From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web12.6567.1637762840935194105 for ; Wed, 24 Nov 2021 06:07:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=VfM9JeEI; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: jejb@linux.ibm.com) Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1AOCN2pu007058; Wed, 24 Nov 2021 14:07:17 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject : from : reply-to : to : cc : date : in-reply-to : references : content-type : mime-version : content-transfer-encoding; s=pp1; bh=GhOKpQ4HfILDhUzZpHpqxZAI0mWNVzI8Ri1AEHfdJoE=; b=VfM9JeEITLTKfHO0mLn+SqlCfx5EGRREY0UcBCbn30VBxDpLwMmYkbqZ9ufiJkYD90vm dPM5/iFCIv5YJZt/k1GzBp0u5gH4vz/lUl2GtQ9IoRAYWm3BfzsuidhWTmFTL7CJTmy1 cxdrSfAxgJr7X1itNylPYZiE4alOxYmVTC4NYhpijgly6UKabse9YnpPL9hXUXcQ7vPg bIVWMbwWoSAgMZ8aHqCssY0uv8SUTxdvswJ254wa3Z4F0GOFoOfLm/kjHC+iQ+fifWTu cqepCf63/cXqXgBgDxcIlSXv7FKz6RbTYPgzY2A8HT8KnJlemxnBap3qhOzwr9HR8gZ/ Ag== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 3chnbej8pt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 24 Nov 2021 14:07:17 +0000 Received: from m0098419.ppops.net (m0098419.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 1AOE6xvR027673; Wed, 24 Nov 2021 14:07:17 GMT Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186]) by mx0b-001b2d01.pphosted.com with ESMTP id 3chnbej8pc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 24 Nov 2021 14:07:17 +0000 Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1]) by ppma03wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 1AODvB2j031619; Wed, 24 Nov 2021 14:07:16 GMT Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18]) by ppma03wdc.us.ibm.com with ESMTP id 3cernbac7x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 24 Nov 2021 14:07:16 +0000 Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 1AOE7FHo44827128 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 24 Nov 2021 14:07:15 GMT Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 41DC07805F; Wed, 24 Nov 2021 14:07:15 +0000 (GMT) Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E35997805E; Wed, 24 Nov 2021 14:07:13 +0000 (GMT) Received: from jarvis.int.hansenpartnership.com (unknown [9.163.26.160]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP; Wed, 24 Nov 2021 14:07:13 +0000 (GMT) Message-ID: Subject: Re: [edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx From: "James Bottomley" Reply-To: jejb@linux.ibm.com To: "Yao, Jiewen" , "devel@edk2.groups.io" , Gerd Hoffmann Cc: "Xu, Min M" , Ard Biesheuvel , "Justen, Jordan L" , Brijesh Singh , Erdem Aktas , Tom Lendacky Date: Wed, 24 Nov 2021 09:07:12 -0500 In-Reply-To: References: <20211119151130.g2wcnuhivt3lxvzi@sirius.home.kraxel.org> <20211123123821.q4fanslttg72n2r3@sirius.home.kraxel.org> <1D6AF5B4-87BD-4773-A5C7-4779016A0673@intel.com> <1DF0C062-BF78-44E2-BE96-2C8727C36845@intel.com> <5ec6897681e46fe181193651164f0f17d5d1205d.camel@linux.ibm.com> <20211124081204.ortxlgwgp2c5dlhw@sirius.home.kraxel.org> <5d39c546fe66fc945e9687f187ed9892b6a6a00c.camel@linux.ibm.com> User-Agent: Evolution 3.34.4 MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: w0bRR8lqNrkuiCNfJO_HvrS5w4lYSIpT X-Proofpoint-ORIG-GUID: j_g-FSv_OlpiNGPNtw8d8tu1Q0rTYdp8 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-24_04,2021-11-24_01,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 phishscore=0 mlxlogscore=993 mlxscore=0 malwarescore=0 lowpriorityscore=0 priorityscore=1501 bulkscore=0 impostorscore=0 clxscore=1015 spamscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111240079 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit On Wed, 2021-11-24 at 14:03 +0000, Yao, Jiewen wrote: > James > I am sorry that it is hard for me to understand your point. > > To be honest, I am not sure what is objective on the discussion. > Are you question the general threat model analysis on UEFI PI > architecture? The object is for me to understand why you think eliminating PEI improves security because I think it moves it in the opposite direction. > Or are you trying to persuade me we should include PEI in TDVF, > because you think it is safer to add code in PEI ? > Or something else? > > Please enlighten me that. Somewhere a decision was taken to remove PEI from the OVMF that is used to bring up TDX on the grounds of "improving security". I'm struggling to understand the rationale for this. James