From: "Min Xu" <min.m.xu@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"brijesh.singh@amd.com" <brijesh.singh@amd.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
	"Justen, Jordan L" <jordan.l.justen@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Erdem Aktas <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [edk2-devel] [PATCH V6 1/1] OvmfPkg: Enable TDX in ResetVector
Date: Wed, 15 Sep 2021 02:13:09 +0000
Message-ID: <PH0PR11MB5064C1E682217E56D825774AC5DB9@PH0PR11MB5064.namprd11.prod.outlook.com>
In-Reply-To: <2d085336-386b-8492-5f0e-ce9e0c49e8b6@amd.com>

On September 14, 2021 7:25 PM, Brijesh Singh wrote:
> 
> Hi Min,
> 
> A quick question below.
> 
> On 9/14/21 3:50 AM, Min Xu wrote:
> > RFC:
> >
> > 1. Definition of BFV & CFV
> > Tdx Virtual Firmware (TDVF) includes one Firmware Volume (FV) known as
> > the Boot Firmware Volume (BFV). The FV format is defined in the UEFI
> > Platform Initialization (PI) spec. BFV includes all TDVF components
> > required during boot.
> >
> > TDVF also includes a configuration firmware volume (CFV) that is
> > separated from the BFV. The reason is that the CFV is measured in
> > RTMR, while the BFV is measured in MRTD.
> >
> > In practice BFV is the code part of Ovmf image (OVMF_CODE.fd). CFV is
> > the vars part of Ovmf image (OVMF_VARS.fd).
> >
> > 2. PcdOvmfImageSizeInKb
> > PcdOvmfImageSizeInKb indicates the size of Ovmf image. It is used to
> > calculate the offset of TdxMetadata in ResetVectorVtf0.asm.
> 
> In SEV-SNP v7 series, I implemented the metadata support. I did not see a
> need for the PcdOvmfImageSizeInKB. Why do you need it? I think your
> calculation below will not work if someone is using the OVMF_CODE.fd
> instead of OVMF.fd. Have you tried booting with OVMF_CODE.fd ?
In the original PoC, TDVF is required to be launched with OVMF.fd (OVMF_CODE.fd and OVMF_VARS.fd are not supported) because of the TDX-QEMU limitation. So PcdOvmfImageSizeInKb is used to calculate the offset of Metadata (the offset is from fourGigabytes).
But you're right. PcdOvmfImageSizeInKb is not needed. The offset should be from the TDX Metadata offset block in the GUIDed chain.
The TDX-QEMU team is aware of the limitation that OVMF_CODE.fd & OVMF_VARS.fd should be supported too, otherwise Secure Boot does not work with libvirt. They are working on this limitation.

I will remove PcdOvmfImageSizeInKb and update the Metadata offset like below:
tdxMetadataOffsetStart:
    DD      tdxMetadataOffsetStart - TdxMetadataGuid - 16   ; 4-byte data field: the metadata offset
    DW      tdxMetadataOffsetEnd - tdxMetadataOffsetStart   ; entry length, data through GUID (22 bytes)
    DB      0x35, 0x65, 0x7a, 0xe4, 0x4a, 0x98, 0x98, 0x47  ; GUID e47a6535-984a-4798-865e-4685a7bf8ec2,
    DB      0x86, 0x5e, 0x46, 0x85, 0xa7, 0xbf, 0x8e, 0xc2  ; stored in little-endian (UEFI) byte order
tdxMetadataOffsetEnd:

Thanks!
Min
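As an added example (not code from this patch, from OVMF or from QEMU), a Python walker for the GUIDed table that the block above is appended to: it checks the table footer GUID near the end of the image, steps back entry by entry using each entry's length field, and pulls out the 4-byte value stored under the TDX metadata offset GUID. The layout constants follow ResetVectorVtf0.asm; the image it parses is a constructed miniature (and SAMPLE_OTHER_GUID a made-up GUID), not a real OVMF.fd.

```python
import struct
import uuid

# Layout from OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm: the footer GUID
# sits 0x30 bytes before the end of the image, preceded by a 2-byte length of
# the whole table; each entry is data + 2-byte length + 16-byte GUID.
FOOTER_GUID = uuid.UUID("96b582de-1fb2-45f7-baea-a366c55a082d")
TDX_METADATA_OFFSET_GUID = uuid.UUID("e47a6535-984a-4798-865e-4685a7bf8ec2")
SAMPLE_OTHER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed
FOOTER_GUID_FROM_END = 0x30
HDR = 2 + 16  # entry length field plus GUID

def parse_ovmf_table(flash: bytes) -> dict:
    """Walk the table backwards from the footer; return {guid: data}."""
    end = len(flash) - FOOTER_GUID_FROM_END + 16   # guidedStructureEnd
    if uuid.UUID(bytes_le=flash[end - 16:end]) != FOOTER_GUID:
        raise ValueError("OVMF table footer GUID not found")
    (table_len,) = struct.unpack_from("<H", flash, end - HDR)
    start = end - table_len                        # guidedStructureStart
    if table_len < HDR or start < 0:
        raise ValueError("bad table length")
    entries, pos = {}, end - HDR                   # skip the footer itself
    while pos > start:
        if pos - HDR < start:
            raise ValueError("truncated entry")
        guid = uuid.UUID(bytes_le=flash[pos - 16:pos])
        (entry_len,) = struct.unpack_from("<H", flash, pos - HDR)
        if entry_len < HDR or pos - entry_len < start:
            raise ValueError("bad entry length for %s" % guid)
        entries[guid] = flash[pos - entry_len:pos - HDR]
        pos -= entry_len
    return entries

def find_tdx_metadata_offset(flash: bytes) -> int:
    """Return the 4-byte value the DD line above stores (the metadata offset)."""
    data = parse_ovmf_table(flash).get(TDX_METADATA_OFFSET_GUID)
    if data is None or len(data) != 4:
        raise ValueError("TDX metadata offset entry missing or wrong size")
    return struct.unpack("<I", data)[0]

def build_sample_flash(entries, size: int = 0x1000) -> bytes:
    """Constructed miniature image (not a real OVMF.fd): a GUIDed table from
    (guid, data) pairs, with the footer placed where the loader expects it."""
    table = b"".join(d + struct.pack("<H", len(d) + HDR) + g.bytes_le
                     for g, d in entries)
    table += struct.pack("<H", len(table) + HDR) + FOOTER_GUID.bytes_le
    body = table + b"\x00" * (FOOTER_GUID_FROM_END - 16)  # bytes after the table
    return b"\xff" * (size - len(body)) + body
```

A real image is read the same way, by passing the whole .fd file contents to find_tdx_metadata_offset; a corrupted footer or length field is rejected rather than walked.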
