* [PATCH V3 1/4] EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
2023-01-16 23:31 [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Min Xu
@ 2023-01-16 23:31 ` Min Xu
2023-01-16 23:31 ` [PATCH V3 2/4] OvmfPkg: Add PCDs/GUID for NCCFV Min Xu
` (3 subsequent siblings)
4 siblings, 0 replies; 17+ messages in thread
From: Min Xu @ 2023-01-16 23:31 UTC (permalink / raw)
To: devel
Cc: Min M Xu, Leif Lindholm, Ard Biesheuvel, Abner Chang,
Daniel Schaefer, Gerd Hoffmann, Erdem Aktas, James Bottomley,
Jiewen Yao, Tom Lendacky
From: Min M Xu <min.m.xu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
EmbeddedPkg/PrePiLib provides the service of finding sections based on
the input SectionType. But sometimes there maybe multiple sections
with the same SectionType. FFS_CHECK_SECTION_HOOK is a hook which can
be called to do additional check.
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: Daniel Schaefer <git@danielschaefer.me>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
EmbeddedPkg/Include/Library/PrePiLib.h | 23 +++++++++++---
EmbeddedPkg/Library/PrePiLib/FwVol.c | 42 ++++++++++++++++++-------
EmbeddedPkg/Library/PrePiLib/PrePiLib.c | 2 +-
3 files changed, 49 insertions(+), 18 deletions(-)
diff --git a/EmbeddedPkg/Include/Library/PrePiLib.h b/EmbeddedPkg/Include/Library/PrePiLib.h
index 3741b08c4478..f60b6678185a 100644
--- a/EmbeddedPkg/Include/Library/PrePiLib.h
+++ b/EmbeddedPkg/Include/Library/PrePiLib.h
@@ -52,11 +52,23 @@ FfsFindNextFile (
IN OUT EFI_PEI_FILE_HANDLE *FileHandle
);
+/**
+ * This is a hook which is used to check if the section is the target one.
+ *
+ */
+typedef
+EFI_STATUS
+(EFIAPI *FFS_CHECK_SECTION_HOOK)(
+ IN EFI_COMMON_SECTION_HEADER *Section
+ );
+
/**
This service enables discovery sections of a given type within a valid FFS file.
+ Caller also can provide a SectionCheckHook to do additional checking.
- @param SearchType The value of the section type to find.
- @param FfsFileHeader A pointer to the file header that contains the set of sections to
+ @param SectionType The value of the section type to find.
+ @param SectionCheckHook A hook which can check if the section is the target one.
+ @param FileHeader A pointer to the file header that contains the set of sections to
be searched.
@param SectionData A pointer to the discovered section, if successful.
@@ -67,9 +79,10 @@ FfsFindNextFile (
EFI_STATUS
EFIAPI
FfsFindSectionData (
- IN EFI_SECTION_TYPE SectionType,
- IN EFI_PEI_FILE_HANDLE FileHandle,
- OUT VOID **SectionData
+ IN EFI_SECTION_TYPE SectionType,
+ IN FFS_CHECK_SECTION_HOOK SectionCheckHook,
+ IN EFI_PEI_FILE_HANDLE FileHandle,
+ OUT VOID **SectionData
);
/**
diff --git a/EmbeddedPkg/Library/PrePiLib/FwVol.c b/EmbeddedPkg/Library/PrePiLib/FwVol.c
index 0a6d6925b7ea..778d8b13c33b 100644
--- a/EmbeddedPkg/Library/PrePiLib/FwVol.c
+++ b/EmbeddedPkg/Library/PrePiLib/FwVol.c
@@ -264,16 +264,18 @@ FindFileEx (
Go through the file to search SectionType section,
when meeting an encapsuled section.
- @param SectionType - Filter to find only section of this type.
- @param Section - From where to search.
- @param SectionSize - The file size to search.
- @param OutputBuffer - Pointer to the section to search.
+ @param SectionType - Filter to find only section of this type.
+ @param SectionCheckHook - A hook which can check if the section is the target one.
+ @param Section - From where to search.
+ @param SectionSize - The file size to search.
+ @param OutputBuffer - Pointer to the section to search.
@retval EFI_SUCCESS
**/
EFI_STATUS
FfsProcessSection (
IN EFI_SECTION_TYPE SectionType,
+ IN FFS_CHECK_SECTION_HOOK SectionCheckHook,
IN EFI_COMMON_SECTION_HEADER *Section,
IN UINTN SectionSize,
OUT VOID **OutputBuffer
@@ -292,7 +294,9 @@ FfsProcessSection (
UINT32 AuthenticationStatus;
CHAR8 *CompressedData;
UINT32 CompressedDataLength;
+ BOOLEAN Found;
+ Found = FALSE;
*OutputBuffer = NULL;
ParsedLength = 0;
Status = EFI_NOT_FOUND;
@@ -302,13 +306,23 @@ FfsProcessSection (
}
if (Section->Type == SectionType) {
- if (IS_SECTION2 (Section)) {
- *OutputBuffer = (VOID *)((UINT8 *)Section + sizeof (EFI_COMMON_SECTION_HEADER2));
+ if (SectionCheckHook != NULL) {
+ Found = SectionCheckHook (Section) == EFI_SUCCESS;
} else {
- *OutputBuffer = (VOID *)((UINT8 *)Section + sizeof (EFI_COMMON_SECTION_HEADER));
+ Found = TRUE;
}
- return EFI_SUCCESS;
+ if (Found) {
+ if (IS_SECTION2 (Section)) {
+ *OutputBuffer = (VOID *)((UINT8 *)Section + sizeof (EFI_COMMON_SECTION_HEADER2));
+ } else {
+ *OutputBuffer = (VOID *)((UINT8 *)Section + sizeof (EFI_COMMON_SECTION_HEADER));
+ }
+
+ return EFI_SUCCESS;
+ } else {
+ goto CheckNextSection;
+ }
} else if ((Section->Type == EFI_SECTION_COMPRESSION) || (Section->Type == EFI_SECTION_GUID_DEFINED)) {
if (Section->Type == EFI_SECTION_COMPRESSION) {
if (IS_SECTION2 (Section)) {
@@ -415,6 +429,7 @@ FfsProcessSection (
} else {
return FfsProcessSection (
SectionType,
+ SectionCheckHook,
DstBuffer,
DstBufferSize,
OutputBuffer
@@ -422,6 +437,7 @@ FfsProcessSection (
