Re: [edk2-devel] [PATCH v4 00/11] Measured SEV boot with kernel/initrd/cmdline

["Yao, Jiewen" <jiewen.yao@intel.com>]

Hi James
"However, this ran into problems when it was decided AmdSev shouldn't have it's own Library."

I am not clear on the history. Would you please clarify why AmdSev should not have its own library?

It looks not reasonable to me. AmdSev is just a feature. A feature may have its own library. We have enough examples.

Also, the instance name "Grub" is very confusing. I compared PlatformBootManagerLib and PlatformBootManagerLibGrub. This is just a customized PlatformBootManagerLib. 

For example, XEN feature removing and PIIX4 difference has nothing to do with Grub...
=================
      PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x60), 0x0b); // A
      PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x61), 0x0b); // B
      PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x62), 0x0a); // C
      PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x63), 0x0a); // D
=================

It is a big misleading. Can we move the PlatformBootManagerLibGrub To AmdSev now?



> -----Original Message-----
> From: James Bottomley <jejb@linux.ibm.com>
> Sent: Monday, July 26, 2021 5:10 AM
> To: devel@edk2.groups.io; dovmurik@linux.ibm.com; Yao, Jiewen
> <jiewen.yao@intel.com>
> Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>; Tobin Feldman-Fitzthum
> <tobin@ibm.com>; Jim Cadden <jcadden@ibm.com>; Hubertus Franke
> <frankeh@us.ibm.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Justen,
> Jordan L <jordan.l.justen@intel.com>; Ashish Kalra <ashish.kalra@amd.com>;
> Brijesh Singh <brijesh.singh@amd.com>; Erdem Aktas
> <erdemaktas@google.com>; Xu, Min M <min.m.xu@intel.com>; Tom Lendacky
> <thomas.lendacky@amd.com>; Leif Lindholm <leif@nuviainc.com>; Sami
> Mujawar <sami.mujawar@arm.com>
> Subject: Re: [edk2-devel] [PATCH v4 00/11] Measured SEV boot with
> kernel/initrd/cmdline
> 
> On Sun, 2021-07-25 at 10:52 +0300, Dov Murik wrote:
> > And I do have one question:
> > > May I know what is criteria to put a SEV module to OvmfPkg\AmdSev
> > > or OvmfPkg directly?
> > >
> > > My original understanding is:
> > > If a module is required by OvmfPkg{Ia32,Ia32X64,X64}.{dsc,fdf},
> > > then it should be OvmfPkg.
> > > If a module is only required by OvmfPkg\AmdSev\AmdSevX64.{dsc,fdf},
> > > Then it should be in OvmfPkg\AmdSev.
> > >
> > > Am I right?
> > >
> >
> > I actually don't know the criteria.  What you say sounds reasonable.
> > I'll also let James (who introduced the AmdSevX64 target) say what he
> > thinks.
> 
> The original reason for the AmdSev package was actually for
> attestation:  The only way to get attested boot using a standard VM
> image for SEV and SEV-ES was to pull grub inside the measurement
> envelope and have a stripped down hard failing boot path, so if the key
> didn't decode the encrypted boot volume for some reason, the whole
> thing would fail without revealing the injected secret.  This stripped
> down hard failing boot path is much easier to construct as a separate
> target.
> 
> Essentially that means that lots of SEV exists outside the AmdSev
> directory and things should only be in it if they're either modified to
> support the encrypted volume boot path or are only required by it.
> However, this ran into problems when it was decided AmdSev shouldn't
> have it's own Library, so the modified boot path now lives in
> OvmfPkg/Library/PlatformBootManagerLibGrub, so now it's unclear even to
> me what the criteria are.
> 
> James
>