From: Min Xu
To: Gerd Hoffmann
Cc: devel@edk2.groups.io, Leif Lindholm, Ard Biesheuvel, "Chang, Abner", "Schaefer, Daniel", "Aktas, Erdem", James Bottomley, "Yao, Jiewen", Tom Lendacky
Subject: Re: [PATCH V3 0/7] Enable secure-boot when lauch OVMF with -bios parameter
Date: Thu, 30 Jun 2022 22:56:19 +0000
In-Reply-To: <20220630132823.soam44jmopahv63y@sirius.home.kraxel.org>

On June 30, 2022 9:28 PM, Gerd Hoffmann wrote:
> On Wed, Jun 29, 2022 at 04:56:56PM +0800, Min Xu wrote:
> > Secure-Boot related variables include the PK/KEK/DB/DBX and they are
> > stored in NvVarStore (OVMF_VARS.fd). When launching with -pflash,
> > QEMU/OVMF will use emulated flash, and fully support UEFI variables.
> > But when launching with -bios parameter, UEFI variables will be
> > partially emulated, and non-volatile variables may lose their contents
> > after a reboot.
> > See OvmfPkg/README.
> >
> > Tdx guest is an example where -pflash is not supported. So this
> > patch-set is designed to initialize the NvVarStore with the content of
> > OVMF_VARS.fd.
> >
> > patch 1:
> > Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
> > This function will be used in PeilessStartupLib which will run in
> > SEC phase.
> >
> > patch 2:
> > Delete the TdxValidateCfv in PeilessStartupLib. Because it is going
> > to be renamed to PlatformValidateNvVarStore and be moved to
> > PlatformInitLib.
> >
> > patch 3 - 7:
> > Then we add functions for EmuVariableNvStore in PlatformInitLib. This
> > lib will then be called in OvmfPkg/PlatformPei and PeilessStartupLib.
> > We also shortcut ConnectNvVarsToFileSystem in secure-boot.
> >
> > patch 8:
> > At last a build-flag (SECURE_BOOT_FEATURE_ENABLED) is introduced in
> > the dsc in OvmfPkg. Because the copy over of OVMF_VARS.fd to
> > EmuVariableNvStore is only required when secure-boot is enabled.
> >
> > Code: https://github.com/mxu9/edk2/tree/secure-boot.v3
>
> /usr/bin/ld: /home/kraxel/projects/edk2/Build/IntelTdx/DEBUG_GCC5/X64/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib/OUTPUT/SecPeiCpuExceptionHandlerLib.lib(ExceptionHandlerAsm.obj): warning: relocation in read-only section `.text'
> /usr/bin/ld: /tmp/ccCEPSuH.ltrans0.ltrans.o: in function `SecCoreStartupWithStack':
> /home/kraxel/projects/edk2/OvmfPkg/Library/PlatformInitLib/Platform.c:760: undefined reference to `AllocateRuntimePages'
> /usr/bin/ld: /tmp/ccCEPSuH.ltrans0.ltrans.o:/home/kraxel/projects/edk2/OvmfPkg/Library/PlatformInitLib/Platform.c:760: undefined reference to `AllocateRuntimePages'
> /usr/bin/ld: warning: creating DT_TEXTREL in a PIE
> collect2: error: ld returned 1 exit status
> make: *** [GNUmakefile:431: /home/kraxel/projects/edk2/Build/IntelTdx/DEBUG_GCC5/X64/OvmfPkg/IntelTdx/Sec/SecMain/DEBUG/SecMain.dll] Error 1
>

Ah, my bad. I forgot to send the patch below in the series.

fec80e84db 2022-06-22 EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib [Min M Xu]

It is in https://github.com/mxu9/edk2/tree/secure-boot.v3
I will send a new version with this patch soon.

> adding a build test for intel tdx to ci is probably a good idea ...

I have submitted such a build test and it has been acked. But it hasn't been merged. I will ask Jiewen to merge it.
https://edk2.groups.io/g/devel/message/89803

Thanks
Min
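The cover letter quoted above copies the NvVarStore content of OVMF_VARS.fd into EmuVariableNvStore during SEC and mentions a PlatformValidateNvVarStore step before that copy. The security-relevant point is that with -bios the variable store arrives as a blob the firmware did not write itself, so the firmware volume header and the variable store header have to be bounds-checked before any length read from the image drives a copy. The stand-alone C program below is an added example written for this page; it is not edk2's PlatformValidateNvVarStore and does not reproduce its exact checks. It assumes the EFI_FIRMWARE_VOLUME_HEADER and VARIABLE_STORE_HEADER layouts and the GUID values from the edk2 headers, a two-entry block map (matching the constructed sample only), a constructed 4 KiB sample image, and a hypothetical numbering of the failure reasons.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts follow EFI_FIRMWARE_VOLUME_HEADER (PI spec) and edk2's
 * VARIABLE_STORE_HEADER. Packed so the structs can be copied to and from a
 * raw image byte for byte. The 2-entry BlockMap is an assumption that fits
 * the constructed sample below; this is not a general FV parser. */
#pragma pack(push, 1)
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;

typedef struct { uint32_t NumBlocks; uint32_t Length; } FV_BLOCK_MAP_ENTRY;

typedef struct {
  uint8_t            ZeroVector[16];
  EFI_GUID           FileSystemGuid;   /* gEfiSystemNvDataFvGuid for a varstore */
  uint64_t           FvLength;
  uint32_t           Signature;        /* "_FVH" */
  uint32_t           Attributes;
  uint16_t           HeaderLength;
  uint16_t           Checksum;         /* 16-bit word sum of the header must be 0 */
  uint16_t           ExtHeaderOffset;
  uint8_t            Reserved;
  uint8_t            Revision;
  FV_BLOCK_MAP_ENTRY BlockMap[2];      /* last entry is the {0,0} terminator */
} FV_HEADER;

typedef struct {
  EFI_GUID Signature;   /* gEfiAuthenticatedVariableGuid or gEfiVariableGuid */
  uint32_t Size;        /* includes this header */
  uint8_t  Format;      /* VARIABLE_STORE_FORMATTED */
  uint8_t  State;       /* VARIABLE_STORE_HEALTHY */
  uint16_t Reserved;
  uint32_t Reserved1;
} VARIABLE_STORE_HEADER;
#pragma pack(pop)

#define FV_SIGNATURE             0x4856465Fu  /* "_FVH" as a little-endian uint32 */
#define VARIABLE_STORE_FORMATTED 0x5a
#define VARIABLE_STORE_HEALTHY   0xfe
#define SAMPLE_SIZE              4096

static const EFI_GUID gEfiSystemNvDataFvGuid        = { 0xFFF12B8D, 0x7696, 0x4C8B, { 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50 } };
static const EFI_GUID gEfiAuthenticatedVariableGuid = { 0xAAF32C78, 0x947B, 0x439A, { 0xA1, 0x80, 0x2E, 0x14, 0x4E, 0xC3, 0x77, 0x92 } };
static const EFI_GUID gEfiVariableGuid              = { 0xDDCF3616, 0x3275, 0x4164, { 0x98, 0xB6, 0xFE, 0x85, 0x70, 0x7F, 0xFE, 0x7D } };

/* Sum of little-endian 16-bit words, modulo 2^16 (the CalculateSum16 rule). */
static uint16_t Sum16(const uint8_t *buf, size_t len) {
  uint16_t sum = 0;
  for (size_t i = 0; i + 1 < len; i += 2)
    sum = (uint16_t)(sum + (uint16_t)(buf[i] | (buf[i + 1] << 8)));
  return sum;
}

/* Returns 0 for a well-formed NV variable store image, otherwise a reason
 * code (hypothetical numbering). Every length read from the image is checked
 * against the buffer before it is used, so a hostile FvLength or Size cannot
 * steer a later copy past the end of the buffer. */
int ValidateNvVarStore(const uint8_t *image, size_t imageSize) {
  FV_HEADER fv;
  VARIABLE_STORE_HEADER vs;

  if (image == NULL || imageSize < sizeof fv) return 1;
  memcpy(&fv, image, sizeof fv);
  if (fv.Signature != FV_SIGNATURE) return 2;
  if (memcmp(&fv.FileSystemGuid, &gEfiSystemNvDataFvGuid, sizeof(EFI_GUID)) != 0) return 3;
  if (fv.HeaderLength < sizeof fv || fv.HeaderLength > imageSize) return 4;
  if (fv.FvLength < fv.HeaderLength || fv.FvLength > imageSize) return 5;
  if (Sum16(image, fv.HeaderLength) != 0) return 6;
  if ((uint64_t)fv.HeaderLength + sizeof vs > fv.FvLength) return 7;
  memcpy(&vs, image + fv.HeaderLength, sizeof vs);
  if (memcmp(&vs.Signature, &gEfiAuthenticatedVariableGuid, sizeof(EFI_GUID)) != 0 &&
      memcmp(&vs.Signature, &gEfiVariableGuid, sizeof(EFI_GUID)) != 0) return 8;
  if (vs.Format != VARIABLE_STORE_FORMATTED || vs.State != VARIABLE_STORE_HEALTHY) return 9;
  if ((uint64_t)fv.HeaderLength + vs.Size > fv.FvLength) return 10;
  return 0;
}

/* Constructed sample: the two headers an OVMF_VARS.fd-style image carries in
 * front of an empty (0xFF-filled) variable region. Not taken from a real file. */
static void BuildSampleHeaders(FV_HEADER *fv, VARIABLE_STORE_HEADER *vs, uint32_t fvLength) {
  memset(fv, 0, sizeof *fv);
  fv->FileSystemGuid = gEfiSystemNvDataFvGuid;
  fv->FvLength       = fvLength;
  fv->Signature      = FV_SIGNATURE;
  fv->HeaderLength   = (uint16_t)sizeof *fv;
  fv->Revision       = 2;
  fv->BlockMap[0].NumBlocks = fvLength / SAMPLE_SIZE;
  fv->BlockMap[0].Length    = SAMPLE_SIZE;
  /* Checksum is still 0 here, so this value makes the header's word sum 0. */
  fv->Checksum = (uint16_t)(0u - Sum16((const uint8_t *)fv, sizeof *fv));

  memset(vs, 0, sizeof *vs);
  vs->Signature = gEfiAuthenticatedVariableGuid;
  vs->Size      = fvLength - (uint32_t)sizeof *fv;
  vs->Format    = VARIABLE_STORE_FORMATTED;
  vs->State     = VARIABLE_STORE_HEALTHY;
}

/* Build the sample, optionally damage one field, then validate it.
 * 0 = intact, 1 = flipped checksum, 2 = store not marked healthy,
 * 3 = FvLength claims more bytes than the buffer holds. */
int ValidateSample(int corruption) {
  static uint8_t buf[SAMPLE_SIZE];
  FV_HEADER fv;
  VARIABLE_STORE_HEADER vs;

  BuildSampleHeaders(&fv, &vs, SAMPLE_SIZE);
  if (corruption == 1) fv.Checksum ^= 1;
  if (corruption == 2) vs.State = 0xff;
  if (corruption == 3) fv.FvLength = SAMPLE_SIZE + 1;

  memset(buf, 0xff, sizeof buf);
  memcpy(buf, &fv, sizeof fv);
  memcpy(buf + sizeof fv, &vs, sizeof vs);
  return ValidateNvVarStore(buf, sizeof buf);
}

int main(void) {
  const char *cases[] = { "intact image", "checksum flipped", "store not healthy", "FvLength past buffer" };
  for (int i = 0; i < 4; i++)
    printf("%-22s -> reason %d\n", cases[i], ValidateSample(i));
  return 0;
}
```

The order of the checks matters: FvLength and HeaderLength are compared against the real buffer size before the checksum is computed over HeaderLength bytes, and the variable store's Size is compared against FvLength before anything would be copied, so a crafted header cannot make the checker itself read out of bounds.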