}
}
+CheckNextSection:
if (IS_SECTION2 (Section)) {
SectionLength = SECTION2_SIZE (Section);
} else {
@@ -456,9 +472,10 @@ FfsProcessSection (
EFI_STATUS
EFIAPI
FfsFindSectionData (
- IN EFI_SECTION_TYPE SectionType,
- IN EFI_PEI_FILE_HANDLE FileHandle,
- OUT VOID **SectionData
+ IN EFI_SECTION_TYPE SectionType,
+ IN FFS_CHECK_SECTION_HOOK SectionCheckHook,
+ IN EFI_PEI_FILE_HANDLE FileHandle,
+ OUT VOID **SectionData
)
{
EFI_FFS_FILE_HEADER *FfsFileHeader;
@@ -478,6 +495,7 @@ FfsFindSectionData (
return FfsProcessSection (
SectionType,
+ SectionCheckHook,
Section,
FileSize,
SectionData
@@ -799,7 +817,7 @@ FfsProcessFvFile (
//
// Find FvImage in FvFile
//
- Status = FfsFindSectionData (EFI_SECTION_FIRMWARE_VOLUME_IMAGE, FvFileHandle, (VOID **)&FvImageHandle);
+ Status = FfsFindSectionData (EFI_SECTION_FIRMWARE_VOLUME_IMAGE, NULL, FvFileHandle, (VOID **)&FvImageHandle);
if (EFI_ERROR (Status)) {
return Status;
}
diff --git a/EmbeddedPkg/Library/PrePiLib/PrePiLib.c b/EmbeddedPkg/Library/PrePiLib/PrePiLib.c
index a0c5d02debd0..3b6fc4f0eba8 100644
--- a/EmbeddedPkg/Library/PrePiLib/PrePiLib.c
+++ b/EmbeddedPkg/Library/PrePiLib/PrePiLib.c
@@ -131,7 +131,7 @@ LoadDxeCoreFromFfsFile (
VOID *Hob;
EFI_FV_FILE_INFO FvFileInfo;
- Status = FfsFindSectionData (EFI_SECTION_PE32, FileHandle, &PeCoffImage);
+ Status = FfsFindSectionData (EFI_SECTION_PE32, NULL, FileHandle, &PeCoffImage);
if (EFI_ERROR (Status)) {
return Status;
}
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH V3 2/4] OvmfPkg: Add PCDs/GUID for NCCFV
2023-01-16 23:31 [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Min Xu
2023-01-16 23:31 ` [PATCH V3 1/4] EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section Min Xu
@ 2023-01-16 23:31 ` Min Xu
2023-01-16 23:31 ` [PATCH V3 3/4] OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf Min Xu
` (2 subsequent siblings)
4 siblings, 0 replies; 17+ messages in thread
From: Min Xu @ 2023-01-16 23:31 UTC (permalink / raw)
To: devel
Cc: Min M Xu, Gerd Hoffmann, Erdem Aktas, James Bottomley, Jiewen Yao,
Tom Lendacky
From: Min M Xu <min.m.xu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
NCCFV refers to Non-Confidential-Computing-FV. It includes the DXE phase
drivers which are only loaded/started in non-cc guest. Hence the
PCDs / GUID for NCCFV are defined in OvmfPkg.dec.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
OvmfPkg/OvmfPkg.dec | 3 +++
1 file changed, 3 insertions(+)
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index e07546f4a701..1b521f2604ff 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -156,6 +156,7 @@
gUefiOvmfPkgPlatformInfoGuid = {0xdec9b486, 0x1f16, 0x47c7, {0x8f, 0x68, 0xdf, 0x1a, 0x41, 0x88, 0x8b, 0xa5}}
gVMMBootOrderGuid = {0x668f4529, 0x63d0, 0x4bb5, {0xb6, 0x5d, 0x6f, 0xbb, 0x9d, 0x36, 0xa4, 0x4a}}
gUefiOvmfPkgTdxAcpiHobGuid = {0x6a0c5870, 0xd4ed, 0x44f4, {0xa1, 0x35, 0xdd, 0x23, 0x8b, 0x6f, 0x0c, 0x8d}}
+ gEfiNonCcFvGuid = {0xae047c6d, 0xbce9, 0x426c, {0xae, 0x03, 0xa6, 0x8e, 0x3b, 0x8a, 0x04, 0x88}}
[Ppis]
# PPI whose presence in the PPI database signals that the TPM base address
@@ -192,6 +193,8 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize|0x0|UINT32|1
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|0x0|UINT32|0x15
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize|0x0|UINT32|0x16
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeNonCcFvBase|0x0|UINT32|0x6a
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeNonCcFvSize|0x0|UINT32|0x6b
## This flag is used to control the destination port for PlatformDebugLibIoPort
gUefiOvmfPkgTokenSpaceGuid.PcdDebugIoPort|0x402|UINT16|4
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH V3 3/4] OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
2023-01-16 23:31 [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Min Xu
2023-01-16 23:31 ` [PATCH V3 1/4] EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section Min Xu
2023-01-16 23:31 ` [PATCH V3 2/4] OvmfPkg: Add PCDs/GUID for NCCFV Min Xu
@ 2023-01-16 23:31 ` Min Xu
2023-01-17 10:56 ` Gerd Hoffmann
2023-01-16 23:31 ` [PATCH V3 4/4] OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest Min Xu
2023-01-17 10:58 ` [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Gerd Hoffmann
4 siblings, 1 reply; 17+ messages in thread
From: Min Xu @ 2023-01-16 23:31 UTC (permalink / raw)
To: devel
Cc: Min M Xu, Gerd Hoffmann, Erdem Aktas, James Bottomley, Jiewen Yao,
Tom Lendacky
From: Min M Xu <min.m.xu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
In current DXE FV there are 100+ drivers. Some of the drivers are not
used in Td guest. (Such as USB support drivers, network related drivers,
etc).
>From the security perspective if a driver is not used, we'd should prevent
it from being loaded / started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance
So we separate DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which
are not needed by a Confidential Computing guest are moved from DXEFV
to NCCFV.
