From: "Min Xu"
To: "devel@edk2.groups.io", "kraxel@redhat.com"
CC: "Kinney, Michael D", Brijesh Singh, "Aktas, Erdem", "James Bottomley", "Yao, Jiewen", "Tom Lendacky"
Subject: Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B
Date: Sun, 19 Dec 2021 02:49:29 +0000
References: <20211214134126.869-1-min.m.xu@intel.com> <20211214134126.869-9-min.m.xu@intel.com> <20211215102753.m4bp56bdxzgmdzkr@sirius.home.kraxel.org> <20211216142525.pkaxszwaevlpg4ap@sirius.home.kraxel.org>
In-Reply-To: <20211216142525.pkaxszwaevlpg4ap@sirius.home.kraxel.org>
On December 16, 2021 10:25 PM, Gerd Hoffmann wrote:
> > > Oh, wow. So you compile in PEI, then decide at runtime whether you
> > > use it or not?
> > Yes.
> > In OvmfPkgX64.dsc the above code will not be built into the image. So it follows
> > the SEC->PEI->DXE flow.
> > In IntelTdxX64.dsc, if it is a Tdx guest, it jumps from SEC to DXE (see TdxStartup
> > ()). Otherwise, it follows the SEC->PEI->DXE flow (Legacy guest, SEV guest, etc).
>
> > > No. Please don't. That's just silly. If you don't want to use PEI,
> > > ok, fine, but please go the way then, remove PEI from the build and
> > > take the PEI-less code path in all cases.
>
> > In the first version of TDVF, we did remove the PEI from the image. The
> > image only contained the SEC and DXE, and only the components TDVF
> > needs. It's a slim image. Then the *ONE BINARY* requirement was
> > proposed. It requires bringing up Legacy guest and Tdx guest with the
> > same image. So PEI must be included in the build,
>
> Why? Booting non-tdx guests without PEI shouldn't be fundamentally
> different from a TDX guest. Memory detection needs fw_cfg instead of the
> td_hob, and you have to skip some tdx setup steps, but that should be it.
> Code for all that exists in PlatformPei, it only needs to be moved to a place
> where SEC can use it too.
>
> Yes, you can't include a number of features which depend on PEI into the build
> then. But config-b wants to be a stripped down build anyway, right?
>
> One major advantage of having a single binary is that most aspects of the
> SEC->DXE boot workflow can also be tested without TDX. Easier for developers.
> Easier for CI coverage. Especially now where we talk about pre-production
> hardware support.
>
> When building a frankenstein image which uses SEC->DXE with TDX and
> SEC->PEI->DXE without TDX you lose that advantage, because that is
> effectively a two-in-one binary.
>
> > and it probes Tdx
> > guest at run-time so that it decides to go to the legacy flow
> > (SEC->PEI->DXE) or Tdx flow (SEC->DXE).
>
> Ok, so the state with wave-2 merged will be:
>
>  * We have the ovmf build, which supports native/sev/tdx guests,
>    with basic tdx support (aka config-a).
>
>  * We have the amdsev variant (supports native/sev/not-sure-about-tdx),
>    which is largely identical to the normal build, only unwanted
>    drivers removed (no network etc), grub boot loader added and its own
>    PlatformBootManagerLib to have a more strict boot policy (all dxe
>    phase changes).
>
> So, where to go from here?
>
> I still think the best way forward would be to model the inteltdx build (aka
> config-b) similar to the amdsev variant. Just disable the stuff you don't need,
> add support for the advanced tdx features (measurement etc), but otherwise
> continue to use the same SEC->PEI->DXE boot workflow.
>
> Advantages:
>  * It should be relatively easy to unify amdsev + inteltdx into one
>    binary.
>  * No quirks needed due to SEC/PEI differences. SEC can't set PCDs,
>    leading to patches like #9 of this series (and there was another
>    similar one ...).
>
> The other route (as preferred by Jiewen) would be to not use PEI in inteltdx.
> Requires some reorganization of the qemu platform initialization code
> (probably move to lib) so we can run the same code (without using cut+paste
> programming) in both sec and pei phase.
> Clearly not my preference, but should work too.
>
> A better solution for the PCD issue (and possibly other similar issues popping up
> later) would be good. Can't we handle that early in PlatformDxe? So we have
> one single place for those quirks, and the dxe drivers don't need to know
> about the SEC->DXE and SEC->PEI->DXE differences?
>
Thanks Gerd for the review comments.

Yes, TDVF Config-B is a stripped down build and it is to be a more secure solution (because RTMR based measurement/measured boot is enabled, un-used drivers are excluded to reduce attack surface, all external inputs are sanity checked/measured, etc).

We would like to split TDVF Config-B into the below stages.

1. Basic Config-B (wave-3)
  1.1 A standalone IntelTdxX64.dsc/.fdf. Un-used drivers/libs are removed from the fdf, such as network components, SMM drivers, TPM drivers, etc.
  1.2 PEI FV is excluded from the build. Only DxeFV is included.
  1.3 Since PEI FV is excluded from the build, Basic Config-B can only bring up a Tdx guest. It *CAN NOT* bring up a legacy guest.

2. Advanced Config-B (wave-4)
  2.1 RTMR based measurement and measured boot are enabled
  2.2 External input is checked and measured

3. Full feature Config-B (wave-5)
  3.1 Add *basic* Ovmf features without PEI, to achieve the *ONE Binary* goal. (Here basic means S3 is not supported without PEI.)

@Gerd, what's your thought?

Thanks
Min