Subject: Re: [edk2-devel] [PATCH v4 00/11] Measured SEV boot with kernel/initrd/cmdline
From: "James Bottomley"
Reply-To: jejb@linux.ibm.com
To: devel@edk2.groups.io, dovmurik@linux.ibm.com, "Yao, Jiewen"
Cc: Tobin Feldman-Fitzthum, Tobin Feldman-Fitzthum, Jim Cadden, Hubertus Franke, Ard Biesheuvel, "Justen, Jordan L", Ashish Kalra, Brijesh Singh, Erdem Aktas, "Xu, Min M", Tom Lendacky, Leif Lindholm, Sami Mujawar
Date: Sun, 25 Jul 2021 14:10:08 -0700
In-Reply-To: <711c0ad9-9ebe-0eaa-e04b-28e7e7f69ef4@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com> <711c0ad9-9ebe-0eaa-e04b-28e7e7f69ef4@linux.ibm.com>

On Sun, 2021-07-25 at 10:52 +0300, Dov Murik wrote:
> And I do have one question:
> > May I know what is criteria to put a SEV module to OvmfPkg\AmdSev
> > or OvmfPkg directly?
> >
> > My original understanding is:
> > If a module is required by OvmfPkg{Ia32,Ia32X64,X64}.{dsc,fdf},
> > then it should be OvmfPkg.
> > If a module is only required by OvmfPkg\AmdSev\AmdSevX64.{dsc,fdf},
> > Then it should be in OvmfPkg\AmdSev.
> >
> > Am I right?
> >
>
> I actually don't know the criteria. What you say sounds reasonable.
> I'll also let James (who introduced the AmdSevX64 target) say what he
> thinks.

The original reason for the AmdSev package was actually for
attestation: The only way to get attested boot using a standard VM
image for SEV and SEV-ES was to pull grub inside the measurement
envelope and have a stripped down hard failing boot path, so if the key
didn't decode the encrypted boot volume for some reason, the whole
thing would fail without revealing the injected secret. This stripped
down hard failing boot path is much easier to construct as a separate
target.

Essentially that means that lots of SEV exists outside the AmdSev
directory and things should only be in it if they're either modified to
support the encrypted volume boot path or are only required by it.

However, this ran into problems when it was decided AmdSev shouldn't
have its own Library, so the modified boot path now lives in
OvmfPkg/Library/PlatformBootManagerLibGrub, so now it's unclear even to
me what the criteria are.

James