The following patch will find NCCFV for non-cc guest and build FVHob
so that NCCFV drivers can be loaded / started in DXE phase.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 11 ++-
OvmfPkg/IntelTdx/IntelTdxX64.fdf | 112 ++++++++++++++++++++-----------
2 files changed, 83 insertions(+), 40 deletions(-)
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 81511e3556a6..0f1e970fbbb3 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -31,6 +31,11 @@
#
DEFINE SECURE_BOOT_ENABLE = FALSE
+ #
+ # Shell can be useful for debugging but should not be enabled for production
+ #
+ DEFINE BUILD_SHELL = TRUE
+
#
# Device drivers
#
@@ -204,7 +209,9 @@
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
+!if $(BUILD_SHELL) == TRUE
ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+!endif
ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
@@ -720,12 +727,13 @@
MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
-!if $(TOOL_CHAIN_TAG) != "XCODE5"
+!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
}
!endif
+!if $(BUILD_SHELL) == TRUE
ShellPkg/Application/Shell/Shell.inf {
<LibraryClasses>
ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf
@@ -744,6 +752,7 @@
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
}
+!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
index a57bbcee8986..73dffc104301 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
@@ -97,10 +97,14 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCp
0x010000|0x010000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
-0x100000|0xC00000
+0x100000|0x700000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
FV = DXEFV
+0x800000|0x500000
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeNonCcFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeNonCcFvSize
+FV = NCCFV
+
##########################################################################################
# Set the SEV-ES specific work area PCDs
#
@@ -183,7 +187,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
-INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF UefiCpuPkg/CpuDxe/CpuDxe.inf
@@ -201,17 +204,6 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
-INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
-INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
-!if $(PVSCSI_ENABLE) == TRUE
-INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
-!endif
-!if $(MPT_SCSI_ENABLE) == TRUE
-INF OvmfPkg/MptScsiDxe/MptScsiDxe.inf
-!endif
-!if $(LSI_SCSI_ENABLE) == TRUE
-INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf
-!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -222,19 +214,14 @@ INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDx
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
INF MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
INF MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
-INF MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
INF MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
-INF MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
INF MdeModulePkg/Application/UiApp/UiApp.inf
INF OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
INF MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
-INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
-INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
-INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
INF OvmfPkg/SataControllerDxe/SataControllerDxe.inf
INF MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
INF MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@@ -242,34 +229,94 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
INF OvmfPkg/SioBusDxe/SioBusDxe.inf
INF MdeModulePkg/Bus/Pci/PciSioSerialDxe/PciSioSerialDxe.inf
-INF MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KeyboardDxe.inf
INF MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf
INF OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.inf
INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf
INF OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
+
+INF FatPkg/EnhancedFatDxe/Fat.inf
+INF OvmfPkg/TdxDxe/TdxDxe.inf
+
+INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+
+#
+# Variable driver stack (non-SMM)
+#
+INF OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
+INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf
+INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+
+#
+# EFI_CC_MEASUREMENT_PROTOCOL
+#
+INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
+
+################################################################################
+
+[FV.NCCFV]
+FvForceRebase = FALSE
+FvNameGuid = AE047C6D-BCE9-426C-AE03-A68E3B8A0488
+BlockSize = 0x10000
+FvAlignment = 16
+ERASE_POLARITY = 1
+MEMORY_MAPPED = TRUE
+STICKY_WRITE = TRUE
+LOCK_CAP = TRUE
+LOCK_STATUS = TRUE
+WRITE_DISABLED_CAP = TRUE
+WRITE_ENABLED_CAP = TRUE
+WRITE_STATUS = TRUE
+WRITE_LOCK_CAP = TRUE
+WRITE_LOCK_STATUS = TRUE
+READ_DISABLED_CAP = TRUE
+READ_ENABLED_CAP = TRUE
+READ_STATUS = TRUE
+READ_LOCK_CAP = TRUE
+READ_LOCK_STATUS = TRUE
+
+#
+# DXE Phase modules
+#
+INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
+!if $(PVSCSI_ENABLE) == TRUE
+INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+!endif
+!if $(MPT_SCSI_ENABLE) == TRUE
+INF OvmfPkg/MptScsiDxe/MptScsiDxe.inf
+!endif
+!if $(LSI_SCSI_ENABLE) == TRUE
+INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf
+!endif
+INF MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
+INF MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+INF MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KeyboardDxe.inf
INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
-
-INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
-!if $(TOOL_CHAIN_TAG) != "XCODE5"
+!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
+!if $(BUILD_SHELL) == TRUE
INF ShellPkg/Application/Shell/Shell.inf
+!endif
INF MdeModulePkg/Logo/LogoDxe.inf
-INF OvmfPkg/TdxDxe/TdxDxe.inf
-
#
# Usb Support
#
@@ -285,20 +332,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
INF OvmfPkg/PlatformDxe/Platform.inf
-INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
-
-#
-# Variable driver stack (non-SMM)
-#
-INF OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
-INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf
-INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
-INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
-
-#
-# EFI_CC_MEASUREMENT_PROTOCOL
-#
-INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
################################################################################
@@ -329,6 +362,7 @@ FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
# compression operation in order to achieve better overall compression.
#
SECTION FV_IMAGE = DXEFV
+ SECTION FV_IMAGE = NCCFV
}
}
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH V3 3/4] OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
2023-01-16 23:31 ` [PATCH V3 3/4] OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf Min Xu
@ 2023-01-17 10:56 ` Gerd Hoffmann
2023-01-17 13:07 ` Min Xu
0 siblings, 1 reply; 17+ messages in thread
From: Gerd Hoffmann @ 2023-01-17 10:56 UTC (permalink / raw)
To: Min Xu; +Cc: devel, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky
Hi,
> -INF MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
If you move the gfx console driver you can move the gfx hardware drivers
too:
OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
take care,
Gerd
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3 3/4] OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
2023-01-17 10:56 ` Gerd Hoffmann
@ 2023-01-17 13:07 ` Min Xu
2023-01-18 7:54 ` Gerd Hoffmann
0 siblings, 1 reply; 17+ messages in thread
From: Min Xu @ 2023-01-17 13:07 UTC (permalink / raw)
To: Gerd Hoffmann
Cc: devel@edk2.groups.io, Aktas, Erdem, James Bottomley, Yao, Jiewen,
Tom Lendacky
On January 17, 2023 6:57 PM, Gerd Hoffmann wrote:
>
> > -INF
> MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDx
> e.inf
>
> If you move the gfx console driver you can move the gfx hardware drivers
> too:
>
> OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
> OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
> OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
>
Do you mean these 3 gfx hardware drivers should be in NCCFV as GraphicsConsoleDxe is? They're are all in NCCFV.
https://github.com/mxu9/edk2/blob/Separate-Fv.v3/OvmfPkg/IntelTdx/IntelTdxX64.fdf#L298
https://github.com/mxu9/edk2/blob/Separate-Fv.v3/OvmfPkg/IntelTdx/IntelTdxX64.fdf#L330-L333
Thanks
Min
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3 3/4] OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
2023-01-17 13:07 ` Min Xu
@ 2023-01-18 7:54 ` Gerd Hoffmann
0 siblings, 0 replies; 17+ messages in thread
From: Gerd Hoffmann @ 2023-01-18 7:54 UTC (permalink / raw)
To: Xu, Min M
Cc: devel@edk2.groups.io, Aktas, Erdem, James Bottomley, Yao, Jiewen,
Tom Lendacky
On Tue, Jan 17, 2023 at 01:07:53PM +0000, Xu, Min M wrote:
> On January 17, 2023 6:57 PM, Gerd Hoffmann wrote:
> >
> > > -INF
> > MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDx
> > e.inf
> >
> > If you move the gfx console driver you can move the gfx hardware drivers
> > too:
> >
> > OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
> > OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
> > OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
> >
> Do you mean these 3 gfx hardware drivers should be in NCCFV as GraphicsConsoleDxe is? They're are all in NCCFV.
> https://github.com/mxu9/edk2/blob/Separate-Fv.v3/OvmfPkg/IntelTdx/IntelTdxX64.fdf#L298
> https://github.com/mxu9/edk2/blob/Separate-Fv.v3/OvmfPkg/IntelTdx/IntelTdxX64.fdf#L330-L333
Good. I missed them being moved down, but sees this was not needed in
the first place ;)
take care,
Gerd
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH V3 4/4] OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest
2023-01-16 23:31 [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Min Xu
` (2 preceding siblings ...)
2023-01-16 23:31 ` [PATCH V3 3/4] OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf Min Xu
@ 2023-01-16 23:31 ` Min Xu
2023-01-17 10:58 ` [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Gerd Hoffmann
4 siblings, 0 replies; 17+ messages in thread
From: Min Xu @ 2023-01-16 23:31 UTC (permalink / raw)
To: devel
Cc: Min M Xu, Gerd Hoffmann, Erdem Aktas, James Bottomley, Jiewen Yao,
Tom Lendacky
From: Min M Xu <min.m.xu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
As described in BZ#4152, NCCFV includes the DXE phase drivers for non-cc
guest. PeilessStartupLib is updated to find NCCFV for non-cc guest.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 134 +++++++++++++++++-
.../PeilessStartupInternal.h | 6 +
.../PeilessStartupLib/PeilessStartupLib.inf | 1 +
3 files changed, 140 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c b/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
index 6e79c3084672..4b1fefd452dc 100644
--- a/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
+++ b/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
@@ -22,6 +22,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/ReportStatusCodeLib.h>
#define STACK_SIZE 0x20000
+extern EFI_GUID gEfiNonCcFvGuid;
/**
Transfers control to DxeCore.
@@ -136,6 +137,133 @@ FindDxeCore (
return Status;
}
+/**
+ * This is a FFS_CHECK_SECTION_HOOK which is defined by caller to check
+ * if the section is an EFI_SECTION_FIRMWARE_VOLUME_IMAGE and if it is
+ * a NonCc FV.
+ *
+ * @param Section The section in which we're checking for the NonCc FV.
+ * @return EFI_STATUS The section is the NonCc FV.
+ */
+EFI_STATUS
+EFIAPI
+CheckSectionHookForDxeNonCc (
+ IN EFI_COMMON_SECTION_HEADER *Section
+ )
+{
+ VOID *Buffer;
+ EFI_STATUS Status;
+ EFI_FV_INFO FvImageInfo;
+
+ if (Section->Type != EFI_SECTION_FIRMWARE_VOLUME_IMAGE) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (IS_SECTION2 (Section)) {
+ Buffer = (VOID *)((UINT8 *)Section + sizeof (EFI_COMMON_SECTION_HEADER2));
+ } else {
+ Buffer = (VOID *)((UINT8 *)Section + sizeof (EFI_COMMON_SECTION_HEADER));
+ }
+
+ ZeroMem (&FvImageInfo, sizeof (FvImageInfo));
+ Status = FfsGetVolumeInfo ((EFI_PEI_FV_HANDLE)(UINTN)Buffer, &FvImageInfo);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Cannot get volume info! %r\n", Status));
+ return Status;
+ }
+
+ return CompareGuid (&FvImageInfo.FvName, &gEfiNonCcFvGuid) ? EFI_SUCCESS : EFI_NOT_FOUND;
+}
+
+/**
+ * Find the NonCc FV.
+ *
+ * @param FvInstance The FvInstance number.
+ * @return EFI_STATUS Successfuly find the NonCc FV.
+ */
+EFI_STATUS
+EFIAPI
+FindDxeNonCc (
+ IN INTN FvInstance
+ )
+{
+ EFI_STATUS Status;
+ EFI_PEI_FV_HANDLE VolumeHandle;
+ EFI_PEI_FILE_HANDLE FileHandle;
+ EFI_PEI_FV_HANDLE FvImageHandle;
+ EFI_FV_INFO FvImageInfo;
+ UINT32 FvAlignment;
+ VOID *FvBuffer;
+
+ FileHandle = NULL;
+
+ //
+ // Caller passed in a specific FV to try, so only try that one
+ //
+ Status = FfsFindNextVolume (FvInstance, &VolumeHandle);
+ ASSERT (Status == EFI_SUCCESS);
+
+ Status = FfsFindNextFile (EFI_FV_FILETYPE_FIRMWARE_VOLUME_IMAGE, VolumeHandle, &FileHandle);
+ ASSERT (FileHandle != NULL);
+
+ //
+ // Find FvImage in FvFile
+ //
+ Status = FfsFindSectionData (EFI_SECTION_FIRMWARE_VOLUME_IMAGE, CheckSectionHookForDxeNonCc, FileHandle, (VOID **)&FvImageHandle);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ //
+ // Collect FvImage Info.
+ //
+ ZeroMem (&FvImageInfo, sizeof (FvImageInfo));
+ Status = FfsGetVolumeInfo (FvImageHandle, &FvImageInfo);
+ ASSERT_EFI_ERROR (Status);
+
+ //
+ // FvAlignment must be more than 8 bytes required by FvHeader structure.
+ //
+ FvAlignment = 1 << ((FvImageInfo.FvAttributes & EFI_FVB2_ALIGNMENT) >> 16);
+ if (FvAlignment < 8) {
+ FvAlignment = 8;
+ }
+
+ //
+ // Check FvImage
+ //
+ if ((UINTN)FvImageInfo.FvStart % FvAlignment != 0) {
+ FvBuffer = AllocateAlignedPages (EFI_SIZE_TO_PAGES ((UINT32)FvImageInfo.FvSize), FvAlignment);
+ if (FvBuffer == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ CopyMem (FvBuffer, FvImageInfo.FvStart, (UINTN)FvImageInfo.FvSize);
+ //
+ // Update FvImageInfo after reload FvImage to new aligned memory
+ //
+ FfsGetVolumeInfo ((EFI_PEI_FV_HANDLE)FvBuffer, &FvImageInfo);
+ }
+
+ //
+ // Inform HOB consumer phase, i.e. DXE core, the existence of this FV
+ //
+ BuildFvHob ((EFI_PHYSICAL_ADDRESS)(UINTN)FvImageInfo.FvStart, FvImageInfo.FvSize);
+
+ //
+ // Makes the encapsulated volume show up in DXE phase to skip processing of
+ // encapsulated file again.
