From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web12.29668.1618216523660250048 for ; Mon, 12 Apr 2021 01:35:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=jRl+LJs8; spf=pass (domain: redhat.com, ip: 170.10.133.124, mailfrom: dgilbert@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1618216522; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/3cQnp9yVbfXff06mjmQJai2uzUoTOuddvhRdL8fWUI=; b=jRl+LJs8/m6xzCjjYjUOyv2hHrwLmExKOvTTvdMYLVl6KqbmaSGdNXo87VdqVGxHw5SuU4 mxE5X0kOc1U5aRZQbf+YJmnfkkEauhJRBizaFIbjb06HXGgPRiaxDfKA2skTuF8wxUxoBy RT12pNENNqpewgdv/9fX1zpbRIzy004= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-372-LPwGabj9P_mX6yW35MG_hA-1; Mon, 12 Apr 2021 04:35:20 -0400 X-MC-Unique: LPwGabj9P_mX6yW35MG_hA-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id AAB6910054F6; Mon, 12 Apr 2021 08:35:18 +0000 (UTC) Received: from work-vm (ovpn-115-48.ams2.redhat.com [10.36.115.48]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4B175190D0; Mon, 12 Apr 2021 08:35:13 +0000 (UTC) Date: Mon, 12 Apr 2021 09:35:10 +0100 From: "Dr. David Alan Gilbert" To: Laszlo Ersek Cc: "Yao, Jiewen" , "Xu, Min M" , "devel@edk2.groups.io" , "thomas.lendacky@amd.com" , "jejb@linux.ibm.com" , Brijesh Singh , "Justen, Jordan L" , Ard Biesheuvel , Paolo Bonzini , Nathaniel McCallum Subject: Re: separate OVMF binary for TDX? [was: OvmfPkg: Reserve the Secrets and Cpuid page for the SEV-SNP guest] Message-ID: References: <719a63e555376ca65a7bbe0c7e23c20b6b631cd3.camel@linux.ibm.com> <9aa00ba0-def0-9a4e-1578-0b55b8047ebd@redhat.com> <2ff2c569-1032-3e5f-132a-159c47c9f067@amd.com> <18180548-016d-4e37-68fd-050dfc3b4e77@redhat.com> <5183d5fd-9bba-6f0a-52e0-a3e27a6784de@redhat.com> MIME-Version: 1.0 In-Reply-To: <5183d5fd-9bba-6f0a-52e0-a3e27a6784de@redhat.com> User-Agent: Mutt/2.0.6 (2021-03-06) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dgilbert@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=us-ascii Content-Disposition: inline * Laszlo Ersek (lersek@redhat.com) wrote: > On 04/09/21 15:44, Yao, Jiewen wrote: > > Hi Laszlo > > Thanks. > > > > We did provide a separate binary in the beginning - see https://github.com/tianocore/edk2-staging/tree/TDVF, with same goal - easy to maintain and develop. A clean solution, definitely. > > > > However, we got requirement to deliver one binary solution together with 1) normal OVMF, 2) AMD-SEV, 3) Intel-TDX. > > Now, we are struggling to merge them...... > > > > For DXE, we hope to isolate TDX driver whenever it is possible. > > But we only have one reset vector here. Sigh... > > Can we please pry a little bit at that "one binary" requirement? > > Ultimately the "guest bundle" is going to be composed by much > higher-level code, I expect (such as some userspace code, written in > python or similar); selecting a firmware binary in such an environment > is surely easier than handling this "polymorphism" in the most > restrictive software environment imaginable (reset vector assembly code > in the guest)? I think also there's a security argument here; some people like to measure security in kloc's; so having your secure boot image as small as possible for the environment you're actually running does make some sense, which favours the 2 image idea. Dave > Thanks > Laszlo -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK