From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.8056.1638451376805059585 for ; Thu, 02 Dec 2021 05:22:57 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=XY+UqZ6I; spf=pass (domain: intel.com, ip: 192.55.52.136, mailfrom: jiewen.yao@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10185"; a="216722353" X-IronPort-AV: E=Sophos;i="5.87,282,1631602800"; d="scan'208";a="216722353" Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2021 05:22:55 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.87,282,1631602800"; d="scan'208";a="677662653" Received: from fmsmsx605.amr.corp.intel.com ([10.18.126.85]) by orsmga005.jf.intel.com with ESMTP; 02 Dec 2021 05:22:54 -0800 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx605.amr.corp.intel.com (10.18.126.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Thu, 2 Dec 2021 05:22:54 -0800 Received: from fmsmsx604.amr.corp.intel.com (10.18.126.84) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Thu, 2 Dec 2021 05:22:54 -0800 Received: from FMSEDG603.ED.cps.intel.com (10.1.192.133) by fmsmsx604.amr.corp.intel.com (10.18.126.84) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20 via Frontend Transport; Thu, 2 Dec 2021 05:22:54 -0800 Received: from NAM02-SN1-obe.outbound.protection.outlook.com (104.47.57.49) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.20; Thu, 2 Dec 2021 05:22:54 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DIpsAOgVEj3VhfggkxkLwgKLkZwHyOOCSBYAmAMdEIEVBQMcYjvT3p9/3zFKgK25RoWaEoAGRkbsOpRSgET3uLdirbdafz8ymNkZmsOZCTSqJxEoxKss1t11JAFQgieHgtD8rrIRQAQy9l5mBTgsjv0cYr76VMV29B2TBRwoCtIR9I8xdf7FxF/iG8jwSCUJrSNcmpMts3ScrsUGbtNi4KXLvphpgqsoeBjaulBlSzVENU6LtzU9ZSyDoAUNA2uvbXN6BKBm5XJH2TMakd3G11fLW60i2e6eYrKaXll75s2sYy8xGI1gLNDsNPDx0lVEH5Jt67ZWYcTI28j/kkSVjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NjY45NK81IGmxp/3PE6s9y6seEBG94zpcpo08puU6+M=; b=n42geR7U2jSLlp01yYZT3Nb4q0O3Sh4CleTMr/XfdJTZrB6a/uu1YpJtmtrV5Vms8v+I7NgODS8Zi61780b6RzATrPgA1FR9Xq3O/43O+PRA/ADbGf6kSAp/uV3x8auCcZfelSfAeTAZvCfyBuydJ3q96kohpC7epGxeqMe//8PQvBRm7DXB7mKy9L1zKeJaX42twhCCdVQ5MHxanaPdrvw2y1UHu/1MvTUk4QpHCQ+1lhx57+fSD2qRgOjRmHrDRJCvX0eYH+FZeiBSI3ko+4ZOH+CLP5m3FGBOARZBXKAhiQRO8+yVYMIn2FX+h2UeVgVztSgoTLTFlI9crJ733w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NjY45NK81IGmxp/3PE6s9y6seEBG94zpcpo08puU6+M=; b=XY+UqZ6IvZwSpEEqWVI6VO+BU8Nb9NSPPO1wrecRYBpXd2Hd+oAas42uRrIX80tMG7fA0DMzwhJHYbNw72SCCAkl+g3y2WPNiC6hmWVs+cViSkmJ2M9bUXZppG1qlwWCthJARvypPAy1Bk0Q2D36X/GFnetX2tTfOSqPp20h6O4= Received: from PH0PR11MB5879.namprd11.prod.outlook.com (2603:10b6:510:142::5) by PH0PR11MB4903.namprd11.prod.outlook.com (2603:10b6:510:36::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.14; Thu, 2 Dec 2021 13:22:52 +0000 Received: from PH0PR11MB5879.namprd11.prod.outlook.com ([fe80::54ec:aecc:2cab:3127]) by PH0PR11MB5879.namprd11.prod.outlook.com ([fe80::54ec:aecc:2cab:3127%9]) with mapi id 15.20.4690.026; Thu, 2 Dec 2021 13:22:52 +0000 From: "Yao, Jiewen" To: "kraxel@redhat.com" CC: "devel@edk2.groups.io" , "jejb@linux.ibm.com" , "Xu, Min M" , Ard