From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min Xu, Erdem Aktas, James Bottomley, Jiewen Yao, Gerd Hoffmann, Tom Lendacky
Subject: [PATCH 0/3] Enable Secure-Boot in Tdx guest
Date: Sat, 18 Jun 2022 10:32:00 +0800
X-Mailer: git-send-email 2.29.2.windows.2

Secure-Boot-related variables include the PK/KEK/DB/DBX, and they are stored in NvVarStore (OVMF_VARS.fd).
But the QEMU command option -pflash is not supported in a Tdx guest. So when a Tdx guest is booted, the EmuVariableFvbRuntimeDxe driver is loaded and the NvVarStore is initialized with empty content.

This patch-set is to initialize the NvVarStore with the content of the Configuration FV (CFV). Before the NvVarStore is initialized with the content of the CFV, the CFV's integrity should be validated. So patches #1/2 are imported to do such validation.

Code: https://github.com/mxu9/edk2/tree/secure-boot.v1

Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Tom Lendacky
Signed-off-by: Min Xu

*** BLURB HERE ***

Min M Xu (3):
  OvmfPkg: Move TdxValidateCfv from PeilessStartupLib to PlatformInitLib
  OvmfPkg: Validate Cfv integrity in Tdx guest
  OvmfPkg: Initialize NvVarStore with Configuration FV in Td guest

 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c       |  19 +++
 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf     |   2 +
 OvmfPkg/Include/Library/PlatformInitLib.h    |  17 ++
 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 153 ------------------
 .../PeilessStartupInternal.h                 |  17 --
 OvmfPkg/Library/PlatformInitLib/IntelTdx.c   | 153 ++++++++++++++++++
 OvmfPkg/Sec/SecMain.c                        |   8 +
 OvmfPkg/Sec/SecMain.inf                      |   2 +
 8 files changed, 201 insertions(+), 170 deletions(-)

-- 
2.29.2.windows.2
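The cover letter says the CFV must be validated before its contents seed the NvVarStore but does not describe what TdxValidateCfv checks. The following is an added illustration, not code from this patch-set or from OvmfPkg: it shows the kind of structural validation a firmware loader applies to an EFI_FIRMWARE_VOLUME_HEADER (signature, revision, declared lengths, block map, 16-bit header checksum) before trusting the volume. The packed header layout is assumed from the PI spec, and the sample volume is constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* EFI_FIRMWARE_VOLUME_HEADER (PI spec) as a packed struct; layout assumed here: one block-map entry plus the zero terminator. */
#define FVH_SIGNATURE 0x4856465FU   /* "_FVH" read as a little-endian UINT32 */
#pragma pack(push, 1)
typedef struct {
    uint8_t  zero_vector[16], filesystem_guid[16];
    uint64_t fv_length;
    uint32_t signature, attributes;
    uint16_t header_length, checksum, ext_header_offset;
    uint8_t  reserved, revision;
    struct { uint32_t num_blocks, length; } block_map[2];
} fv_header_t;
#pragma pack(pop)
/* Additive 16-bit checksum over the header; a well-formed header sums to zero. */
static uint16_t sum16(const uint8_t *p, size_t len) {
    uint16_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s = (uint16_t)(s + (p[i] | (p[i + 1] << 8)));
    return s;
}
/* Returns 1 only if buf starts with a structurally sound FV header whose declared
 * length and block map describe exactly the buf_len bytes the caller actually holds. */
int fv_header_is_valid(const uint8_t *buf, size_t buf_len) {
    fv_header_t h;
    if (buf == NULL || buf_len < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);             /* private copy: no unaligned reads, no re-reads of the source */
    if (h.signature != FVH_SIGNATURE || h.revision != 2) return 0;
    if ((size_t)h.header_length < sizeof h || h.header_length > buf_len || (h.header_length & 1)) return 0;
    if (h.fv_length != (uint64_t)buf_len) return 0;
    if (h.block_map[0].num_blocks == 0 || h.block_map[0].length == 0) return 0;
    if ((uint64_t)h.block_map[0].num_blocks * h.block_map[0].length != h.fv_length) return 0;
    if (h.block_map[1].num_blocks != 0 || h.block_map[1].length != 0) return 0;
    return sum16(buf, h.header_length) == 0;
}
/* Builds a constructed 16 KiB sample volume (not a real OVMF image), optionally flips
 * one byte at flip_offset (-1 = leave intact), and returns the validation verdict. */
int check_sample_cfv(int flip_offset) {
    static uint8_t img[0x4000]; fv_header_t h;
    memset(img, 0xFF, sizeof img); memset(&h, 0, sizeof h);
    h.fv_length = sizeof img; h.signature = FVH_SIGNATURE; h.attributes = 0x0004FEFF;
    h.header_length = sizeof h; h.revision = 2;
    h.block_map[0].num_blocks = 4; h.block_map[0].length = 0x1000;
    memcpy(img, &h, sizeof h);
    h.checksum = (uint16_t)(0u - sum16(img, sizeof h));   /* make the header words sum to zero */
    memcpy(img, &h, sizeof h);
    if (flip_offset >= 0 && (size_t)flip_offset < sizeof img) img[flip_offset] ^= 0x01;
    return fv_header_is_valid(img, sizeof img);
}
```

Note that the header checksum covers only the header: a flipped byte in the volume body (offset 100 in the sample) still validates, which is why a confidential guest additionally relies on the CFV being part of the measured firmware image rather than on this structural check alone.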