From: "Min Xu" <min.m.xu@intel.com>
To: Gerd Hoffmann <kraxel@redhat.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
Brijesh Singh <brijesh.singh@amd.com>,
"Erdem Aktas" <erdemaktas@google.com>,
James Bottomley <jejb@linux.ibm.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [edk2-devel] [PATCH 18/23] OvmfPkg: Enable Tdx in SecMain.c
Date: Tue, 24 Aug 2021 12:07:02 +0000
Message-ID: <PH0PR11MB50648B0CCE6CFC4D1B177712C5C59@PH0PR11MB5064.namprd11.prod.outlook.com>
In-Reply-To: <20210820072253.plne3mudm3dj6777@sirius.home.kraxel.org>
On August 20, 2021 3:23 PM, Gerd Hoffmann wrote:
> On Thu, Aug 19, 2021 at 02:27:16PM +0000, Min Xu wrote:
> > On August 19, 2021 2:50 PM, Gerd Hoffmann wrote:
> > > > +/**
> > > > + In Tdx guest, some information need to be passed from host VMM
> > > > +to
> > > guest
> > > > + firmware. For example, the memory resource, etc. These
> > > > + information are prepared by host VMM and put in HobList which
> > > > + is described in
> > > TdxMetadata.
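Review bot: the function comment says the HobList is "prepared by host VMM" but does not say what the firmware checks before consuming it. Since that input originates outside the guest, state in the comment which fields are validated (or where that validation happens), and fix the grammar to "some information needs to be passed" and "This information is prepared".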
> > >
> > > What kind of information is passed to the guest here?
> > Please see
> > https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
> > Section 4.2 TD Hand-Off Block (HOB)
>
> So basically the physical memory map.
> qemu has etc/e820 for that.
>
> > > qemu has fw_cfg to pass information from the VMM to the guest firmware.
> > > What are the reasons to not use fw_cfg?
> > Not all VMMs support fw_cfg. Cloud-Hypervisor is an example.
>
> I can't see any support for Cloud-Hypervisor in OVMF.
Right, currently OVMF is not supported by Cloud-Hypervisor in a Td guest. But we're
planning to support Cloud-Hypervisor launching OVMF in a Td guest and have done
some POC.
>
> Also FreeBSD's bhyve doesn't support fw_cfg either and has its own ways to
> detect memory. Cloud-Hypervisor can surely do that too.
>
> So, why does this matter?
Yes, Cloud-Hypervisor has some POC to launch OVMF in a Non-Td guest. In that POC
Cloud-Hypervisor leverages a 4k page in MEMFD and passes ACPI data to guest
firmware in that memory.
https://github.com/cloud-hypervisor/edk2 "ch" branch
https://github.com/cloud-hypervisor/edk2/commit/52cb72a748ef70833100ca664f6c2a704c28a93f
>
> > https://github.com/cloud-hypervisor/cloud-hypervisor
> > TD Hob list gives Cloud-Hypervisor a chance to pass information to guest firmware.
> > For example, ACPI can be downloaded from QEMU via fw_cfg to firmware.
> > But Cloud-Hypervisor cannot pass ACPI via fw_cfg. In this situation,
> > TD Hob can resolve this problem.
>
> Sure, but again, why does this matter? For qemu?
I don't quite understand the question here (For qemu?).
What I mean in my last answer is that TD Hob can resolve the problem when the host VMM
doesn't support the fw_cfg communication mechanism.
For the host VMMs which don't support fw_cfg, when ACPI data needs to be passed to guest
firmware, a 4k page (to hold ACPI data) is added in MEMFD. Then when SMBIOS is needed,
shall we add another page in MEMFD? If the ACPI data is too big to be held in a 4k page, then
the size of the reserved memory region in MEMFD is the restriction.
>
> I don't like the idea to have TDX take a completely different code path.
> That increases the code complexity and makes testing harder for no good
> reason.
TD Hob is not a completely different code path. This is a useful supplement to fw_cfg, which
is not supported by some host VMMs.
From another perspective TD Hob can be treated as a set of launch parameters by host VMM.
It provides the flexibility for the host VMM to bring up the guest firmware with more parameters.
Another benefit is that TD Hob can be measured into some secure register (for example, in a TD guest
it is the RTMR registers, like the TPM PCR) so that attestation can be done based on the measurement.
Thanks Gerd for the comments. I am not sure if my explanation addressed your concern. Your comments
are always welcome.
>
Thanks!
Min
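
The HOB list discussed in this message is written by the host VMM and read by guest firmware, so its lengths need checking before the list is walked or hashed for measurement. The following is an added example, not code from the patch series or from EDK2: a bounds-checked walk over the generic HOB headers. The names `td_hob_list_span` and `put_hob` are hypothetical, the sample list is constructed, and the header layout and type values are assumed from the UEFI PI specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* HOB header layout and type values assumed from the UEFI PI specification. */
enum { HOB_HANDOFF = 0x0001, HOB_RESOURCE = 0x0003, HOB_END = 0xFFFF };
typedef struct {
  uint16_t HobType;
  uint16_t HobLength;  /* bytes in this HOB, header included */
  uint32_t Reserved;
} HOB_HEADER;

/* Hypothetical helper, not an EDK2 function. Walks a HOB list in a region of
   `size` bytes filled in by the host VMM. Returns the byte span of the list
   (end marker included) or 0 if malformed; *resources receives the number of
   resource descriptor HOBs seen. */
size_t td_hob_list_span(const uint8_t *buf, size_t size, unsigned *resources)
{
  size_t off = 0;
  unsigned count = 0;
  while (size - off >= sizeof(HOB_HEADER)) {
    HOB_HEADER h;
    memcpy(&h, buf + off, sizeof h);           /* avoid unaligned reads */
    if (off == 0 && h.HobType != HOB_HANDOFF)
      return 0;                                /* list must open with the PHIT HOB */
    if (h.HobLength < sizeof h || (h.HobLength & 7) != 0)
      return 0;                                /* a zero length would never advance */
    if (h.HobLength > size - off)
      return 0;                                /* HOB claims bytes past the region */
    off += h.HobLength;
    if (h.HobType == HOB_END) {
      *resources = count;
      return off;
    }
    if (h.HobType == HOB_RESOURCE)
      count++;
  }
  return 0;                                    /* region ended before the end marker */
}

/* Builds constructed sample input: writes one header at off and returns the
   offset of the next HOB. */
size_t put_hob(uint8_t *buf, size_t off, uint16_t type, uint16_t len)
{
  HOB_HEADER h = { type, len, 0 };
  memcpy(buf + off, &h, sizeof h);
  return off + len;
}
```

The returned span is the exact byte range a caller could hash when measuring the list, so a truncated or self-overlapping list is rejected before it influences either the memory map or the measurement.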