Biesheuvel , "Justen, Jordan L" , Brijesh Singh , Erdem Aktas , Tom Lendacky Subject: Re: [edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx Thread-Topic: [edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx Thread-Index: AQHX2uMZH+dNhguCw0OBghbxJplRDawH11AAgAEwN+CAAfIoAIAAvv7AgAVfi4CAAAXBAIAAGIUAgAAC0naAAAQtAIAABTlIgAAHrQCAAKQIkIAAcbwAgAArxNCAAC6GgIAABxjAgAAB1wCAAABGQIABNH6AgAESSSCACLXkAIABflnw Date: Thu, 2 Dec 2021 13:22:52 +0000 Message-ID: References: <5ec6897681e46fe181193651164f0f17d5d1205d.camel@linux.ibm.com> <20211124081204.ortxlgwgp2c5dlhw@sirius.home.kraxel.org> <5d39c546fe66fc945e9687f187ed9892b6a6a00c.camel@linux.ibm.com> <20211125083219.uiqbg7fsoervmdkq@sirius.home.kraxel.org> <20211201135506.bwxpo5h4fr5lcbni@sirius.home.kraxel.org> In-Reply-To: <20211201135506.bwxpo5h4fr5lcbni@sirius.home.kraxel.org> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.6.200.16 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: fd8167ce-7982-42f9-18fe-08d9b596d832 x-ms-traffictypediagnostic: PH0PR11MB4903: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:7691; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: QRmoY88kK9Dla9nuUWMgnZHaiBWmGghjbiGQBsobRVdSVB1YhGV4Gh3acq5AVIPZa44YwXJoI2P7sYmqdQUrHLCMe7AbWgFsdK5cnrL6D/ORN2UyAWVlj/wXnHvXacFueV8W8xM/cMI5e7V4zKZiRXzTMB3YBfloEWLaF0gvjeMJhXjXniZJl1gl0wgP2KfbdErme03oQP3Xzh7Wg9XGnpL9CHHy3IZKHjoiv5JTGIkleBAjgIImyZEb3Y1KI9jRi3A4TkaZE5qvzOTjKVRwhzjPiEuz9Mytc9ozo8+sRyhzYaN3X0RZnSjvXtcd7S+xjVVjbHRHOE9cKNeSSciTZfQXYZx6qQCaaaVy6D+fx5qrFkYfkjC+ENOh1rSrEz/qKpoFYLTD7LaUr/jFxM/zezYYmcOe/PmpCREgcKDoWT8g4Wpz5n63lXBX75Kzbw8hBal/Ypx3F4jsnq/VZb0z53CM/0h1l2phtpaY2gkuU0YdOctJ6/bHDFNsXnK1xrhH67kx6gR2/fjz4dq7R9HsKw4q1j20+TIQSKh2Z/gSvCWKFdi7S1bkQeHG9GKuF03Rvyd/UVcjRrCCrAdol49Mdz7vA1BAVEzRNsdLAxttUwJvbJZNkAGyd5ykY8vQ92pXZ6EDTKV9K7mNeJ3bFTOzjtLVRHsIS0F3yxltFRgLsohEcizmCMWnbZ6jnpnb9cZZK08CnWrNfdqjm9LycE3n14+QeYRqGarX9DP4bTjKrAIs3r6ExxytOOSZtlSN7qHz3apUqyJyE1+sROy7cGaK5cshdNpg4FfdDJ2LShhl9fskSr2PbMiO8D35Pai4EP4tmndLEiLjyTN1Q266z/Fu3w== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB5879.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(38100700002)(4326008)(33656002)(83380400001)(2906002)(15650500001)(122000001)(54906003)(82960400001)(316002)(55016003)(5660300002)(66446008)(6916009)(186003)(6506007)(53546011)(71200400001)(86362001)(64756008)(66946007)(66556008)(66476007)(9686003)(76116006)(52536014)(38070700005)(26005)(7696005)(8936002)(8676002)(508600001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?Bosxx5mF2grehYL9znGwYqk9oBQT2mu5+PH9ArteEzw69Cy3VrlWppafwjTQ?= =?us-ascii?Q?YEQWkn/nj9+NcOcsl4wo/I0wc6646TWoiosy+DzigK4+W7yu94Z6EFtBqD4E?= =?us-ascii?Q?W2TpkjYLy1+AQ+Ds3fOvl8GSIExHHkanQYJxAhSbH2QbpzKgAAwaP7/MHUJk?= =?us-ascii?Q?KLIq2Y4CN75vDkhGgm33wtmjGx6XYJiV0n/8WyVIszj4XdfkKR82DPvPjIZF?= =?us-ascii?Q?k89gUghDWp4+YSDIG8g0RNaEIuXvNEOxPtltjlIa3MDU/+tuvtY0b7zmIM5Z?= =?us-ascii?Q?E2Sw+NDFC6+X1OP+P8meZXKDIMibv6bpppcma58LtNVZNGu9V0sg9Gu9sp+E?= =?us-ascii?Q?uDEm1Cd6t4uPxLZN21VpcLf9PebAP3+qyoot9guOtAzvhJWC+p6lwaeixzR/?= =?us-ascii?Q?3NXtOATP43o3X/thNPssjf+QnFzjkMGF3n+xFreAhE3gC91MjfwprmD2PlXi?