From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mx.groups.io with SMTP id smtpd.web09.3317.1637378340212424297 for ; Fri, 19 Nov 2021 19:19:01 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=KJ+GXg4n; spf=pass (domain: intel.com, ip: 192.55.52.88, mailfrom: jiewen.yao@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10173"; a="258324485" X-IronPort-AV: E=Sophos;i="5.87,249,1631602800"; d="scan'208";a="258324485" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Nov 2021 19:18:59 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.87,249,1631602800"; d="scan'208";a="496123957" Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by orsmga007.jf.intel.com with ESMTP; 19 Nov 2021 19:18:59 -0800 Received: from orsmsx603.amr.corp.intel.com (10.22.229.16) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Fri, 19 Nov 2021 19:18:58 -0800 Received: from ORSEDG601.ED.cps.intel.com (10.7.248.6) by orsmsx603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12 via Frontend Transport; Fri, 19 Nov 2021 19:18:58 -0800 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (104.47.59.173) by edgegateway.intel.com (134.134.137.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.12; Fri, 19 Nov 2021 19:18:58 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GKUkZvVyGw5OI2k6RBmJ7qMYr9++5GYfB1rM8FGijDVPCgsP4yraxYOW6PIofezCIo8J0/lmiORkHjmLzVmBOu2qadzr/BsfC4GukPbUKEk29nlFRo3j8oclKR8Y6Q9fDcO9ybIS22ek3BW7ScN9n+/cq9GptHoA2Xs+yG2YDd4vnm2oQ7iwu7NiCzpyVfJ7JN5M/Ox3BjSWHVVji8uWGyi/JfZNLDNT/lY5fElpXbPBBspYA7J9kiTrEvPeIKZe619qTFYYRE1D8EdB7OBKZfL0c0m1jp3Fc5iHqaS/0g8S6KxfhxA6CU+A1M6uKkxeLmcHYjcVnGsbcnQktDoQ2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=e9nrXdcXwWfm0TGt8FiglW632nRT0aerpw3C8ctTKVs=; b=Yr6v9FoLj/j5fX7hU0wLwhGIHYvecDQUZwN0hCD+ZWjxfMy4Nd5VDsdgw6pWsElbJvGfxK810UvIe/uvnqTg33EZYOKvnXHa2tX0pAGMPJP9vgiqsaW3Ck2A83lOqH3HtRJfdExEP4J4qoMsSdITe2qEmsL4/3ja1pi35yccRq9xh+Tdn2YUU1NCS0nNTrQNtqUZOANxM595Vn8DvLb7ALOOksvz5AlPxBpLfd+iVU/4/s4a/1wsMnITYI3Oc8rPILciBovkKrHfMQccWxeL6A0CGo9UBSWDahOzvOSVjjUgtRP84aBdwU8cRKaQ5qAKFi7AjNFevOsIfNdHp81OXA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e9nrXdcXwWfm0TGt8FiglW632nRT0aerpw3C8ctTKVs=; b=KJ+GXg4nG84xGnoyY6jxl95bIiDbH+odvuKJBXhkW0yTf9xmdlLJMMMskzUBlsmgImPUZUkBjghv2UaoHrg8SgYH2sfIIfrQjCuYn/nJsGwBmpnROjT1UMYeZqa9jjuXFmGUMtdpNITP9acfn4M78idgodgoudn3rUYABKYXwPs= Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by CO1PR11MB4931.namprd11.prod.outlook.com (2603:10b6:303:9d::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4713.19; Sat, 20 Nov 2021 03:18:56 +0000 Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::1d07:d296:b2c7:7114]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::1d07:d296:b2c7:7114%8]) with mapi id 15.20.4669.016; Sat, 20 Nov 2021 03:18:56 +0000 From: "Yao, Jiewen" To: Gerd Hoffmann CC: "Xu, Min M" , "devel@edk2.groups.io" , Ard Biesheuvel , "Justen, Jordan L" , Brijesh Singh , Erdem Aktas , James Bottomley , Tom Lendacky Subject: Re: [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx Thread-Topic: [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx Thread-Index: AQHX2uMZH+dNhguCw0OBghbxJplRDawH11AAgAEwN+CAAfIoAIAAvv7A Date: Sat, 20 Nov 2021 03:18:56 +0000 Message-ID: References: <867e8a2aaf28c308b20a659057217453c6e38e00.1635769996.git.min.m.xu@intel.com> <20211103063045.kmttoxyluifwo2bq@sirius.home.kraxel.org> <20211117151942.iqow75zq2lrn5xlc@sirius.home.kraxel.org> <20211119151130.g2wcnuhivt3lxvzi@sirius.home.kraxel.org> In-Reply-To: <20211119151130.g2wcnuhivt3lxvzi@sirius.home.kraxel.org> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.6.200.16 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 20831f0a-b5cb-4e18-a1bb-08d9abd47d0f x-ms-traffictypediagnostic: CO1PR11MB4931: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: GVd7CavCyuC6gIKzYecq/Dvdk709+IyIrejcfoDHlgLf33HziDdxoRpg9DyzwLC2TA311Mo/P992meLw+KoT0xW4DXTtNTfupN9NF9K4OqnKy32/fTpzMBDmh0BGTAcVZWveUH54Ub5kTovsQW4Z3B1mihNsUZoZ8U915FOb4yGORwnR17aQOfpUqABJeBC4GLITl8lLbsAv+LHzk0xQzL9fYqdIt794ogf+YLNYexbyklHa78Y1VX94EjapsuieMRgApIiswsBCqNW5EwJcrvFrSNhLMUQUCSusrD25XfycfnePf6wHzQzeFhgSmfDkKdAl3Vr7KNmwRPfvOWR+ukAMTcrJDwu6IniJdYSal6gegYogj22uZNk86X1ccanHja9o71Oot9NSQXPEwLWNPP+moh5A7rv0rwTys49xcSPxv/m0E88bDWOcEUPJ4WMHUJM3h9stoPgvozio0YgkBU1gp+DST9B+tYvEikgEcWnFRrGyXcfvp86P4CAsMZnOSt+FwAx7Lygeni8cjcbual+LnXCHz/GTiRgr+FcpEX+or4bN/RRLc/3juvTXZ95Joa/ALUhK83pI410ZUsWeQrNDPFTBX5BQGIeeR3CE1Hk1yl7BHcbqA6Vk1VdCX5x6ueAPmKzjq/jxT6abCQyUdYi8kAUsEfnUEpozuLGwhbZzm0vOferS0gzMh0Z4Mx+KwY8YYavkFBfFpJ8XozgxwpEYBMmlkPl5Row+N10GB4NDAq35lM2CtAbFd1r34qHeOvrcx7f/AIgTh6IqwUgjoH/sDpv/BHLlShJxgPeyisg= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(26005)(966005)(83380400001)(86362001)(2906002)(52536014)(5660300002)(4326008)(71200400001)(55016002)(33656002)(64756008)(38100700002)(82960400001)(9686003)(66476007)(66556008)(66446008)(7696005)(66946007)(8676002)(186003)(53546011)(15650500001)(6506007)(76116006)(508600001)(316002)(38070700005)(8936002)(6916009)(54906003)(122000001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?7yqUEZjTQjgwQwAjjaj+/4OacbsH1LhAaEeDYN9kJPWwsNtvVbmYPnbysxTv?= =?us-ascii?Q?u50cDqg1dAhZLqymSYj8rPJepRKFyAR0KzAllU4Vd8Ld6AwPTzCnFQEt4j+a?= =?us-ascii?Q?qj3Wmn9eIxBWlbVb8ZE4g2ExX+tADs5G4/ytITnAHDX3AkXW3i4b6fZZayO3?= =?us-ascii?Q?BZn6MZSeHCovGa7Lsfw09ZwV3lniC9VlmwibrmdUUs2D7SKzMpYcw+GQEq40?= =?us-ascii?Q?riqivMw6yMwYxWb+s1OPbJK3SPVdJF7fB15vjMTC0XAIONGA93CJ8vy2ACQw?= =?us-ascii?Q?db8CDpvHjbLA1aviYLFbDc7Cr52S2VIXzG+N4/j06mUBhen+2JRzgPbL5PTa?= =?us-ascii?Q?3QefyALk5Wrs2b7zn1GIVVtgiCDcNo/1FJisDTmSVk6hQFx4unLlda7kSCm+?= =?us-ascii?Q?IfZPKqClPC62gBMO9rPKc5gm/xTK3pO95sfNmiOsk9kg+TOoZ8zk/OyOMQ3i?= =?us-ascii?Q?n/xXuZsm+bf/pPi0K5cL/vVytyMwkGGcslcJI926RsPF5YQ2RKB8k+1jvNMG?= =?us-ascii?Q?J6uz9h7ss7s6TF+dKPgJSH4erRnj644vUJLy3xVFawgB77UelI9p4XsrT3Dg?= =?us-ascii?Q?3jPhgum/nYF5mAS2MQsYeCFwHrVtTMlRPDW3gMEzjnzeZmD0BEPozgmM4kJQ?= =?us-ascii?Q?hNQVOcjoch7JDqVrTDNzb+ksyQB8GWUILLKfbSfPk1UAI/cFzWSqIXbGFbQ6?= =?us-ascii?Q?9vKWpXXxPPmBot3Ilg8uK29yU9qoT+R9/StxPlDRf9wfo/DsqUcYEpfNdXaT?= =?us-ascii?Q?9LmNCbhx76+blhjaOFkYtTmV1K5wiA8CZhGkBAxbY4RsNKdORgfVKZO3nK1m?= =?us-ascii?Q?o47lsDQU0rMpJBH96GTu0y9X1RL3Xh5rMhWVw3LAvOY692mJJr95F95d1Qgt?= =?us-ascii?Q?rqDiTNggdzzywJgXJCyhC/LAJg67m0inaGvaivwmZQfI2QjxU2KQ74B0EyeU?= =?us-ascii?Q?9gDRzSgJaGShLZ8GPv1+5YMnfr2PqBs8BmVzuIy2K9Gy1fjJO3xIOboWGeXS?= =?us-ascii?Q?dDq6k50vrpnVQ5ATAZxChoAK57aZFFvVQIYWlzMaeHTzbt+OdnfWjUh7T3eP?= =?us-ascii?Q?wJFBHDkIOb5iidIvecbSR6NOSSU/XED10aa285MNODBNeQ1TypEJzZuZOLHY?= =?us-ascii?Q?3Hy6t9paFR4bqvPN9mAdY0qtiNECTro3s10K6Ce85b1QqysnKHBq+9GBM4n4?= =?us-ascii?Q?XBFfPuOkdV+IGaMXEJLfnTCe3FRp0qBbcllmVOvlzEAPlbNgBg/B/TKLTxh2?= =?us-ascii?Q?YbpbFMQGgHMPDtvLPwSk3oF82nFEjSd9ir1CYNkk4W7UEHPI1KIoiA37DHyl?= =?us-ascii?Q?/lrHPe/Sn8SzFmqNliY/EViyklPjePQcPMampl59Z/icHnvVWy9Nwmoz1FPV?= =?us-ascii?Q?D5Vo3zIrPK7WWjWMp/zYKXYCP4fDfP1XUI4jQoywGlTSB7xkK5guryGhb9Ir?= =?us-ascii?Q?OhyCeM7dRwoNiKlmzsc3WFKkUFaNnTBf8EKDK7Ahv5U7xoxOzJJwcfgeUsVf?= =?us-ascii?Q?VKPNAO0684ddMXvi4/Y5/oUouZfIwDJq90NGkkkp26awPnXjvits3IamLyYU?= =?us-ascii?Q?E+k2oGF+KG9XYoXmUYIdwrrw+S+wuhINWCFIeI9ZfnMaMudXHufdVBiqKuke?= =?us-ascii?Q?coMhBavMQn6CWpZ62xDdRsM=3D?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 20831f0a-b5cb-4e18-a1bb-08d9abd47d0f X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Nov 2021 03:18:56.7287 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 3EmQXEHOSw+JIOJukVhWnEQPTGrv4SVgL1aRMkPXlxfGWp1IHDNhmtHG1/Zmgrgt1vMiRKzO+wrkZBn6wahPVg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB4931 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable > -----Original Message----- > From: Gerd Hoffmann > Sent: Friday, November 19, 2021 11:12 PM > To: Yao, Jiewen > Cc: Xu, Min M ; devel@edk2.groups.io; Ard Biesheuvel > ; Justen, Jordan L = ; > Brijesh Singh ; Erdem Aktas > ; James Bottomley ; Tom > Lendacky > Subject: Re: [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Td= x >=20 > Hi, >=20 > > Comment on config-B. >=20 > > > I'm sure I've asked this before: Why skip the PEI phase? So far > > > I have not seen any convincing argument for it. > > > > Skipping PEI phase is valid architecture design. >=20 > Sure. >=20 > > Second, the confidential computing changes the threat model > > completely. One of our goal is to simplify the design for CC-firmware > > (TDVF) - remove unnecessary modules, remove unnecessary interface, > > make the image smaller and faster. That will reduce the validation > > effort, too. > > > > That is the main motivation. >=20 > That totally makes sense. I expect TDVF Config-B will look alot like > the existing AmdSev configuration variant which is stripped down too. [Jiewen] I don't think TDVF config-B will be like the AMD SEV is right stat= ement. TDVF and SEV are two different platforms. Intel mainly focuses on TDVF and we will let AMD defines the feature set in= SEV. They MAY be alike if possible. But difference is also acceptable if there is architecture difference or di= fferent decision in different company. > No SMM support, no network stack, ... >=20 > There wouldn't be left much in PEI beside PeiCore and > OvmfPkg/PlatformPei. >=20 > But I don't see how dropping the PEI phase altogether helps much in > stripping down the firmware image. The initialization currently handled > by OvmfPkg/PlatformPei must happen somewhere else instead. Given SEC is > a very restricted environment I don't expect the code can be shared > easily, so we will probably end up with code duplication. Also two > different boot workflows which I fear can easily introduce subtle bugs > due to differences like a initialization order changes. This is what I > see as maintenance problem. [Jiewen] I don't think this is right statement. In Tiano history, there were security bugs exposed in PEI phase, even the P= EI Core on FV processing. I do see the value to skip PEI core. Again, I am very familiar with non-PEI flow. Back to 10 years ago, I was maintainer of a non-PEI platform (named DUET) a= nd we jumped from SEC to DXE directly. I don't see any maintenance problem. >=20 > > Config-A is to keep current architecture, to maximum compatible with > > OVMF. And we don't remove VMM out of TCB. >=20 > > Config-B is to have a new TDVF design, to maximum satisfy the security > > requirement. And we remove VMM out of TCB. >=20 > Sure. >=20 > config-a is ovmf with tdx support added, all uefi features present, only > basic tdx/sev support (basically support memory encryption). >=20 > config-b is simliar to AmdSev (maybe we'll merge them some day), > stripped down uefi feature set (no network etc), full tdx support > including attestation etc. [Jiewen] I think we are debating two different things. Your statement that "config-B is similar to AmdSev" does not support the st= atement "config-B should be adopt what AmdSev chooses". TDVF config-B is proposed by Intel. AMD SEV is proposed by AMD. I respect S= EV people and I *may* propose something, but I will ack their decision. I would not force them to accept the TDVF config-B. And vice versa. >=20 > I don't want question all that. I still don't see the point in dropping > the PEI phase and make config-b work different that all other ovmf > variants though. [Jiewen] My point is simple - Threat Model is different. That causes security objective difference and design difference. Each CC env owner should have freedom to choose what they want to enforce. IMHO, they are the policy decision maker. > > > Jiewen argued this is a simplification. Which is not completely wron= g, > > > but it's also only half the truth. Switching all OVMF builds over to > > > PEI-less boot doesn't work because some features supported by OVMF > > > depend on PEI Modules. Therefore TDX Config-B skipping the PEI phase > > > means we would have to maintain two boot work flows (with and without > > > PEI phase) for OVMF. Which in turn would imply more work for > > > maintenance, testing and so on. > > > > [Jiewen] I am not asking your to OVMF build to PEI-less. > > But if you want to do, I will not object. >=20 > s3, smm, tpm and maybe more depends on pei modules, so dropping the PEi > phase is not an option for a full-featured OVMF build. So I'd very much > prefer all ovmf variants (including tdvf) use the PEI phase. >=20 > > On contrast, if we keep PEI for config B, it adds extra burden from > > security assurance perspective. That means, every issue in PEI may be > > exposed to TDVF. >=20 > Same for all other modules used by tdvf. >=20 > The list of affected PEI modules is rather short though. I think it's > only PeiCore and DxeIpl. PlatformPei doesn't count as the code wouldn't > go away but would be moved to SEC (and maybe parts of it to DXE). >=20 > > Comparing the effort to maintain the work flow and the effort to > > handle potential security issue, I would choose to maintain the work > > flow. I have experience to wait for 1 year embargo to fix EDKII > > security issue, it is very painful and brings huge burden. >=20 > The security workflow is a serious problem indeed. Not only for TDVF, > also for OVMF in general, and other platforms too. We should certainly > try to improve it. [Jiewen] If you look at how we state config-A and config-B again, you will = find we made difference statement. I copy it here again. 1) Config-A is to keep current architecture, to maximum compatible with OVM= F. And we don't remove VMM out of TCB. 2) Config-B is to have a new TDVF design, to maximum satisfy the security r= equirement. And we remove VMM out of TCB. Because of the threat model difference, in config-A, we can safely make som= e assumption that the VMM is benign and VMM will not input malicious data. = As such, we might not perform data validation. We just trust VMM input. However, in config-B, VMM is malicious, which means we need be careful to N= OT trust VMM at any time. The code in config-A and config-B may do totally different thing to handle = the difference situation. I don't think it is hidden assumption that if TDVF need do some check, then= a generic OVMF need do this check. If OVMF trusts the VMM, the check might be totally unnecessary. > I'm not going to open that discussion in this thread. But let me drop > two links two links to osfc talk and workshop (Not 30th + Dec 1st), > titled "The firmware supply-chain security is broken: can we fix it?" >=20 > https://talks.osfc.io/osfc2021/talk/D9X39Z/ > https://talks.osfc.io/osfc2021/talk/E9YYJF/ >=20 > > > I want TDVF be consistent with the rest of OVMF. Makes long-term > > > maintenance easier. Building a single binary for both SEV and TDX wi= th > > > full confidential computing support (including config-b features) wil= l > > > be easier too. > > > > [Jiewen] I am not convinced that TDVF be consist with rest of OVMF. > > The goal of project is different. The choice can be different. > > I don't see a reason that one platform must be in this way, just becaus= e other > platform does in this way. >=20 > Hmm? Seeing TDVF as "other platform" is a rather strange view given > that we are integrating tdx support into OVMF right now ... [Jiewen] This is how Intel views the "platform". In history, we call this one binary mode is "multiple-platform" or "multipl= e-SKU". That means we only have one binary, and this single binary can boot differe= nt platforms, which has similar CPU or silicon but different platform board= design. And there will be platform specific code flow, such as Switch (PlatformId) { Case PlatformA: {do platformA init} Case PlatformB: {do platformB init} } If you treat CC_TYPE to be platformID, it perfectly matches. Also a platform may has extra module (a driver or an FV) to support the pla= tform specific feature. Or a platform may much simpler design and skip some= drivers. The actual multi-platform design is even more complicated, because we also = have group concept. So I will stop the discussion here. >=20 > > I think a PEI-less TDVF is much easier to maintain, comparing with > > complicated OVMF flow, at least from security perspective. The less > > code we have, the less issue we have. >=20 > Well, we will have TDX support in the normal OVMF workflow anyway, > because we need that for config-a. Why use and maintain something > different for config-b? That looks rather pointless to me ... [Jiewen] I think I have explained a lot above. The key difference between config-a and config-b is threat mode. I even propose config-a skip PEI phase. I am persuaded to let config-a adop= t the OVMF way, because the threat model of config-A is same as the normal = OVMF. But config-B is NOT. Different threat model drives different solution. I completely don't understand why they must be same. If you force me to add PEI to config-B. Finally, that causes TDVF config-B = is compromised due to an issue in PEI. Who will take the responsibility? Will you or RedHat take that? >=20 > take care, > Gerd