From: "Min Xu"
To: "devel@edk2.groups.io", "kraxel@redhat.com"
CC: "Kinney, Michael D", Brijesh Singh, "Aktas, Erdem", "James Bottomley", "Yao, Jiewen", "Tom Lendacky"
Subject: Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B
Date: Thu, 16 Dec 2021 12:21:18 +0000
In-Reply-To: <20211215102753.m4bp56bdxzgmdzkr@sirius.home.kraxel.org>

On December 15, 2021 6:28 PM, Gerd Hoffmann wrote:
> On Tue, Dec 14, 2021 at 09:41:24PM +0800, Min Xu wrote:
> > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
> >
> > Tdvf Config-B skip PEI phase to reduce attack surface. So instead of
> > jumping to SecStartupPhase2 (), TdxStartup () is called. This function
> > brings up Tdx guest from SEC phase to DXE phase.
>
> > + #ifdef INTEL_TDX_FULL_FEATURE > > + if (SecTdxIsEnabled ()) { > > + TdxStartup (&SecCoreData); > > + > > + // > > + // Never arrived here > > + // > > + ASSERT (FALSE); > > + CpuDeadLoop (); > > + } > > + > > + #endif
>
> Oh, wow. So you compile in PEI, then decide at runtime whenever you use it
> or not?

Yes.
In OvmfPkgX64.dsc above code will not be built into the image. So it follows the SEC->PEI->DXE flow.
In IntelTdxX64.dsc, if it is Tdx guest, it jumps from SEC to DXE (see TdxStartup ()). Otherwise, it follows the SEC->PEI->DXE flow (Legacy guest, SEV guest, etc).

> No. Please don't. That's just silly. If you don't want use PEI, ok, fine, but
> please go the way then, remove PEI from the build and take the PEI-less code
> path in all cases.

In the first version TDVF, we do remove the PEI from the image. The image only contains the SEC and DXE, and only the components TDVF needs. It's a slim image.
Then the *ONE BINARY* requirement is proposed. It requires to bring up Legacy guest and Tdx guest with the same image. So PEI must be included in the build, and it probes Tdx guest in run-time so that it decides to go to the legacy flow (SEC->PEI->DXE) or Tdx flow (SEC->DXE).

Below are some of the links about the discussion.
https://edk2.groups.io/g/devel/message/76023 Laszlo
https://edk2.groups.io/g/devel/message/76024 Jiewen
https://edk2.groups.io/g/devel/message/76065 Laszlo
https://edk2.groups.io/g/devel/message/76339 Erdem Aktas
https://edk2.groups.io/g/devel/message/76367 Config-A & Config-B

Thanks
Min
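
Review bot: The comment ahead of `ASSERT (FALSE);` in the `SecTdxIsEnabled ()` branch reads "Never arrived here", which does not state the invariant; something like `// TdxStartup () hands off to DXE and must not return` would document it. `ASSERT (FALSE)` expands to nothing in builds with asserts disabled, so `CpuDeadLoop ();` is the only thing keeping a returning `TdxStartup ()` from falling through to the code after the `#endif`, and the comment should say that the dead loop is deliberate. The commit message says Config-B skips PEI to reduce attack surface, but the choice here is made at run time inside `#ifdef INTEL_TDX_FULL_FEATURE`, so the message should state whether the PEI code still ships in the image when this path is taken.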