= =?us-ascii?Q?hkszESZAdYfy18jfeU07bJZYvGX8OA9a/njYVhagZ4B9stlP2DPY6vz1pSqN?= =?us-ascii?Q?WLRIttPqFrB7i903qhVG65DhBUuEndcBrLsHs6uepDN/VzEh1knv6+eCJ0ol?= =?us-ascii?Q?uTPc94lS/h4Lpyq2/CViXk/JTgmyNBf1cMmobdMVb+8XmmDqzasBTXs1kbcU?= =?us-ascii?Q?QIcMTQoIgNvQBMG9kDVrMsP6AnUKiYpK4bx8qZHelsGuKB1ySqOVLeQ1p2Bp?= =?us-ascii?Q?cyhVeHlhQEpuZWnOq34AIDhanL3mtZF+9KJc0jxs5VPKTxES9X8o8GW4J1i/?= =?us-ascii?Q?/C29m0ZsfyWn5eKTD1e9K8Xgu9M5dP7aJS3q0NCp9WXBiLPgaTds0Po34nwz?= =?us-ascii?Q?/Yy7Tyb0jdu9obtYtvAkHJvkr6zeNZj+RIfNhV7cuZCKXW3DSOOPFBzOjQ5E?= =?us-ascii?Q?GPvfOj8bHES09fTA7xO+Zmpl6HM8i8Clbbx29jQOt/gOueAkC1VF6AD0N6JT?= =?us-ascii?Q?W0Lq6jMxcBZaIAoTBmpZ+OmZU2BbfvMDjUzjcgEMqL7+2IDy39P9lHhM4aFb?= =?us-ascii?Q?mfxgwhUZ7ddGQEGaOTCiXXvEyAAdNCtJQ86IAiByqxVAUsoShyMo7CmSYCld?= =?us-ascii?Q?hDTGaUXajzeY+/1Zp2EJFxm0wgx8OJIs6sWkSTEvmBGD/9r+cgfkkSSc0M9T?= =?us-ascii?Q?WN0UwapzQZcgPrBFkfcpRqgTLfiDXi87uEg8kDldWqllDryKy5Swxp4+IJ1x?= =?us-ascii?Q?wbbBJgeIB8LHZectmhHc688c42kscIQK4aOWLcjShadrML8SLXZkeFDK0R4g?= =?us-ascii?Q?B4YC3ydKA2GVNcGMwOmXegZmnZH9Mi39oqYcHC1C74L6OjXsMq1tnYhQ7Jqo?= =?us-ascii?Q?fH6b6BPL0Ly0vyh1OhfWmdwygYYbekBBZZj4bGWcf1vT7Rhmt9kRLOBtAVP+?= =?us-ascii?Q?s8uOkBBcJT9yuS6/JOmbhZuxgcAQJDfXZGqU6IGIEEbCmeUSjsUTqJ0cABLR?= =?us-ascii?Q?uKqlV7rZlCxr5RO4HN7k4G0KtPg73sTOnYzb4Ze2AuEi4k60L5f/KxkQfJN4?= =?us-ascii?Q?WK6a5lulWavF+OT/qRT9Ddby5uhYkpjrb0NoHwc0eRdrhdKMcNFpQ+USRrwO?= =?us-ascii?Q?xRYrbvXso8wWzi+n0lsLcrWtl9QieNhdgIYF9Y2vAKzi2ifkasYGhK59jceW?= =?us-ascii?Q?dqy/kX3PwQLhcwM7NNp6BCk=3D?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB5879.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: fd8167ce-7982-42f9-18fe-08d9b596d832 X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2021 13:22:52.5484 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: w7cRMSWNo0Mb4CQsbaeDPjzOusVYnT+qVhfNw52dpr6Lk599CCT3AzeXlcPPSfGD0mPC5vodJMhgDUf4nm7kWQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4903 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable > -----Original Message----- > From: kraxel@redhat.com > Sent: Wednesday, December 1, 2021 9:55 PM > To: Yao, Jiewen > Cc: devel@edk2.groups.io; jejb@linux.ibm.com; Xu, Min M > ; Ard Biesheuvel ; Justen, > Jordan L ; Brijesh Singh ; > Erdem Aktas ; Tom Lendacky > > Subject: Re: [edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm = to > support Tdx >=20 > Hi, >=20 > > Please refer to PI specification 1.7A > (https://uefi.org/sites/default/files/resources/PI_Spec_1_7_A_final_May1.= pdf) > > Section 2.1 - Introduction. >=20 > > "Philosophically, the PEI phase is intended to be the thinnest amount > > of code to achieve the ends listed above. As such, any more > > sophisticated algorithms or processing should be deferred to the DXE > > phase of execution." >=20 > Well, that might have been the original intention. Reality is that a > bunch of security-related stuff ended up in PEI too. Support for TPM, > SMM, suspend. And I think the motivation for that is exactly what James > described: Given that most communication with external