public inbox for devel@edk2.groups.io
From: "Min Xu" <min.m.xu@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"kraxel@redhat.com" <kraxel@redhat.com>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	"Aktas, Erdem" <erdemaktas@google.com>,
	"James Bottomley" <jejb@linux.ibm.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>,
	"Tom Lendacky" <thomas.lendacky@amd.com>
Subject: Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B
Date: Thu, 16 Dec 2021 12:21:18 +0000
Message-ID: <PH0PR11MB50640496F56AC27DE4106470C5779@PH0PR11MB5064.namprd11.prod.outlook.com>
In-Reply-To: <20211215102753.m4bp56bdxzgmdzkr@sirius.home.kraxel.org>

On December 15, 2021 6:28 PM, Gerd Hoffmann wrote:
> On Tue, Dec 14, 2021 at 09:41:24PM +0800, Min Xu wrote:
> > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
> >
> > Tdvf Config-B skip PEI phase to reduce attack surface. So instead of
> > jumping to SecStartupPhase2 (), TdxStartup () is called. This function
> > brings up Tdx guest from SEC phase to DXE phase.
> 
> > + #ifdef INTEL_TDX_FULL_FEATURE
> > +  if (SecTdxIsEnabled ()) {
> > +    TdxStartup (&SecCoreData);
> > +
> > +    //
> > +    // Never arrived here
> > +    //
> > +    ASSERT (FALSE);
> > +    CpuDeadLoop ();
> > +  }
> > +
> > + #endif
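Review bot: the `#ifdef INTEL_TDX_FULL_FEATURE` guard around the `SecTdxIsEnabled ()` check mixes a build-time switch with a run-time probe in the same SEC entry path; if PEI is always in the image anyway, the run-time probe alone decides the flow and the `#ifdef` can go, or the split belongs in a library-class choice in the .dsc rather than a preprocessor macro in SEC. Since `TdxStartup (&SecCoreData);` is expected not to return, say so in the comment ("TdxStartup () never returns" rather than "Never arrived here") so the `ASSERT (FALSE); CpuDeadLoop ();` pair reads as the intended dead-path guard. Style: drop the stray blank line before ` #endif` and the leading space on the two preprocessor directives.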
> 
> Oh, wow.  So you compile in PEI, then decide at runtime whether you use it
> or not?
Yes.
In OvmfPkgX64.dsc the above code will not be built into the image. So it follows the SEC->PEI->DXE flow.
In IntelTdxX64.dsc, if it is a Tdx guest, it jumps from SEC to DXE (see TdxStartup ()). Otherwise, it follows the SEC->PEI->DXE flow (Legacy guest, SEV guest, etc.).
> 
> No.  Please don't.  That's just silly.  If you don't want to use PEI, ok, fine, but
> please go the way then, remove PEI from the build and take the PEI-less code
> path in all cases.
In the first version of TDVF, we did remove the PEI from the image. The image only contained the SEC and DXE, and only the components TDVF needs. It was a slim image.
Then the *ONE BINARY* requirement was proposed. It requires bringing up a Legacy guest and a Tdx guest with the same image. So PEI must be included in the build, and it probes for a Tdx guest at run-time so that it decides whether to go to the legacy flow (SEC->PEI->DXE) or the Tdx flow (SEC->DXE).
Below are some of the links about the discussion.
https://edk2.groups.io/g/devel/message/76023  Laszlo
https://edk2.groups.io/g/devel/message/76024  Jiewen
https://edk2.groups.io/g/devel/message/76065  Laszlo
https://edk2.groups.io/g/devel/message/76339  Erdem Aktas
https://edk2.groups.io/g/devel/message/76367  Config-A & Config-B

Thanks
Min
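
The run-time probe behind the "one binary" flow described above, as an added example that is not code from the TDVF patches or from OvmfPkg: a TDX guest identifies itself through CPUID leaf 0x21, which returns the 12-byte signature "IntelTDX    " in EBX, EDX, ECX (this is the Intel TDX guest CPUID convention, not something the patch shows; that SecTdxIsEnabled () uses exactly this check is an assumption here). The flow names, `TdxGuestDetected`, `SelectBootFlow` and `ProbeTdxGuest` are illustrative. `SelectBootFlow` mirrors the hunk's pairing of the build-time `INTEL_TDX_FULL_FEATURE` switch with the run-time probe.

```c
/*
 * Added example (not TDVF/OvmfPkg code): decide between the SEC->PEI->DXE
 * flow and the SEC->DXE (TdxStartup) flow from a run-time TDX-guest probe.
 *
 * Assumption: the probe is the TDX guest CPUID leaf 0x21 signature check.
 * In a TD, CPUID is handled by the TDX module; outside a TD the hypervisor
 * controls the answer, so this is a routing decision, not an attestation.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if (defined(__x86_64__) || defined(__i386__)) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

typedef enum {
  BOOT_FLOW_SEC_PEI_DXE, /* legacy / SEV guests: SecStartupPhase2 () path */
  BOOT_FLOW_SEC_DXE      /* TDX guest: TdxStartup () path, which never returns */
} BOOT_FLOW;

#define TDX_CPUID_LEAF 0x21u
static const char TDX_SIGNATURE[12] = "IntelTDX    ";

/* Unpack a 32-bit register into 4 bytes, low byte first (CPUID string order). */
static void RegToBytes(uint32_t reg, uint8_t out[4]) {
  for (int i = 0; i < 4; i++) {
    out[i] = (uint8_t)((reg >> (8 * i)) & 0xFFu);
  }
}

/* CPUID.(EAX=0x21,ECX=0): signature bytes are ordered EBX, EDX, ECX. */
bool TdxGuestDetected(uint32_t ebx, uint32_t ecx, uint32_t edx) {
  uint8_t sig[12];
  RegToBytes(ebx, sig);
  RegToBytes(edx, sig + 4);
  RegToBytes(ecx, sig + 8);
  return memcmp(sig, TDX_SIGNATURE, sizeof(sig)) == 0;
}

/* tdxBuild stands in for INTEL_TDX_FULL_FEATURE, tdxGuest for SecTdxIsEnabled (). */
BOOT_FLOW SelectBootFlow(bool tdxBuild, bool tdxGuest) {
  return (tdxBuild && tdxGuest) ? BOOT_FLOW_SEC_DXE : BOOT_FLOW_SEC_PEI_DXE;
}

/*
 * Probe the CPU we are running on.  Returns false on non-x86 builds, when
 * leaf 0x21 lies above the maximum basic leaf, or when the signature differs.
 */
bool ProbeTdxGuest(void) {
#if HAVE_CPUID
  unsigned int eax, ebx, ecx, edx;
  if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx)) {
    return false;
  }
  if (eax < TDX_CPUID_LEAF) {
    return false; /* leaf 0x21 not implemented: cannot be a TD */
  }
  if (!__get_cpuid_count(TDX_CPUID_LEAF, 0, &eax, &ebx, &ecx, &edx)) {
    return false;
  }
  return TdxGuestDetected(ebx, ecx, edx);
#else
  return false;
#endif
}

int main(void) {
  bool tdx = ProbeTdxGuest();
  BOOT_FLOW flow = SelectBootFlow(true, tdx); /* IntelTdxX64.dsc-style build */
  printf("TDX guest: %s -> %s\n", tdx ? "yes" : "no",
         flow == BOOT_FLOW_SEC_DXE ? "SEC->DXE (TdxStartup)" : "SEC->PEI->DXE");
  return 0;
}
```

Run on a plain host or in a non-TD VM this prints the SEC->PEI->DXE choice; the `SelectBootFlow(false, ...)` case corresponds to an OvmfPkgX64.dsc build, where the probe result is irrelevant because the TDX branch is not compiled in.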


Thread overview: 37+ messages
2021-12-14 13:41 [PATCH 00/10] Introduce TDVF Config-B (basic) in OvmfPkg Min Xu
2021-12-14 13:41 ` [PATCH 01/10] OvmfPkg: Introduce IntelTdxX64 for TDVF Config-B Min Xu
2021-12-15  9:32   ` Gerd Hoffmann
2021-12-14 13:41 ` [PATCH 02/10] EmbeddedPkg/PrePiLib: Update PrePiLib Min Xu
2021-12-14 14:00   ` [edk2-devel] " Ard Biesheuvel
2021-12-16  4:48     ` Min Xu
2021-12-14 13:41 ` [PATCH 03/10] EmbeddedPkg/MemoryAllocationLib: Add null stub for AllocateCopyPool Min Xu
2021-12-14 13:59   ` [edk2-devel] " Ard Biesheuvel
2021-12-16  3:08     ` Min Xu
2021-12-14 13:41 ` [PATCH 04/10] OvmfPkg: Add PrePiHobListPointerLibTdx Min Xu
2021-12-14 13:41 ` [PATCH 05/10] OvmfPkg: Add SecPlatformLibQemuTdx Min Xu
2021-12-15  9:48   ` Gerd Hoffmann
2022-01-07  6:29     ` Min Xu
2021-12-14 13:41 ` [PATCH 06/10] OvmfPkg: Add TdxStartupLib Min Xu
2021-12-15 10:09   ` Gerd Hoffmann
2021-12-16 11:56     ` Min Xu
2022-01-12  1:55       ` Min Xu
2021-12-14 13:41 ` [PATCH 07/10] OvmfPkg: Update TdxDxe to set TDX PCDs Min Xu
2021-12-14 13:41 ` [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B Min Xu
2021-12-15 10:27   ` Gerd Hoffmann
2021-12-16 12:21     ` Min Xu [this message]
2021-12-16 14:25       ` [edk2-devel] " Gerd Hoffmann
2021-12-19  2:49         ` Min Xu
2021-12-20 12:11           ` Gerd Hoffmann
2021-12-24  3:02             ` Min Xu
2022-01-03  8:02               ` Gerd Hoffmann
2022-01-07  6:13                 ` Min Xu
2022-01-10  7:55                   ` Gerd Hoffmann
2022-01-11  2:24                     ` Min Xu
2022-01-11  9:23                       ` Gerd Hoffmann
2022-01-14  2:17                         ` Min Xu
2022-01-14  8:32                           ` Gerd Hoffmann
2022-01-16  0:55                             ` Min Xu
2021-12-14 13:41 ` [PATCH 09/10] OvmfPkg: Update DxeAcpiTimerLib to read HostBridgeDevId in PlatformInfoHob Min Xu
2021-12-14 13:41 ` [PATCH 10/10] OvmfPkg: Add Tdx libs to prevent building broken Min Xu
2021-12-15 10:41 ` [PATCH 00/10] Introduce TDVF Config-B (basic) in OvmfPkg Gerd Hoffmann
2021-12-16 12:36   ` Min Xu