+ //
+ BuildFv2Hob (
+ (EFI_PHYSICAL_ADDRESS)(UINTN)FvImageInfo.FvStart,
+ FvImageInfo.FvSize,
+ &FvImageInfo.FvName,
+ &(((EFI_FFS_FILE_HEADER *)FileHandle)->Name)
+ );
+
+ return Status;
+}
+
/**
This function finds DXE Core in the firmware volume and transfer the control to
DXE core.
@@ -168,10 +296,14 @@ DxeLoadCore (
return Status;
}
+ if (!TdIsEnabled ()) {
+ FindDxeNonCc (FvInstance);
+ }
+
//
// Load the DXE Core from a Firmware Volume.
//
- Status = FfsFindSectionData (EFI_SECTION_PE32, FileHandle, &PeCoffImage);
+ Status = FfsFindSectionData (EFI_SECTION_PE32, NULL, FileHandle, &PeCoffImage);
if (EFI_ERROR (Status)) {
return Status;
}
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h
index 09cac3e26c67..f56bc3578e5e 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h
@@ -21,6 +21,12 @@ DxeLoadCore (
IN INTN FvInstance
);
+EFI_STATUS
+EFIAPI
+FindDxeNonCc (
+ IN INTN FvInstance
+ );
+
VOID
EFIAPI
TransferHobList (
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
index def50b4b019e..5c6eb1597bea 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@@ -67,6 +67,7 @@
gEfiMemoryTypeInformationGuid
gPcdDataBaseHobGuid
gCcEventEntryHobGuid
+ gEfiNonCcFvGuid
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdCfvBase
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-16 23:31 [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Min Xu
` (3 preceding siblings ...)
2023-01-16 23:31 ` [PATCH V3 4/4] OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest Min Xu
@ 2023-01-17 10:58 ` Gerd Hoffmann
2023-01-18 3:05 ` Yao, Jiewen
4 siblings, 1 reply; 17+ messages in thread
From: Gerd Hoffmann @ 2023-01-17 10:58 UTC (permalink / raw)
To: Min Xu
Cc: devel, Leif Lindholm, Ard Biesheuvel, Abner Chang,
Daniel Schaefer, Erdem Aktas, James Bottomley, Jiewen Yao,
Tom Lendacky
On Tue, Jan 17, 2023 at 07:31:54AM +0800, Min Xu wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
>
> In current DXE FV there are 100+ drivers. Some of the drivers are not
> used in Td guest. (Such as USB support drivers, network related
> drivers, etc).
>
> From the security perspective if a driver is not used, we should prevent
> it from being loaded/started. There are 2 benefits:
> 1. Reduce the attack surface
> 2. Improve the boot performance
>
> So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV
> and NCCFV. All the drivers which are not needed by a Confidential
> Computing guest are moved from DXEFV to NCCFV.
>
> When booting a CC guest only the drivers in DXEFV will be loaded and
> started. For a Non-CC guest both DXEFV and NCCFV drivers will be
> loaded and started.
>
> Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
> Patch#2 adds PCDs/GUID for NCCFV.
> Patch#3 moves cc-unused drivers to NCCFV.
> Patch#4 update PeilessStartupLib to find NCCFV for non-cc guest.
series:
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
take care,
Gerd
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-17 10:58 ` [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Gerd Hoffmann
@ 2023-01-18 3:05 ` Yao, Jiewen
2023-01-18 11:07 ` Ard Biesheuvel
0 siblings, 1 reply; 17+ messages in thread
From: Yao, Jiewen @ 2023-01-18 3:05 UTC (permalink / raw)
To: Gerd Hoffmann, Xu, Min M
Cc: devel@edk2.groups.io, Leif Lindholm, Ard Biesheuvel, Abner Chang,
Daniel Schaefer, Aktas, Erdem, James Bottomley, Tom Lendacky
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Merged https://github.com/tianocore/edk2/pull/3916
> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Tuesday, January 17, 2023 6:58 PM
> To: Xu, Min M <min.m.xu@intel.com>
> Cc: devel@edk2.groups.io; Leif Lindholm <quic_llindhol@quicinc.com>; Ard
> Biesheuvel <ardb+tianocore@kernel.org>; Abner Chang
> <abner.chang@amd.com>; Daniel Schaefer <git@danielschaefer.me>; Aktas,
> Erdem <erdemaktas@google.com>; James Bottomley <jejb@linux.ibm.com>;
> Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> <thomas.lendacky@amd.com>
> Subject: Re: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
>
> On Tue, Jan 17, 2023 at 07:31:54AM +0800, Min Xu wrote:
> > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
> >
> > In current DXE FV there are 100+ drivers. Some of the drivers are not
> > used in Td guest. (Such as USB support drivers, network related
> > drivers, etc).
> >
> > From the security perspective if a driver is not used, we should prevent
> > it from being loaded/started. There are 2 benefits:
> > 1. Reduce the attack surface
> > 2. Improve the boot performance
> >
> > So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV
> > and NCCFV. All the drivers which are not needed by a Confidential
> > Computing guest are moved from DXEFV to NCCFV.
> >
> > When booting a CC guest only the drivers in DXEFV will be loaded and
> > started. For a Non-CC guest both DXEFV and NCCFV drivers will be
> > loaded and started.
> >
> > Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
> > Patch#2 adds PCDs/GUID for NCCFV.
> > Patch#3 moves cc-unused drivers to NCCFV.
> > Patch#4 update PeilessStartupLib to find NCCFV for non-cc guest.
>
> series:
> Acked-by: Gerd Hoffmann <kraxel@redhat.com>
>
> take care,
> Gerd
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-18 3:05 ` Yao, Jiewen
@ 2023-01-18 11:07 ` Ard Biesheuvel
2023-01-18 12:07 ` [edk2-devel] " Yao, Jiewen
2023-01-19 1:50 ` Min Xu
0 siblings, 2 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2023-01-18 11:07 UTC (permalink / raw)
To: Yao, Jiewen, Xu, Min M
Cc: Gerd Hoffmann, devel@edk2.groups.io, Leif Lindholm,
Ard Biesheuvel, Abner Chang, Daniel Schaefer, Aktas, Erdem,
James Bottomley, Tom Lendacky
This series has broken the ArmVirtQemuKernel build (see below).
Please fix or revert.
