On Jul 19, 2024, at 12:35 AM, Gerd Hoffmann <kraxel@redhat.com> wrote:

On Thu, Jul 18, 2024 at 07:57:27PM GMT, Tom Lendacky wrote:
On 7/16/24 21:30, 韩里洋 wrote:
Hi Tom,

Thank you for your response.

In fact, I'm unable to proceed with the development of the fix patch locally as I don't have SEV-SNP hardware for experimentation. However, it has proven to be crucial for effectively testing and completing the patch.

Given your expertise and potentially available hardware, would your team be able to take over the fixing of this issue? (bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=4807 )

Secure Boot is not supported under SEV-ES and SEV-SNP because SMM is
required in order for Secure Boot to be secure.

The other option is initializing the variable store from ROM on each
boot, which implies there are no persistent EFI variables and has
its own set of drawbacks.  But this is what the IntelTdx build is doing
and AmdSev should be able to do this too.


Seems like you might be able to just overwrite the Secure Boot related variables on every boot to a hard-coded value. You could have PCDs for the default values of the variables.

Thanks,

Andrew Fish

take care,
 Gerd