entities happens > in the DXE phase it is much harder to trick PEI code because there are > simply less attack vectors available. [Jiewen] Again, I feel lost. Would you please clarify what is your purpose for this discussion? Yes, Security related stuff in PEI, that is not a problem. For example, we = moved flash lock from DXE to PEI. (I already describe that in my previous e= mail.) The key is *privilege*. If you don't need PEI privilege, you don't need mov= e to PEI. 1) For "TPM" feature. In history, the Root-of-trust for measurement (RTM) b= elongs to Recovery TR. That is why it is in PEI naturally. 2) "SMM" support is in DXE today. What do you mean SMM support in PEI ? 3) "Suspend" is S3 *feature*, it is clearly documented in PI spec. In S3, D= XE does not run. You have to put Suspend code in PEI. Yes, you give some examples. But I don't see how the examples support your statement on "exposure". IMHO, they are totally unrelated. > > I am not convinced that "exposure (external interface)" is a good > > reason to decide where the module should be. Thinking of this, if you > > prefer to put a module to the PEI because PEI has *less* exposure, > > then PEI will have *more* exposure after that. If you move half of > > DXE features to PEI, then PEI has same exposure as DXE. What benefit > > we can get? >=20 > Why is TPM and SMM and suspend support in PEI not DXE today? [Jiewen] See above. >=20 > > > Moving code to SEC has its problems too. SEC is a much more restrict= ed > > > environment. A direct consequence is that you have re-invented > > > multiprocessor job scheduling (using tdx mailbox) instead of using > > > standard mp service for parallel accept. I do not account that as > > > "reducing complexity". > > > > [Jiewen] OK. Let me explain multiprocessor related topic. > > > > I don't think we intent to "reduce" complexity in this area. I would > > say, it is same with or without PEI. > > > > TDX (also SEV) has special requirement to *accept* memory, before use > > it. The accepting is time consuming process. So the motivation is to > > use multiprocessor to accelerate the process. > > > > We have at least three architecture places to accept the memory - SEC, > > PEI and DXE. >=20 > Well, I want focus on how all this will look like long-term, i.e. once > we have lazy accept implemented. I don't think it makes sense to put > much effort into optimizing a workflow which will only be temporary > anyway. [Jiewen] This is the long-term solution. Lazy accept and MP accept are two required feature. "Lazy accept" just mean you can do things later, but you still need do it. "MP accept" means you can do things much quicker. I don't think we can remove MP accept just because we have lazy accept. > The lazy accept concept pretty much implies that the vast majority of > memory will either be accepted in the DXE phase, or will not be accepted > by the firmware at all and the linux kernel will handle that instead. >=20 > I expect in the future SEC and/or PEI will accept barely enough memory > that the firmware is