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:
In function ‘RelocatePeCoffImage’:
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:158:12:
error: too few arguments to function ‘FfsFindSectionData’
158 | Status = FfsFindSectionData (EFI_SECTION_PE32, FileHandle,
&SectionData);
| ^~~~~~~~~~~~~~~~~~
In file included from
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:13:
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/EmbeddedPkg/Include/Library/PrePiLib.h>:81:1:
note: declared here
81 | FfsFindSectionData (
| ^~~~~~~~~~~~~~~~~~
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:160:14:
error: too few arguments to function ‘FfsFindSectionData’
160 | Status = FfsFindSectionData (EFI_SECTION_TE, FileHandle,
&SectionData);
| ^~~~~~~~~~~~~~~~~~
In file included from
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:13:
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/EmbeddedPkg/Include/Library/PrePiLib.h>:81:1:
note: declared here
81 | FfsFindSectionData (
| ^~~~~~~~~~~~~~~~~~
make: *** [GNUmakefile:397:
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/Build/ArmVirtQemuKernel-AARCH64/DEBUG_GCC5/AARCH64/ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreRelocatable/OUTPUT/PrePi.obj]>
Error 1
On Wed, 18 Jan 2023 at 04:05, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>
> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
>
> Merged https://github.com/tianocore/edk2/pull/3916
>
> > -----Original Message-----
> > From: Gerd Hoffmann <kraxel@redhat.com>
> > Sent: Tuesday, January 17, 2023 6:58 PM
> > To: Xu, Min M <min.m.xu@intel.com>
> > Cc: devel@edk2.groups.io; Leif Lindholm <quic_llindhol@quicinc.com>; Ard
> > Biesheuvel <ardb+tianocore@kernel.org>; Abner Chang
> > <abner.chang@amd.com>; Daniel Schaefer <git@danielschaefer.me>; Aktas,
> > Erdem <erdemaktas@google.com>; James Bottomley <jejb@linux.ibm.com>;
> > Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> > <thomas.lendacky@amd.com>
> > Subject: Re: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
> >
> > On Tue, Jan 17, 2023 at 07:31:54AM +0800, Min Xu wrote:
> > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
> > >
> > > In current DXE FV there are 100+ drivers. Some of the drivers are not
> > > used in Td guest. (Such as USB support drivers, network related
> > > drivers, etc).
> > >
> > > From the security perspective if a driver is not used, we should prevent
> > > it from being loaded/started. There are 2 benefits:
> > > 1. Reduce the attack surface
> > > 2. Improve the boot performance
> > >
> > > So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV
> > > and NCCFV. All the drivers which are not needed by a Confidential
> > > Computing guest are moved from DXEFV to NCCFV.
> > >
> > > When booting a CC guest only the drivers in DXEFV will be loaded and
> > > started. For a Non-CC guest both DXEFV and NCCFV drivers will be
> > > loaded and started.
> > >
> > > Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
> > > Patch#2 adds PCDs/GUID for NCCFV.
> > > Patch#3 moves cc-unused drivers to NCCFV.
> > > Patch#4 update PeilessStartupLib to find NCCFV for non-cc guest.
> >
> > series:
> > Acked-by: Gerd Hoffmann <kraxel@redhat.com>
> >
> > take care,
> > Gerd
>
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-18 11:07 ` Ard Biesheuvel
@ 2023-01-18 12:07 ` Yao, Jiewen
2023-01-18 13:43 ` Gerd Hoffmann
2023-01-19 1:50 ` Min Xu
1 sibling, 1 reply; 17+ messages in thread
From: Yao, Jiewen @ 2023-01-18 12:07 UTC (permalink / raw)
To: devel@edk2.groups.io, ardb@kernel.org, Xu, Min M
Cc: Gerd Hoffmann, Leif Lindholm, Ard Biesheuvel, Abner Chang,
Daniel Schaefer, Aktas, Erdem, James Bottomley, Tom Lendacky
Hey Ard
I am worried about the CI for ArmVirtPkg.
Can we add such ArmVirtPkg build into CI?
I feel disappointed that a simple build error cannot be caught by CI.
Hey Min/Ard
I think the reason is that the API in EmbeddedPkg/PrePiLib library is changed. That makes it compatible. It is a bad idea, IMHO.
A better way is to keep old API - FfsFindSectionData(), and add a new API - FfsFindSectionDataWithHook().
That can keep the compatibility, and we don’t worry about any unknown consumer.
Thank you
Yao Jiewen
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Ard
> Biesheuvel
> Sent: Wednesday, January 18, 2023 7:08 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Xu, Min M <min.m.xu@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io; Leif
> Lindholm <quic_llindhol@quicinc.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Abner Chang <abner.chang@amd.com>;
> Daniel Schaefer <git@danielschaefer.me>; Aktas, Erdem
> <erdemaktas@google.com>; James Bottomley <jejb@linux.ibm.com>; Tom
> Lendacky <thomas.lendacky@amd.com>
> Subject: Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in
> OvmfPkg/IntelTdx
>
> This series has broken the ArmVirtQemuKernel build (see below).
>
> Please fix or revert.
>
>
>
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:
> In function ‘RelocatePeCoffImage’:
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:158:12:
> error: too few arguments to function ‘FfsFindSectionData’
> 158 | Status = FfsFindSectionData (EFI_SECTION_PE32, FileHandle,
> &SectionData);
> | ^~~~~~~~~~~~~~~~~~
> In file included from
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:13:
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/EmbeddedPkg/Include/Library/PrePiLib.h>:81:1:
> note: declared here
> 81 | FfsFindSectionData (
> | ^~~~~~~~~~~~~~~~~~
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:160:14:
> error: too few arguments to function ‘FfsFindSectionData’
> 160 | Status = FfsFindSectionData (EFI_SECTION_TE, FileHandle,
> &SectionData);
> | ^~~~~~~~~~~~~~~~~~
> In file included from
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:13:
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/EmbeddedPkg/Include/Library/PrePiLib.h>:81:1:
> note: declared here
> 81 | FfsFindSectionData (
> | ^~~~~~~~~~~~~~~~~~
> make: *** [GNUmakefile:397:
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/Build/ArmVirtQemuKernel-
> AARCH64/DEBUG_GCC5/AARCH64/ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreR
> elocatable/OUTPUT/PrePi.obj]>
> Error 1
>
> On Wed, 18 Jan 2023 at 04:05, Yao, Jiewen <jiewen.yao@intel.com> wrote:
> >
> > Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> >
> > Merged https://github.com/tianocore/edk2/pull/3916
> >
> > > -----Original Message-----
> > > From: Gerd Hoffmann <kraxel@redhat.com>
> > > Sent: Tuesday, January 17, 2023 6:58 PM
> > > To: Xu, Min M <min.m.xu@intel.com>
> > > Cc: devel@edk2.groups.io; Leif Lindholm <quic_llindhol@quicinc.com>;
> Ard
> > > Biesheuvel <ardb+tianocore@kernel.org>; Abner Chang
> > > <abner.chang@amd.com>; Daniel Schaefer <git@danielschaefer.me>;
> Aktas,
> > > Erdem <erdemaktas@google.com>; James Bottomley
> <jejb@linux.ibm.com>;
> > > Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> > > <thomas.lendacky@amd.com>
> > > Subject: Re: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
> > >
> > > On Tue, Jan 17, 2023 at 07:31:54AM +0800, Min Xu wrote:
> > > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
> > > >
> > > > In current DXE FV there are 100+ drivers. Some of the drivers are not
> > > > used in Td guest. (Such as USB support drivers, network related
> > > > drivers, etc).
