From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mx.groups.io with SMTP id smtpd.web10.3930.1630474910028568057 for ; Tue, 31 Aug 2021 22:41:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=nKO7pc6J; spf=pass (domain: intel.com, ip: 134.134.136.126, mailfrom: min.m.xu@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10093"; a="205764311" X-IronPort-AV: E=Sophos;i="5.84,368,1620716400"; d="scan'208";a="205764311" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Aug 2021 22:41:48 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.84,368,1620716400"; d="scan'208";a="475967612" Received: from orsmsx602.amr.corp.intel.com ([10.22.229.15]) by orsmga008.jf.intel.com with ESMTP; 31 Aug 2021 22:41:48 -0700 Received: from orsmsx603.amr.corp.intel.com (10.22.229.16) by ORSMSX602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Tue, 31 Aug 2021 22:41:48 -0700 Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12 via Frontend Transport; Tue, 31 Aug 2021 22:41:48 -0700 Received: from NAM02-DM3-obe.outbound.protection.outlook.com (104.47.56.47) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.10; Tue, 31 Aug 2021 22:41:44 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SLNiCGYC5vy5u/wuSA0S6B0ny+4nOEPVeGHhWXfc6AzWsAlyLX0r6kt2QKiN7BgxORQmCO6ojfdCPJ9HrjfqET5YebqfRlpPC0LNppp8YRXjzX8CqkHOMSNk79WsuisV6l78DddDlm5DWmqCbnWX/21zjX6X9rPJ2Kq4SYhlp+cXrOWZpDr58klPuAemBGN3zRj/05G1b0exBf6zFZI1R8mgpY1GZRL9NjaB+Ta0Yqxr7lmBID8R6+ylEDGHIvyKebqTTQtixB9xzloi4tAqO9W9eFYgiQ4abS2xPuVXENhuU9f+bToHzJhlj/ch8Lg/4zUF3BgYX+QAtkq92xGbsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=WISLmEv/OwSxTmgwdNmxpo7WiMJUaduwqIcTEJiaIm4=; b=AdZrZVvnB+b9oHj2QsFw4GsWzlflXxwdFVItLFwnXWly6GoicgHXsirst7VVTqLCruId/LavvqIxDdHY3O4/U42woUuf/dsXxhfnmBi5B555oxyqupwXEcAylkPSSDE19eMP4zdevQGWIPWBrWsrUN7KUlyw/A8noVdif5lrSJW6OorQ1eEy7HEWhIaVFXieQpTXtu18Fc9rubTfdipONOw7/urG1YSsWShKsLByXwKk18/KiwHUdCivwdn5MZZ3+jHgrT61/7j3yqWTXd6+X+QIUKjPwJSVpTHjOsaRb4RMoKWt8nW1Xim8SyKoKCjNwBK5JMfJ3FJwZAXQA+kbKg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WISLmEv/OwSxTmgwdNmxpo7WiMJUaduwqIcTEJiaIm4=; b=nKO7pc6J5Ut7SqaNbq/zxmdxNmIqaIRvw6HqX7UBPfoQ1w4adYt5+EQkm7isYK2RL0exbMjA6f2yD0yHv9D70Qb+SXmiDc9uL+aX6PUNBKV+lzRUwMtcGmZOso1Sz5+2lP1GslaUvU6EqwaB6AJt6spjmQ4Eg6+TR12wTHz0cBM= Received: from PH0PR11MB5064.namprd11.prod.outlook.com (2603:10b6:510:3b::15) by PH0PR11MB5063.namprd11.prod.outlook.com (2603:10b6:510:3d::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.19; Wed, 1 Sep 2021 05:41:43 +0000 Received: from PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::c93:200e:5aeb:e11b]) by PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::c93:200e:5aeb:e11b%3]) with mapi id 15.20.4415.029; Wed, 1 Sep 2021 05:41:43 +0000 From: "Min Xu" To: Gerd Hoffmann , "devel@edk2.groups.io" CC: Brijesh Singh , "Dong, Eric" , Erdem Aktas , "Wu, Hao A" , "Wang, Jian J" , James Bottomley , "Yao, Jiewen" , Liming Gao , "Kinney, Michael D" , "Ni, Ray" , "Kumar, Rahul1" , Tom Lendacky , "Liu, Zhiguang" Subject: Re: [edk2-devel] [PATCH 00/23] Enable Intel TDX in OvmfPkg (SEC/PEI) Thread-Topic: [edk2-devel] [PATCH 00/23] Enable