Message-ID: <50cb40b9c3e13f30cd68a78fb9d7ed463ecf9aad.camel@linux.ibm.com>
Subject: Re: [PATCH 1/1] OvmfPkg/AmdSev: introduce EMBED_GRUB=FALSE to skip including Grub image
From: "James Bottomley"
Reply-To: jejb@linux.ibm.com
To: Dov Murik, devel@edk2.groups.io
Cc: Laszlo Ersek, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh, Erdem Aktas, Jiewen Yao, Min Xu, Tom Lendacky, Tobin Feldman-Fitzthum
Date: Wed, 07 Jul 2021 11:51:52 +0100
In-Reply-To: <20210707104232.3071659-1-dovmurik@linux.ibm.com>
References: <20210707104232.3071659-1-dovmurik@linux.ibm.com>

On Wed, 2021-07-07 at 10:42 +0000, Dov Murik wrote:
> The AmdSevX64 target includes an embedded Grub image to support secure
> (measured) boot of confidential guests with encrypted root images.
>
> However, it is sometimes convenient to build this target without an
> embedded Grub. We introduce the EMBED_GRUB setting (defaults to TRUE),
> which conditions the generation (grub.sh) and inclusion of the Grub
> image. Now building AmdSevX64 with -DEMBED_GRUB=FALSE allows it.
>
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Cc: Jordan Justen
> Cc: Ashish Kalra
> Cc: Brijesh Singh
> Cc: Erdem Aktas
> Cc: James Bottomley
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Tom Lendacky
> Cc: Tobin Feldman-Fitzthum
> Signed-off-by: Dov Murik > --- > OvmfPkg/AmdSev/AmdSevX64.dsc | 16 +++++++++++++++- > OvmfPkg/AmdSev/AmdSevX64.fdf | 2 ++ > 2 files changed, 17 insertions(+), 1 deletion(-) > > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc > b/OvmfPkg/AmdSev/AmdSevX64.dsc > index 1d487befae08..ba7d6fe6b749 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > @@ -25,7 +25,6 @@ [Defines] > BUILD_TARGETS = NOOPT|DEBUG|RELEASE > SKUID_IDENTIFIER = DEFAULT > FLASH_DEFINITION = OvmfPkg/AmdSev/AmdSevX64.fdf > - PREBUILD = sh OvmfPkg/AmdSev/Grub/grub.sh > > # > # Defines for default states. These can be changed on the command > line. > @@ -40,6 +39,19 @@ [Defines] > # > DEFINE BUILD_SHELL = FALSE > > + # > + # Embed Grub into the OVMF image so they are measured together > when launching > + # confidential guest > + # > + DEFINE EMBED_GRUB = TRUE > + > +!if $(EMBED_GRUB) == TRUE > + # > + # This step builds the grub.efi binary image if needed > + # > + PREBUILD = sh OvmfPkg/AmdSev/Grub/grub.sh > +!endif > + > # > # Device drivers > # > @@ -784,7 +796,9 @@ [Components] > } > !endif > OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > +!if $(EMBED_GRUB) == TRUE > OvmfPkg/AmdSev/Grub/Grub.inf > +!endif > !if $(BUILD_SHELL) == TRUE > ShellPkg/Application/Shell/Shell.inf { > > diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf > b/OvmfPkg/AmdSev/AmdSevX64.fdf > index 9977b0f00a18..ee3d96bb813f 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.fdf > +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf 
> @@ -270,7 +270,9 @@ [FV.DXEFV] > INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellC > ommand.inf > !endif > INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > +!if $(EMBED_GRUB) == TRUE > INF OvmfPkg/AmdSev/Grub/Grub.inf > +!endif > !if $(BUILD_SHELL) == TRUE > INF ShellPkg/Application/Shell/Shell.inf > !endif

This likely isn't enough: the boot pathway of the AmdSev package is stripped down and designed to fail if grub won't boot, so if you set EMBED_GRUB = false, you'll likely build a system that won't boot. This would still work for the Kata use case, if the kernel and initrd are plumbed back in, but it won't work for the generic use case.

I think the change log needs to describe the use cases so we don't end up getting a load of annoyed people building systems that won't work for them.

There's also the broader question of whether this should all be integrated back into OvmfX64Pkg with more determination done at runtime, so we can build fewer separate binaries?

James
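Review bot: the comment block above `DEFINE EMBED_GRUB = TRUE` in the [Defines] hunk of AmdSevX64.dsc documents only the TRUE case; since the guarded `PREBUILD = sh OvmfPkg/AmdSev/Grub/grub.sh` means a FALSE build produces no grub.efi and the firmware ships with no embedded boot loader, the comment should state that consequence and when FALSE is appropriate, for example `# Embed Grub into the OVMF image so it is measured together with the firmware when launching a confidential guest. Set to FALSE only when the guest kernel and initrd are supplied by other means.` (this also fixes "so they are measured", which has no plural referent).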
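Review bot: in the [Components] hunk of AmdSevX64.dsc only `OvmfPkg/AmdSev/Grub/Grub.inf` is conditioned on EMBED_GRUB while `OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf` and everything else stay unconditional, so nothing in the build stops a `-DEMBED_GRUB=FALSE` image from being produced with no bootable payload at all; suggest either failing the build with a DSC error directive when EMBED_GRUB is FALSE and no alternative boot path is defined, or at minimum stating in the commit message that such an image is only usable when the kernel and initrd are supplied separately.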
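Review bot: the `!if $(EMBED_GRUB) == TRUE` guard around `INF OvmfPkg/AmdSev/Grub/Grub.inf` in the [FV.DXEFV] hunk of AmdSevX64.fdf mirrors the [Components] guard in the dsc and the two must always change together, so a one-line comment beside each (for example `# keep in sync with the EMBED_GRUB guard in AmdSevX64.dsc`) would reduce the chance of a future edit leaving the module built but not placed in the firmware volume, or vice versa.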