> > > >
> > > > From the security perspective if a driver is not used, we should prevent
> > > > it from being loaded/started. There are 2 benefits:
> > > > 1. Reduce the attack surface
> > > > 2. Improve the boot performance
> > > >
> > > > So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV
> > > > and NCCFV. All the drivers which are not needed by a Confidential
> > > > Computing guest are moved from DXEFV to NCCFV.
> > > >
> > > > When booting a CC guest only the drivers in DXEFV will be loaded and
> > > > started. For a Non-CC guest both DXEFV and NCCFV drivers will be
> > > > loaded and started.
> > > >
> > > > Patch#1 updates EmbeddedPkg/PrePiLib with
> FFS_CHECK_SECTION_HOOK.
> > > > Patch#2 adds PCDs/GUID for NCCFV.
> > > > Patch#3 moves cc-unused drivers to NCCFV.
> > > > Patch#4 update PeilessStartupLib to find NCCFV for non-cc guest.
> > >
> > > series:
> > > Acked-by: Gerd Hoffmann <kraxel@redhat.com>
> > >
> > > take care,
> > > Gerd
> >
>
>
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-18 12:07 ` [edk2-devel] " Yao, Jiewen
@ 2023-01-18 13:43 ` Gerd Hoffmann
2023-01-18 15:35 ` Ard Biesheuvel
0 siblings, 1 reply; 17+ messages in thread
From: Gerd Hoffmann @ 2023-01-18 13:43 UTC (permalink / raw)
To: Yao, Jiewen
Cc: devel@edk2.groups.io, ardb@kernel.org, Xu, Min M, Leif Lindholm,
Ard Biesheuvel, Abner Chang, Daniel Schaefer, Aktas, Erdem,
James Bottomley, Tom Lendacky
On Wed, Jan 18, 2023 at 12:07:52PM +0000, Yao, Jiewen wrote:
> Hey Ard
> I am worried about the CI for ArmVirtPkg.
> Can we add such ArmVirtPkg build into CI?
CI builds one of the ArmVirtPkg configs (ArmVirtQemu.dsc specifically),
the other ones are not covered right now.
take care,
Gerd
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-18 13:43 ` Gerd Hoffmann
@ 2023-01-18 15:35 ` Ard Biesheuvel
2023-01-18 16:41 ` Yao, Jiewen
0 siblings, 1 reply; 17+ messages in thread
From: Ard Biesheuvel @ 2023-01-18 15:35 UTC (permalink / raw)
To: Gerd Hoffmann, Michael Kubacki
Cc: Yao, Jiewen, devel@edk2.groups.io, Xu, Min M, Leif Lindholm,
Abner Chang, Daniel Schaefer, Aktas, Erdem, James Bottomley,
Tom Lendacky
On Wed, 18 Jan 2023 at 14:43, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> On Wed, Jan 18, 2023 at 12:07:52PM +0000, Yao, Jiewen wrote:
> > Hey Ard
> > I am worried about the CI for ArmVirtPkg.
> > Can we add such ArmVirtPkg build into CI?
>
> CI builds one of the ArmVirtPkg configs (ArmVirtQemu.dsc specifically),
> the other ones are not covered right now.
>
The following platforms are not built by CI:
ArmVirtPkg/ArmVirtQemuKernel.dsc
ArmVirtPkg/ArmVirtKvmTool.dsc
ArmVirtPkg/ArmVirtCloudHv.dsc
ArmVirtPkg/ArmVirtXen.dsc
Maybe Michael can explain whether this can be added easily? I couldn't
quite figure out from the existing scripts whether we can just list
multiple DSCs per package.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-18 15:35 ` Ard Biesheuvel
@ 2023-01-18 16:41 ` Yao, Jiewen
2023-01-18 16:49 ` Ard Biesheuvel
0 siblings, 1 reply; 17+ messages in thread
From: Yao, Jiewen @ 2023-01-18 16:41 UTC (permalink / raw)
To: devel@edk2.groups.io, ardb@kernel.org, Gerd Hoffmann,
Michael Kubacki
Cc: Xu, Min M, Leif Lindholm, Abner Chang, Daniel Schaefer,
Aktas, Erdem, James Bottomley, Tom Lendacky
I think it is feasible.
For example, https://github.com/tianocore/edk2/tree/master/OvmfPkg/PlatformCI includes multiple xxxBuild.py. Each GetDscName() will return different dsc.
But https://github.com/tianocore/edk2/tree/master/ArmVirtPkg/PlatformCI only includes one xxxBuild.py.
As long as we can adopt same mechanism in OvmfPkg, the ArmVirtPkg can support multiple dsc.
I believe that will help to catch such build issue earlier, if we enable them.
Thank you
Yao, Jiewen
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Ard
> Biesheuvel
> Sent: Wednesday, January 18, 2023 11:35 PM
> To: Gerd Hoffmann <kraxel@redhat.com>; Michael Kubacki
> <mikuback@linux.microsoft.com>
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Xu, Min M
> <min.m.xu@intel.com>; Leif Lindholm <quic_llindhol@quicinc.com>; Abner
> Chang <abner.chang@amd.com>; Daniel Schaefer <git@danielschaefer.me>;
> Aktas, Erdem <erdemaktas@google.com>; James Bottomley
> <jejb@linux.ibm.com>; Tom Lendacky <thomas.lendacky@amd.com>
> Subject: Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in
> OvmfPkg/IntelTdx
>
> On Wed, 18 Jan 2023 at 14:43, Gerd Hoffmann <kraxel@redhat.com> wrote:
> >
> > On Wed, Jan 18, 2023 at 12:07:52PM +0000, Yao, Jiewen wrote:
> > > Hey Ard
> > > I am worried about the CI for ArmVirtPkg.
> > > Can we add such ArmVirtPkg build into CI?
> >
> > CI builds one of the ArmVirtPkg configs (ArmVirtQemu.dsc specifically),
> > the other ones are not covered right now.
> >
>
> The following platforms are not built by CI:
>
> ArmVirtPkg/ArmVirtQemuKernel.dsc
> ArmVirtPkg/ArmVirtKvmTool.dsc
> ArmVirtPkg/ArmVirtCloudHv.dsc
> ArmVirtPkg/ArmVirtXen.dsc
>
> Maybe Michael can explain whether this can be added easily? I couldn't
> quite figure out from the existing scripts whether we can just list
> multiple DSCs per package.