able to enter the DXE phase and initialize core > memory management. Then lazy accept takes over. [Jiewen] the "barely enough memory" is 64M and it takes long time to accept= if you don't use MP. That is how SEC/PEI/DXE designed today. > > A) Accept in SEC > > We need write multiprocessor code in SEC. This is already mandatory, > > even without accepting memory. The TDX architecture already changes > > the reset vector flow - ALL processors jumps to the reset vector at > > same time. Having multiprocessor code in SEC is unavoidable. We have > > to do it, to rendez-vous APs and initialize mailbox. >=20 > Sure. >=20 > > The code is written because of TDX architecture change, not because > > memory accepting. So I won't treat it as a burden to add additional > > feature to memory accept in SEC. >=20 > That is the point where you start re-inventing the wheel though. > You add logic to distribute memory acceptance jobs to the APs. > I'd suggest to add full MP service support to TDX (probably also using > the mailbox), then use MP service to distribute memory acceptance jobs > to the APs. I think you will need that anyway for lazy accept, to do > parallel accept in DXE phase. [Jiewen] I think I have stated it clearly that this is due to TDX architect= ure, we have to rendezvous all APs in SEC. So the MP code SEC is unavoidable. We have to reinvent the wheel in some wa= y. >=20 > > B) Accept in PEI > > PEI has MP_PPI, that is TRUE. But the problem is: MP_PPI starts *later*= . > > MP_PPI starts *after* the memory discovery > (https://github.com/tianocore/edk2/blob/master/UefiCpuPkg/CpuMpPei/CpuM > pPei.c#L706), which mean the process will be: > > Step 1: TdxPeim accepts PEI required memory without MP_PPI > > Step 2: PlatformPei installs PEI required memory. > > Step 3: MP_PPI starts. > > Step 4: TdxPeim accepts additional memory with MP_PPI >=20 > Yes. Or just don't initialize MP in PEI and do that in DXE only. > Lazy accept will need that anyway. >=20 > > Now, you can see the benefit to accept PEI memory is not there. > > NOTE: PEI memory is ~64M if GPAW is 48, it is ~98M if GPAW is 52, which= is a > big number. >=20 > What is all this memory needed for? [Jiewen] These are initial memory for PEI Core and DXE Core to initialize t= he content. If you don't have initial memory, the core will fail. > Why do you need 32M additional memory for 5-level paging? > Is that page table memory? If so, how does lazy accept change the > picture? >=20 > > As such, we conclude that doing memory accept in SEC is the best > > choice for TDX architecture. >=20 > Not convinced this is still the case with lazy accept on the horizon. [Jiewen] I think MP accept is irrelevant to lazy accept, as I explained bef= ore. Having "lazy accept" !=3D you can drop "MP accept" in SEC, because SEC is t= o "accept initial memory" before you can do lazy. >=20 > > For config-B, Min is working on it and doing clean up. > > You are welcome to provide feedback after we send out patch for config-= B. >=20 > Will do for sure. >=20 > take care, > Gerd