From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mx.groups.io with SMTP id smtpd.web11.6974.1674011151355814057 for ; Tue, 17 Jan 2023 19:05:51 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=m45YwL68; spf=pass (domain: intel.com, ip: 192.55.52.88, mailfrom: jiewen.yao@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1674011151; x=1705547151; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=YgmiO5wrNhMdsYBE3Lt+GpwvFFE5Yya0oS79ytXJqwE=; b=m45YwL68KdSak2UOc0R2C8y6zYV8BxifFAIdfno9QZABu788Oupem6cE 6mKVlAGIb41ClWUXqQE06zkmzB0Ih82Cg+VIuWEqYhAwt0hMFFrK0xMe9 XLAgWTNM/aSA+huTEEMJtZ75jOsxx+AeQbqCsWlEARNUJ299Q9MHIcC+s K1HBvLpu2AptNt5gBv/ctSwku4haIxOijl6zD5cea9QMTo693jPvFLyXq JtSd3brkT2xYo3mfgTQl4goLQyog3ASXlLJV4HjWhLwEeo8Hu3FOh+rwt VTU+iGHEZhGaRvPgXl4VREIHKlRHbD8qDAbnZmwD3RaydS0KoS7T6z8kG w==; X-IronPort-AV: E=McAfee;i="6500,9779,10593"; a="352132725" X-IronPort-AV: E=Sophos;i="5.97,224,1669104000"; d="scan'208";a="352132725" Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Jan 2023 19:05:50 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10593"; a="748279326" X-IronPort-AV: E=Sophos;i="5.97,224,1669104000"; d="scan'208";a="748279326" Received: from fmsmsx601.amr.corp.intel.com ([10.18.126.81]) by FMSMGA003.fm.intel.com with ESMTP; 17 Jan 2023 19:05:50 -0800 Received: from fmsmsx603.amr.corp.intel.com (10.18.126.83) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16; Tue, 17 Jan 2023 19:05:50 -0800 Received: from FMSEDG603.ED.cps.intel.com (10.1.192.133) by fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16 via Frontend Transport; Tue, 17 Jan 2023 19:05:50 -0800 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.174) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Tue, 17 Jan 2023 19:05:49 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mJg7jgFN4ZZCkXe8HXSQqOn906LwfK4Fad1mEvCqw1mOgRP6RlwygbJO4+9qPOmNxKkTn73mJG6HbopI8xIA2JQdk3gTsCa+ooga12q6LWmImPC9x021+KOI5LHj/PGDv4EfcYL6karfIc0vabS92J56lF+mhpv/RAKFPMqDw86sSbfwKsWDXwB7fmmQam2nVkdve0TovFIrm68qgrE3eKDOHY+ePiF0uc8jz41dNkaeVsQ99FsKJEP9dBRKq2sZU2qFZJX1Nf7q8JurqCTnN+3XRsk9bwQlUAq9seJikZ/s/a2pSdaryXbuD/cSwcQBRJmtKUik+hO1SdgjdDSbNQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eg9lts6+i8NrDC6KOdxtNpbbN3yPwBFHT4Q1CmM3+Yo=; b=WT7DRB0YJ69F+d6vF0qaPBIjQhitxAxlQF9muUWYFlvsZ8S2ElnXG1oNlydGvkxn1xRDkb++mzFZ03WnkAwD1P9BR8JFEoZSl72TooGnpYLDZUVKubumBpj9uEZTqLgUDvDvjKK2yYODTEruvkKOCcOmo7HnL1xqs+cA9/nHVHay0pBAlC7UkwSzdWiJyMlkF+AnLzhCFGB7D0nymfesA5PTQ1w17Ck6yJKveM924ZYPw5O/KpvH9hUfHbikcLuhMWU2niBHAkGAHVBeoDW3d59DUthoA9w8rPBBw+HA2ducPhwUoSDmyStRStQjkNimc7rjKJJ6lIy0U7cZnnhugQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by IA1PR11MB7175.namprd11.prod.outlook.com (2603:10b6:208:419::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.23; Wed, 18 Jan 2023 03:05:47 +0000 Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::5f56:1bdc:2eae:c041]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::5f56:1bdc:2eae:c041%7]) with mapi id 15.20.6002.013; Wed, 18 Jan 2023 03:05:47 +0000 From: "Yao, Jiewen" To: Gerd Hoffmann , "Xu, Min M" CC: "devel@edk2.groups.io" , Leif Lindholm , Ard Biesheuvel , Abner Chang , Daniel Schaefer , "Aktas, Erdem" , James Bottomley , Tom Lendacky Subject: Re: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Thread-Topic: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx Thread-Index: AQHZKgLJTkKwIF32/U+5t5OSaxqVma6icTaAgAEOKGA= Date: Wed, 18 Jan 2023 03:05:47 +0000 Message-ID: References: <20230116233158.1268-1-min.m.xu@intel.com> <20230117105823.tkasxyjfjxku6wsz@sirius.home.kraxel.org> In-Reply-To: <20230117105823.tkasxyjfjxku6wsz@sirius.home.kraxel.org> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: MW4PR11MB5872:EE_|IA1PR11MB7175:EE_ x-ms-office365-filtering-correlation-id: 0413895c-234b-49c7-c7b9-08daf900e574 x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 9HX9U9zjto0IRlk/frgxBdLoXX+DzKdYTCRMgTwkmN623RX4xQ342SkMOa3ITfTYYg403pBtJ7VkD/5TLXofS/twBlGHh9w2XXbIk/+PdsHvgGb9isDyFb5h5UnYuO32RuijHKhhuIHdAS/R4YMbnmiMWx2n1/6+ccY6aDUwICrjdxADXCuiSEI+q20+HYk4VM5XrtMNGZuln63geZDxtjp2eQ3YMHlEn3IcaFyLbQpgtVXONvH9R2tmCT//MkZ0URHPH2F3WcGgQF0mD5zTWxTCduJXn6YDLpcihzNk3QnaPA6t4pyfbBg7+6rYMi16po+g+9yHB1u7iQ949LojoyhRfV5I7ck/CPnA0dsNLjgwBVlCC9kD5g3tfRCxfYlZhHNg5M4ZJqDHI5CpuPEjHP6KQeUC/Jge4OX6d0gbXsC4RwcLg9KwVMARsARN/fvf0VOQVXx91oxMfgxv05Hx67hxXKvhw2mlZm/ZRpTOJTgxXLSeTUTLJiFbNKFNoAoDIFmMJeVAiajuD1jZrfrSJOigFZRyojC5seSiQqTkdOiXl8lCYD6Twg/fbVpl3wy0WLY9HRhskuZ2pjx/i4j7N1i21dGqcVCIPmbS3FPpZHh832AXXNHEgcJ7kPCSbHoZmxwodasqUpZCcmInkZ5wPwosMy0PLjFzscml04MFcWjt4BavSQMs8VCb4FzbFyHCfgni1kvjgEeIRyfto5WKnc14eiiDkxlZsPpMogXDSfUlt5l2tLfCflLcVLF3dUenHeE2jU7knhVi5oWxl8/v4w== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(376002)(366004)(396003)(136003)(346002)(39860400002)(451199015)(8676002)(86362001)(38070700005)(76116006)(2906002)(66556008)(66476007)(52536014)(4326008)(64756008)(66446008)(66946007)(8936002)(5660300002)(55016003)(82960400001)(83380400001)(38100700002)(33656002)(122000001)(7696005)(478600001)(71200400001)(966005)(316002)(6636002)(110136005)(54906003)(41300700001)(6506007)(26005)(53546011)(9686003)(186003);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?eZoGU4QhHoggDnkcsMPZ09WOmCPr4I9xtkziLE+sGiPEUi0c61g2Erko9FRd?= =?us-ascii?Q?6krhsqrug9KlAgAAbqTiLY/EWcEjPoo/ozuArA0NEkES7DsvcKOeKLvWWaqG?= =?us-ascii?Q?C4G34/yEcoKB/0uxFvloFdhg5S+BRcv+PINm5lNxzBSfYpaUK9EhA4H7UVIx?= =?us-ascii?Q?PZeUciM0+L/zHvt/Fm+SQbNteocB1cxxUvOTDG8EsWFaUFN/B5Lm//w0/eHM?= =?us-ascii?Q?KPRMgE0mn9FP1r1eX5IHF6z95tscCJozmRlV6tvcfYxTPpFX2fwfvP9MOPkW?= =?us-ascii?Q?B9LvhxVBfBHxcEhSyiFvnL4RThBd+OYbX8jAcoMR8QBBe8WUW5YcFq60rVdM?= =?us-ascii?Q?SbE3TvtA5QjBZCxHKNzV9ul6NuCeB2SRpobssEcrjd+IontPWVDkZXXCOlmI?= =?us-ascii?Q?wtMtQEgx7CcGEQ1ZNx7MD0Y5rUAcuhWeaY4QKZzVd5VkJHtISWCbQ54JFDsR?= =?us-ascii?Q?AVEKH/J2bXjBEsMRXJlSJdzoX433wdLliAea0NGOXzKoTrYpdbCvHccwag05?= =?us-ascii?Q?B6q03XtxjVtpHpUG8KQ6ax4JcJhew0GVdUvBJ0Ti2O5X0JOqolKah1x0hv7V?= =?us-ascii?Q?HDFLT8asjpPEsfkONZsRrR7VIdtcIgXnkjaMIpPOSCo5xZeeJAl8ehwUMM98?= =?us-ascii?Q?sySMsECFxIK0JTseoxHvSWIyD8Nx62I2DBDKHmCbCL1gH+xcxR3EPFw6744W?= =?us-ascii?Q?bzId7FXdolytB4WL3OEbVyXVM8yQ/ejnKLvv/NNOPHJnDUWQoT3oNNFLle17?= =?us-ascii?Q?FXd9sINMsiiEjzXTRKOMzniy7Z7USuo2hk1KVvcNgqBWYHyAnK8tQWDV8MoR?= =?us-ascii?Q?12kgUb9zhBLt7awlbvlM4GMzApOs+bxN0JdhujwOO3/F2rhLnpIMFyzH1nr6?= =?us-ascii?Q?VNWAbERZP/I+Yr1eWVZVk8qmyR3FF0bOfQ6DsrmKZm8L6rc9C449LeKb7dA+?= =?us-ascii?Q?nevh7+twJzM5H0ctFux3LnVXCNhEg5liNUuEkCNSAVhSxuYqpnGjTDufI2ZC?= =?us-ascii?Q?ScvbdH3ReuedlKxaaCbhU3BKWu+NrnGChFdv+gutv1oE1D/XKnehHHBAKcF3?= =?us-ascii?Q?RjXzQH2w2bck6cOIokLE2vI9NsdL9V7AMmH1hEJziqGn59u6Q4yU6o+W9Kum?= =?us-ascii?Q?/1P8NFsS09ZHRPI0fVdbuxSjlU3mYBC3K/mRepzkNHrfQHkde4rO9tn/q8Pn?= =?us-ascii?Q?T9f7Ii+Sqe4q8kWQInvFwOfbfnjheqfwwb4fL4gG7lj135jjRmzGyOl5TmGZ?= =?us-ascii?Q?md6DGnGGlDv3vlKOvjX5eOV+NebP1BK1EZVobpXDW0+oy34dI1nqrcwdgxY3?= =?us-ascii?Q?ajHXQxFZxSGzMaLWes28qhq1qdiU0gbZmi6jY2E1NlniBC1dlyzbCA4+ZdRq?= =?us-ascii?Q?p5FikVlSOkkho/3d0j/T7tfLC+RtButN6LIbQ7SnwVdb90bUlAFn/zL03QcF?= =?us-ascii?Q?p8yWmgLCK2Ab/1LO1095fsWIJjINJE83fukBPN+CxNTnZqCYJDv7R/4HUbZH?= =?us-ascii?Q?YVXN/kgz6/GSsEdBZObo/AmKpM4IMsLOYzONAJH9MSSiILabv64m8QSfTIEZ?= =?us-ascii?Q?frT0xtVM6C+lPMu6XzLbPpMO5+WjMtsLa8S+icQX?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 0413895c-234b-49c7-c7b9-08daf900e574 X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jan 2023 03:05:47.0986 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: wEiQTPfo+OO2MVPHh2QKvDf8mCTm33UyDZaCTvMKHLCTIOtMYWDRzH1WdcR1cxDyM3pzCHsow6sAOuGqwvUUPw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR11MB7175 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jiewen Yao Merged https://github.com/tianocore/edk2/pull/3916 > -----Original Message----- > From: Gerd Hoffmann > Sent: Tuesday, January 17, 2023 6:58 PM > To: Xu, Min M > Cc: devel@edk2.groups.io; Leif Lindholm ; Ard > Biesheuvel ; Abner Chang > ; Daniel Schaefer ; Aktas, > Erdem ; James Bottomley ; > Yao, Jiewen ; Tom Lendacky > > Subject: Re: [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx >=20 > On Tue, Jan 17, 2023 at 07:31:54AM +0800, Min Xu wrote: > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4152 > > > > In current DXE FV there are 100+ drivers. Some of the drivers are not > > used in Td guest. (Such as USB support drivers, network related > > drivers, etc). > > > > From the security perspective if a driver is not used, we should preven= t > > it from being loaded/started. There are 2 benefits: > > 1. Reduce the attack surface > > 2. Improve the boot performance > > > > So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV > > and NCCFV. All the drivers which are not needed by a Confidential > > Computing guest are moved from DXEFV to NCCFV. > > > > When booting a CC guest only the drivers in DXEFV will be loaded and > > started. For a Non-CC guest both DXEFV and NCCFV drivers will be > > loaded and started. > > > > Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK. > > Patch#2 adds PCDs/GUID for NCCFV. > > Patch#3 moves cc-unused drivers to NCCFV. > > Patch#4 update PeilessStartupLib to find NCCFV for non-cc guest. >=20 > series: > Acked-by: Gerd Hoffmann >=20 > take care, > Gerd