>
>
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-18 16:41 ` Yao, Jiewen
@ 2023-01-18 16:49 ` Ard Biesheuvel
0 siblings, 0 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2023-01-18 16:49 UTC (permalink / raw)
To: Yao, Jiewen
Cc: devel@edk2.groups.io, Gerd Hoffmann, Michael Kubacki, Xu, Min M,
Leif Lindholm, Abner Chang, Daniel Schaefer, Aktas, Erdem,
James Bottomley, Tom Lendacky
On Wed, 18 Jan 2023 at 17:41, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>
> I think it is feasible.
>
> For example, https://github.com/tianocore/edk2/tree/master/OvmfPkg/PlatformCI includes multiple xxxBuild.py. Each GetDscName() will return different dsc.
>
> But https://github.com/tianocore/edk2/tree/master/ArmVirtPkg/PlatformCI only includes one xxxBuild.py.
>
> As long as we can adopt same mechanism in OvmfPkg, the ArmVirtPkg can support multiple dsc.
> I believe that will help to catch such build issue earlier, if we enable them.
>
Ah interesting - I didn't realize there are multiple xxxBuild.py
files. I'll try to implement the same for ArmVirtPkg
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
2023-01-18 11:07 ` Ard Biesheuvel
2023-01-18 12:07 ` [edk2-devel] " Yao, Jiewen
@ 2023-01-19 1:50 ` Min Xu
1 sibling, 0 replies; 17+ messages in thread
From: Min Xu @ 2023-01-19 1:50 UTC (permalink / raw)
To: devel@edk2.groups.io, ardb@kernel.org, Yao, Jiewen
Cc: Gerd Hoffmann, Leif Lindholm, Ard Biesheuvel, Abner Chang,
Daniel Schaefer, Aktas, Erdem, James Bottomley, Tom Lendacky
I will submit a patch-set to fix it soon.
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Ard
> Biesheuvel
> Sent: Wednesday, January 18, 2023 7:08 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Xu, Min M <min.m.xu@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io; Leif
> Lindholm <quic_llindhol@quicinc.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Abner Chang <abner.chang@amd.com>;
> Daniel Schaefer <git@danielschaefer.me>; Aktas, Erdem
> <erdemaktas@google.com>; James Bottomley <jejb@linux.ibm.com>; Tom
> Lendacky <thomas.lendacky@amd.com>
> Subject: Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in
> OvmfPkg/IntelTdx
>
> This series has broken the ArmVirtQemuKernel build (see below).
>
> Please fix or revert.
>
>
>
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:
> In function ‘RelocatePeCoffImage’:
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:158:12:
> error: too few arguments to function ‘FfsFindSectionData’
> 158 | Status = FfsFindSectionData (EFI_SECTION_PE32, FileHandle,
> &SectionData);
> | ^~~~~~~~~~~~~~~~~~
> In file included from
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:13:
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/EmbeddedPkg/Include/Library/PrePiLib.h>:81:1:
> note: declared here
> 81 | FfsFindSectionData (
> | ^~~~~~~~~~~~~~~~~~
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:160:14:
> error: too few arguments to function ‘FfsFindSectionData’
> 160 | Status = FfsFindSectionData (EFI_SECTION_TE, FileHandle,
> &SectionData);
> | ^~~~~~~~~~~~~~~~~~
> In file included from
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:13:
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/EmbeddedPkg/Include/Library/PrePiLib.h>:81:1:
> note: declared here
> 81 | FfsFindSectionData (
> | ^~~~~~~~~~~~~~~~~~
> make: *** [GNUmakefile:397:
> <https://ci.linaro.org/job/leg-virt-tianocore-edk2-
> upstream/ws/edk2/Build/ArmVirtQemuKernel-
> AARCH64/DEBUG_GCC5/AARCH64/ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreRe
> locatable/OUTPUT/PrePi.obj]>
> Error 1
>
> On Wed, 18 Jan 2023 at 04:05, Yao, Jiewen <jiewen.yao@intel.com> wrote:
> >
> > Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> >
> > Merged https://github.com/tianocore/edk2/pull/3916
> >
> > > -----Original Message-----
> > > From: Gerd Hoffmann <kraxel@redhat.com>
> > > Sent: Tuesday, January 17, 2023 6:58 PM
> > > To: Xu, Min M <min.m.xu@intel.com>
> > > Cc: devel@edk2.groups.io; Leif Lindholm <quic_llindhol@quicinc.com>;
> > > Ard Biesheuvel <ardb+tianocore@kernel.org>; Abner Chang
> > > <abner.chang@amd.com>; Daniel Schaefer <git@danielschaefer.me>;
> > > Aktas, Erdem <erdemaktas@google.com>; James Bottomley
> > > <jejb@linux.ibm.com>; Yao, Jiewen <jiewen.yao@intel.com>; Tom
> > > Lendacky <thomas.lendacky@amd.com>
> > > Subject: Re: [PATCH V3 0/4] Introduce Separate-Fv in
> > > OvmfPkg/IntelTdx
> > >
> > > On Tue, Jan 17, 2023 at 07:31:54AM +0800, Min Xu wrote:
> > > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
> > > >
> > > > In current DXE FV there are 100+ drivers. Some of the drivers are
> > > > not used in Td guest. (Such as USB support drivers, network
> > > > related drivers, etc).
> > > >
> > > > From the security perspective if a driver is not used, we should
> > > > prevent it from being loaded/started. There are 2 benefits:
> > > > 1. Reduce the attack surface
> > > > 2. Improve the boot performance
> > > >
> > > > So we introduce Separate-Fv which separates DXEFV into 2 FVs:
> > > > DXEFV and NCCFV. All the drivers which are not needed by a
> > > > Confidential Computing guest are moved from DXEFV to NCCFV.
> > > >
> > > > When booting a CC guest only the drivers in DXEFV will be loaded
> > > > and started. For a Non-CC guest both DXEFV and NCCFV drivers will
> > > > be loaded and started.
> > > >
> > > > Patch#1 updates EmbeddedPkg/PrePiLib with
> FFS_CHECK_SECTION_HOOK.
> > > > Patch#2 adds PCDs/GUID for NCCFV.
> > > > Patch#3 moves cc-unused drivers to NCCFV.
> > > > Patch#4 update PeilessStartupLib to find NCCFV for non-cc guest.
> > >
> > > series:
> > > Acked-by: Gerd Hoffmann <kraxel@redhat.com>
> > >
> > > take care,
> > > Gerd
> >
>
>
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread