shell from DXEFV to NCCFV.
 - Wrap shell into "!if $(BUILD_SHELL) == TRUE" for consistency with the
   other ovmf build variants.

Cc: Leif Lindholm
Cc: Ard Biesheuvel
Cc: Abner Chang
Cc: Daniel Schaefer
Cc: Gerd Hoffmann
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Signed-off-by: Min Xu

Min M Xu (4):
  EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
  OvmfPkg: Add PCDs/GUID for NCCFV
  OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
  OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest

 EmbeddedPkg/Include/Library/PrePiLib.h      |  23 ++-
 EmbeddedPkg/Library/PrePiLib/FwVol.c        |  42 ++++--
 EmbeddedPkg/Library/PrePiLib/PrePiLib.c     |   2 +-
 OvmfPkg/IntelTdx/IntelTdxX64.dsc            |  11 +-
 OvmfPkg/IntelTdx/IntelTdxX64.fdf            | 112 ++++++++++-----
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 134 +++++++++++++++++-
 .../PeilessStartupInternal.h                |   6 +
 .../PeilessStartupLib/PeilessStartupLib.inf |   1 +
 OvmfPkg/OvmfPkg.dec                         |   3 +
 9 files changed, 275 insertions(+), 59 deletions(-)

-- 
2.29.2.windows.2
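The cover letter describes the mechanism in two sentences: a section-check hook is threaded through the PrePiLib FV search, and the CC/non-CC decision determines whether the NCCFV image is ever found and dispatched. The following is an added, self-contained C model of that pattern written for this page; it is not code from this series or from edk2. The section struct, the type codes, both GUID values, and every function name (find_sections, reject_nccfv, fv_images_loaded, loads_nccfv) are constructed stand-ins, and the real NCCFV GUID is the one patch #2 adds to OvmfPkg.dec, not the placeholder used here.

```c
/* Added model, not edk2 code: a caller-supplied section-check hook in the
 * style of the FFS_CHECK_SECTION_HOOK this series adds to PrePiLib. The
 * search over a firmware file's sections consults the hook, so a
 * Confidential Computing (CC) guest can refuse the NCCFV image while a
 * non-CC guest accepts both DXEFV and NCCFV. Every type, value and name
 * below is a constructed stand-in, not an edk2 identifier. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } GUID_T;

/* Constructed placeholder GUIDs; the real NCCFV GUID lives in OvmfPkg.dec. */
#define DXEFV_GUID_INIT {0x11111111, 0x1111, 0x1111, {1, 1, 1, 1, 1, 1, 1, 1}}
#define NCCFV_GUID_INIT {0x22222222, 0x2222, 0x2222, {2, 2, 2, 2, 2, 2, 2, 2}}
static const GUID_T NCCFV_GUID = NCCFV_GUID_INIT;

enum { SECTION_RAW = 1, SECTION_FV_IMAGE = 2 };  /* constructed type codes */

/* Simplified section: its type and, for FV image sections, the name GUID
 * of the embedded firmware volume. */
typedef struct { uint8_t type; GUID_T fv_name; } SECTION_T;

/* Hook contract: return true to accept the section, false to skip it. */
typedef bool (*CHECK_SECTION_HOOK)(const SECTION_T *sec);

static bool guid_eq(const GUID_T *a, const GUID_T *b) {
  return memcmp(a, b, sizeof *a) == 0;
}

/* Collect up to `max` sections of `type` that the hook accepts (a NULL
 * hook accepts everything). Returns how many indices were written. */
static size_t find_sections(const SECTION_T *secs, size_t n, uint8_t type,
                            CHECK_SECTION_HOOK hook, size_t *out, size_t max) {
  size_t found = 0;
  for (size_t i = 0; i < n && found < max; i++) {
    if (secs[i].type != type) continue;
    if (hook != NULL && !hook(&secs[i])) continue;
    out[found++] = i;
  }
  return found;
}

/* Hook installed for CC guests: refuse any FV image carrying NCCFV. */
static bool reject_nccfv(const SECTION_T *sec) {
  return !guid_eq(&sec->fv_name, &NCCFV_GUID);
}

/* Constructed file contents, with NCCFV ahead of DXEFV so the hook is seen
 * to skip an entry rather than merely stop at the first match. */
static const SECTION_T SAMPLE_SECTIONS[] = {
  { SECTION_RAW,      {0} },
  { SECTION_FV_IMAGE, NCCFV_GUID_INIT },
  { SECTION_FV_IMAGE, DXEFV_GUID_INIT },
};
#define SAMPLE_COUNT (sizeof SAMPLE_SECTIONS / sizeof SAMPLE_SECTIONS[0])

/* Number of FV images a guest of the given kind would go on to load. */
static size_t fv_images_loaded(bool is_cc_guest) {
  size_t idx[SAMPLE_COUNT];
  return find_sections(SAMPLE_SECTIONS, SAMPLE_COUNT, SECTION_FV_IMAGE,
                       is_cc_guest ? reject_nccfv : NULL, idx, SAMPLE_COUNT);
}

/* True if any FV image the guest would load is NCCFV. */
static bool loads_nccfv(bool is_cc_guest) {
  size_t idx[SAMPLE_COUNT];
  size_t n = find_sections(SAMPLE_SECTIONS, SAMPLE_COUNT, SECTION_FV_IMAGE,
                           is_cc_guest ? reject_nccfv : NULL, idx, SAMPLE_COUNT);
  for (size_t i = 0; i < n; i++)
    if (guid_eq(&SAMPLE_SECTIONS[idx[i]].fv_name, &NCCFV_GUID)) return true;
  return false;
}

int main(void) {
  printf("CC guest:     %zu FV image(s), NCCFV loaded = %d\n",
         fv_images_loaded(true), loads_nccfv(true));
  printf("non-CC guest: %zu FV image(s), NCCFV loaded = %d\n",
         fv_images_loaded(false), loads_nccfv(false));
  return 0;
}
```

The point worth checking in a review of the real series is the one this model makes visible: the decision is taken by the search hook before any image is loaded, so in a CC guest the NCCFV section is never handed to the dispatcher at all, rather than being loaded and then ignored. The sample deliberately places NCCFV before DXEFV so that a hook which merely stopped at the first FV image would give the wrong answer.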