Intel TDX in OvmfPkg (SEC/PEI) Thread-Index: AQHXj3E7+KIR3UGKGEirDzO1+LWv66uNi8sAgAE3ALA= Date: Wed, 1 Sep 2021 05:41:43 +0000 Message-ID: References: <20210831104540.4um7x5zz4aq3oaq6@sirius.home.kraxel.org> In-Reply-To: <20210831104540.4um7x5zz4aq3oaq6@sirius.home.kraxel.org> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-reaction: no-action dlp-version: 11.5.1.3 authentication-results: redhat.com; dkim=none (message not signed) header.d=none;redhat.com; dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 745b2100-32c4-42f3-d53e-08d96d0b2e00 x-ms-traffictypediagnostic: PH0PR11MB5063: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:8273; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 04+j3yBkBVJ+Ibij+iyNelpizTH2UpHT9mKsZJUmGjOepcipaUvPy/NdNSSdKevShPkJWFkdO9aIH7dFu9O56g/eHTiqdeqnkyaTRwJSKcf25I/WDMnWMi0zTgsFxcG+VumNcSwhnjkyovi58/1DtLAuZWow2PQXs/gW31Jpc8QAdJLSODtPbooGcqrPcZHJbwNJJ3arKQ2sPrSPM+lpMFICJrh1wRC+QRtgS2rcvJwqo9KLTQ/KAD3VJrwSw93E2XGArymTdG28aF4LppOeFmWvN72SLHc6++Z8Rxm8O2yILhWpu52kBbIEBa0MMVl3j8B2eWuRhEGsMuKT1v+xuHN1x/MVx6e0vxLBHId3zBCMdg41PPQhC8ehAisQApLJKierTUFCNwQRPZDjU1fiu4giXAg/2vI3Zh0aYxZQZ5tuBA97yWDori+cXl4yiVRJz3PG15hZRcUeawg+LwJlp8wxY7WJgzFGlGVigRsjVvxd+l+MlEyvKTdqborElpNhNfFjc9x1vqN3ECpYoD8u7XNiKCAWmdWmc7jWw1zPHr9AIBbIQh2rpwfOvF20Im51OGINCFbwpAAU8CdvRh4odtl4o92h9dXnWlMTPQ8NBBiXyCbcS4IGlj1/gxXimK5A7N3xUpcwyd6681de0emH2e9cdPoaYwFDX69fNjeddq+eWjzZJiozYiVEavkKDch/Tz4yfdi4+mI+U6joYmXxkzwaaFDUQbDOBgbiR47WShQiBAtFeupKe0qHgNL0xKSAyQrxshAyPssvBCCj8G1xjx6NXRTiZ2ZNVvlSPAb0rkZOehiYP1skTW1T2VYiAAPOGcn7X06V6sg/d8LZDB62mg== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB5064.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(136003)(346002)(39860400002)(366004)(396003)(376002)(966005)(8676002)(186003)(64756008)(107886003)(7696005)(38070700005)(66556008)(66476007)(26005)(38100700002)(76116006)(4326008)(6506007)(33656002)(122000001)(66946007)(55016002)(478600001)(2906002)(66446008)(86362001)(5660300002)(71200400001)(8936002)(54906003)(9686003)(52536014)(110136005)(316002);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?ML+T097olVRuyG4zPhzy7rtPsFPGqGJuxmr/oF9hBwGdXuV1Dh5TpOV7M77i?= =?us-ascii?Q?2PgXVQDbNVJnKcEO8bLELaGQ9quIz9K0CXTVN+hL+fdgg/VXDxLR37oFA+hO?= =?us-ascii?Q?/6NQHz/1UGQCykG7T889E0G8NoAqAm8uhdMeUG5YuZ6uti46yvNZ0hWt95oJ?= =?us-ascii?Q?evBBfpleqzZBR1PrSNRR98pbtfJdRLlcw/HMZk039/KLXCn7mdNXwvCD4gno?= =?us-ascii?Q?xeFCN1dbIa2F3U43FYJTyJ41ZvVbPZPKZHA0Gf0+MWXLG1oZFE+awIFGKeGc?= =?us-ascii?Q?DzWJ3hbM7eNsyuekZMPV5Aa86PG9/2tnaIY4nq4oqAPia886Yk0PM2sfOmUI?= =?us-ascii?Q?2Gm0b1ymeV4cmFAIML6Aas0ZJCz5i88lQkhd+ZfCeTEm9U4/WCFE+o25t9fq?= =?us-ascii?Q?eY6TyQt233BtfcffsOVH4GCVPxM3sodJhyiMulEjBiZbbUpETGYXOll/s3XV?= =?us-ascii?Q?p3/tHq1+L/nabEJfT0mN8zkQ3Wc6UIrRIpUMhdfMNI93hwjHQaOZQhvV+l5/?= =?us-ascii?Q?86rFHqTKa6ZAeWEnr23Ewd0k8is5CzEwkeHFGdereOP+RwOLWLEX8Rk88pNy?= =?us-ascii?Q?6ub2scxO1VXoFkWgjWxPSYRjzDgnbirJ44Mm7efdu6/0UD17m+Sz52+u1hDn?= =?us-ascii?Q?VRoc4Eseq3P2m5ECFiwP6PrhgGcSaQTKYilv3q4n1ydmns3l/ZrWK2PSxhzF?= =?us-ascii?Q?XERT90TXU2pICo4QPvPQcfe9/PBjnzK5oiwsOohJIF2XiCz3rtfq46Hb8098?= =?us-ascii?Q?ToX3/+QSr+ZOdVRRwlX3Jp5olJ7kxTT2+c1ipR1mXeH6BzLAr3DISTV8zxir?