From: "Yao, Jiewen"
To: "devel@edk2.groups.io", "dgilbert@redhat.com", Laszlo Ersek
CC: "Xu, Min M", "thomas.lendacky@amd.com", "jejb@linux.ibm.com", "Brijesh Singh", "Justen, Jordan L", Ard Biesheuvel, Paolo Bonzini, Nathaniel McCallum, "Yao, Jiewen"
Subject: Re: [edk2-devel] separate OVMF binary for TDX? [was: OvmfPkg: Reserve the Secrets and Cpuid page for the SEV-SNP guest]
Date: Mon, 12 Apr 2021 11:54:38 +0000

I totally agree with you that from a security perspective, the best idea is to isolate AMD SEV/Intel TDX from standard OVMF.

Do you want to propose moving AMD SEV support to another SEC?

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Dr. David Alan Gilbert
> Sent: Monday, April 12, 2021 4:35 PM
> To: Laszlo Ersek
> Cc: Yao, Jiewen; Xu, Min M; devel@edk2.groups.io; thomas.lendacky@amd.com; jejb@linux.ibm.com; Brijesh Singh; Justen, Jordan L; Ard Biesheuvel; Paolo Bonzini; Nathaniel McCallum
> Subject: Re: [edk2-devel] separate OVMF binary for TDX? [was: OvmfPkg: Reserve the Secrets and Cpuid page for the SEV-SNP guest]
>
> * Laszlo Ersek (lersek@redhat.com) wrote:
> > On 04/09/21 15:44, Yao, Jiewen wrote:
> > > Hi Laszlo
> > > Thanks.
> > >
> > > We did provide a separate binary in the beginning - see https://github.com/tianocore/edk2-staging/tree/TDVF, with same goal - easy to maintain and develop. A clean solution, definitely.
> > >
> > > However, we got requirement to deliver one binary solution together with 1) normal OVMF, 2) AMD-SEV, 3) Intel-TDX.
> > > Now, we are struggling to merge them......
> > >
> > > For DXE, we hope to isolate TDX driver whenever it is possible.
> > > But we only have one reset vector here. Sigh...
> >
> > Can we please pry a little bit at that "one binary" requirement?
> >
> > Ultimately the "guest bundle" is going to be composed by much
> > higher-level code, I expect (such as some userspace code, written in
> > python or similar); selecting a firmware binary in such an environment
> > is surely easier than handling this "polymorphism" in the most
> > restrictive software environment imaginable (reset vector assembly code
> > in the guest)?
>
> I think also there's a security argument here; some people like to
> measure security in kloc's; so having your secure boot image as small
> as possible for the environment you're actually running does make some
> sense, which favours the 2 image idea.
>
> Dave
>
> > Thanks
> > Laszlo
> --
> Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK