From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min M Xu, Erdem Aktas, James Bottomley, Jiewen Yao, Gerd Hoffmann, Tom Lendacky, Michael Roth
Subject: [PATCH V1 1/1] OvmfPkg/IntelTdx: Update README
Date: Fri, 3 Feb 2023 22:04:25 +0800
Message-Id: <20230203140425.1704-1-min.m.xu@intel.com>
X-Mailer: git-send-email 2.29.2.windows.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Min M Xu

TDVF's README is updated based on the latest feature.
- RTMR based measurement is supported in OvmfPkgX64 (Config-A)
- Features of Config-B have all been implemented, such as removing
  unnecessary attack surfaces.

Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Tom Lendacky
Cc: Michael Roth
Signed-off-by: Min Xu
---
 OvmfPkg/IntelTdx/README | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/OvmfPkg/IntelTdx/README b/OvmfPkg/IntelTdx/README
index cc01ebca5c0a..7307ede78faf 100644
--- a/OvmfPkg/IntelTdx/README
+++ b/OvmfPkg/IntelTdx/README
@@ -26,17 +26,19 @@ There are 2 configurations for TDVF. - The OvmfX64Pkg.dsc includes SEV/TDX/normal OVMF basic boot capability. The final binary can run on SEV/TDX/normal OVMF. - No changes to existing OvmfPkgX64 image layout. - - No need to add additional security features if they do not exist today. - No need to remove features if they exist today. - - RTMR is not supported. - PEI phase is NOT skipped in either Td or Non-Td. + - RTMR based measurement is supported. + - External inputs from Host VMM are measured, such as TdHob, CFV. + - Other external inputs are measured, such as FW_CFG data, os loader, + initrd, etc. Config-B: - - (*) Add a standalone IntelTdx.dsc to a TDX specific directory for a *full* + - Add a standalone IntelTdx.dsc to a TDX specific directory for a *full* feature TDVF.(Align with existing SEV) - - (*) Threat model: VMM is out of TCB. (We need necessary change to prevent + - Threat model: VMM is out of TCB. (We need necessary change to prevent attack from VMM) - - (*) IntelTdx.dsc includes TDX/normal OVMF basic boot capability. The final + - IntelTdx.dsc includes TDX/normal OVMF basic boot capability. The final binary can run on TDX/normal OVMF. - It might eventually merge with AmdSev.dsc, but NOT at this point of time. And we don?t know when it will happen. We need sync with AMD in @@ -48,13 +50,6 @@ There are 2 configurations for TDVF. initrd, etc. - Need to remove unnecessary attack surfaces, such as network stack. -In current stage, Config-A has been merged into edk2-master branch. -The corresponding pkg file is OvmfPkg/OvmfPkgX64.dsc. - -Config-B is split into several waves. The corresponding pkg file is -OvmfPkg/IntelTdx/IntelTdxX64.dsc. The features with (*) have been implemented -and merged into edk2-master branch. Others are in upstreaming progress. - Build ------ - Build the TDVF (Config-A) target: -- 2.29.2.windows.2
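Review bot: in the first hunk (@@ -26,17 +26,19 @@), the three new "+" bullets give Config-A the same measurement list that the Config-B section already carries ("Other external inputs are measured, such as FW_CFG data, os loader, initrd, etc." now appears under both), so after this change the README no longer states what still separates the two configurations apart from the "VMM is out of TCB" threat model and the removal of attack surfaces; a one-line summary of that difference next to the new bullets would keep the comparison useful. Minor style point on the same added line: "os loader" should be "OS loader" to match the capitalisation of "TdHob, CFV" and "FW_CFG" in the neighbouring bullets.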
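Review bot: the second hunk (@@ -48,13 +50,6 @@) deletes the only place the README maps each configuration to its build file ("The corresponding pkg file is OvmfPkg/OvmfPkgX64.dsc" for Config-A and "OvmfPkg/IntelTdx/IntelTdxX64.dsc" for Config-B); removing the stale "(*)" legend is right, but the file mapping is still needed by a reader who wants to build the right target, so consider keeping those two sentences or folding them into the Build section that follows. While touching this, note that the remaining Config-B bullet says "Add a standalone IntelTdx.dsc" whereas the deleted paragraph names the file "IntelTdxX64.dsc"; the bullet should use whichever name is the real one.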