= =?us-ascii?Q?2KoKF1TCXRKtRKTM4JZw0eIB1ga57l6uhDnc3RJo+GoFywpmUKDNTPLf04G2?= =?us-ascii?Q?TeKamiCo1wiW2a1uu37CM5plHO3jHfxqSAA7CJDYtr2uCBFn8k+zOcJOSi4r?= =?us-ascii?Q?CCs608MoAWwcuUXSMuhyf96BPMJtJD3um1EYXU9LU5sLca/KK54Mk6Up1OqP?= =?us-ascii?Q?czdpV2Chw5uRpjgEcPepyeaDO4B4ZKh/xnBGOTDVtrI0klxwct9ZT9yhb2kr?= =?us-ascii?Q?3huf7Cqs9iukBc8HrjA/f/CWWVVp5uLOEhhBMVcKWJ1LwbIakM43TcE4lKXq?= =?us-ascii?Q?tk03QfsYDgEE7Ekiy+Sj24rOCd4I0rBVnvJwmtm5IiZpOKKHQu6Ezx35vJSu?= =?us-ascii?Q?q/gBfw6II2YmlcuE6n63Fsiob7MuOpL6PcsPm0PXKZOIpHUVZbspbG9d/Af6?= =?us-ascii?Q?NV8+ECX6XNaDDBP7k8AaDvkTYeMSPfa2DhrQxITFwkwlO7LC1sFnl5itiVKb?= =?us-ascii?Q?tV/Ah8xpzx9e1Lqtxabx3mpc?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB5064.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 745b2100-32c4-42f3-d53e-08d96d0b2e00 X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Sep 2021 05:41:43.1578 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: LRDJzrCaZII1wpBe2GZdF5tU6u4K4n7NCy3a97SY6hHcQt8uNGWvQn2Xvrco1ZVqKwEVp0kpBahJ/z0kJPMs6w== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5063 Return-Path: min.m.xu@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable On August 31, 2021 6:46 PM, Gerd Hoffmann wrote: > Hi, >=20 > > [TDX]: https://software.intel.com/content/dam/develop/external/us/en/ > > documents/tdx-whitepaper-final9-17.pdf >=20 > So, coming back to this after reading through a bunch of docs and patches= with > some high-level questions. The whitepaper lists two ovmf configs: >=20 > (1) config-a, supporting normal/sev/tdx with basic features. > (2) config-b, supporting normal/tdx with more features. >=20 > What of this is implemented by this patch series? > config-a? completely? parts of it? Because the total patch-sets for TDVF upstreaming is too big and there are = 2 configurations. So we split the upstreaming into below waves. Config-A Config-B Phase Wave-1 Y Y ResetVector Wave-2 Y N SEC/PEI Wave-3 Y N DXE Wave-4 N Y SEC (PEI is = skipped) Wave-5 N Y DXE So this patch-set is wave-2 and for Config-A (SEC/PEI). >=20 > The whitepaper also doesn't explain very well why we have two configurati= ons > in the first place. It describes *what* are the differences but not *why= * they are > there. The whitepaper describes the TDVF as a standalone image. It is *not* one im= age. It can only run on TD guest. Then came the *One Image* requirement. TDVF should be able to run on Legacy= guest,=20 Td guest, even SEV guest with ONE image. Things become very complicated.=20 See discussion in https://edk2.groups.io/g/devel/topic/83283616#76022 >=20 > Apparently some of the additional features supported by config-b are eith= er > more difficult or impossible to implement in config-a. > Is that correct? Is that explained in more detail somewhere? It's correct. Some additional features are not supported in Config-A. For e= xample the TD RTMR based measured boot.=20 There are design slides, recorded meetings in below link https://edk2.groups.io/g/devel/files/Designs/2021/0611 Any questions please let us know. We will try our best to answer/address yo= ur concerns.=20 Thanks! Min