From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.groups.io with SMTP id smtpd.web09.39898.1605553894463351775 for ; Mon, 16 Nov 2020 11:11:34 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=WJsFPxrk; spf=pass (domain: redhat.com, ip: 216.205.24.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1605553893; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aNegg35NHZSGPZ/BiduC8ZiKw3MipGrVbCKFW/IlER0=; b=WJsFPxrkbzAX+hRs5PDJAq1VY8I8QiXm7DaM3phnEICZpVoHpYxEHW5gloxgwYLH5KC+RA /xzyxc4WXoxDktk+Nlz80Gf/LVeVBIOmqkx6jE3D/irbIrFpqE2aHR4VfKsKqUkFY6gN9C KXnul3WXJhmwpLbsp03NmHkrJJ2TT3w= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-363-xCsiaq0_PZGADzJ5JUQezg-1; Mon, 16 Nov 2020 14:11:31 -0500 X-MC-Unique: xCsiaq0_PZGADzJ5JUQezg-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id D85B48015AA; Mon, 16 Nov 2020 19:11:29 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-112-190.ams2.redhat.com [10.36.112.190]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8201C60C04; Mon, 16 Nov 2020 19:11:26 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH 1/4] OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF To: devel@edk2.groups.io, jejb@linux.ibm.com Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert" References: <20201112001316.11341-1-jejb@linux.ibm.com> <20201112001316.11341-2-jejb@linux.ibm.com> From: "Laszlo Ersek" Message-ID: Date: Mon, 16 Nov 2020 20:11:25 +0100 MIME-Version: 1.0 In-Reply-To: <20201112001316.11341-2-jejb@linux.ibm.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 11/12/20 01:13, James Bottomley wrote: > This commit represents the file copied from OvmfPkgX64 with minor > changes to change the build name. > > This package will form the basis for adding Sev specific features. > Since everything must go into a single rom file for attestation, the > separated build of code and variables is eliminated. > > Signed-off-by: James Bottomley > --- > OvmfPkg/AmdSev/AmdSevX64.dsc | 1024 ++++++++++++++++++++++++++++++++++ > OvmfPkg/AmdSev/AmdSevX64.fdf | 506 +++++++++++++++++ > 2 files changed, 1530 insertions(+) > create mode 100644 OvmfPkg/AmdSev/AmdSevX64.dsc > create mode 100644 OvmfPkg/AmdSev/AmdSevX64.fdf > > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc > new file mode 100644 > index 0000000000..d1dfb8742f > --- /dev/null > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > @@ -0,0 +1,1024 @@ > +## @file > +# EFI/Framework Open Virtual Machine Firmware (OVMF) platform for SEV (1) I suggest / request that we put "remote attestation" somewhere in the above file-top comment. > +# > +# Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.
> +# (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## (2) In every new file created in this series, please prepend an IBM Copyright Notice, to the original (C) notices (if any). > + > +################################################################################ > +# > +# Defines Section - statements that will be processed to create a Makefile. > +# > +################################################################################ > +[Defines] > + PLATFORM_NAME = Ovmf > + PLATFORM_GUID = 5a9e7754-d81b-49ea-85ad-69eaa7b1539b (3) Please generate a new PLATFORM_GUID for this new platform with "uuidgen". > + PLATFORM_VERSION = 0.1 > + DSC_SPECIFICATION = 0x00010005 > + OUTPUT_DIRECTORY = Build/AmdSev > + SUPPORTED_ARCHITECTURES = X64 > + BUILD_TARGETS = NOOPT|DEBUG|RELEASE > + SKUID_IDENTIFIER = DEFAULT > + FLASH_DEFINITION = OvmfPkg/AmdSev/AmdSevX64.fdf > + > + # > + # Defines for default states. These can be changed on the command line. > + # -D FLAG=VALUE > + # > + DEFINE SECURE_BOOT_ENABLE = FALSE > + DEFINE SMM_REQUIRE = FALSE (4) SEV-ES doesn't support (to my knowledge) SMM, so we should strip everything dependent on SMM_REQUIRE being TRUE (DSC and FDF files both). (5) Given that SMM cannot protect Secure Boot, SECURE_BOOT_ENABLE too should be assumed FALSE, and stuff dependent on SECURE_BOOT_ENABLE being TRUE should be stripped. > + DEFINE SOURCE_DEBUG_ENABLE = FALSE > + DEFINE TPM_ENABLE = FALSE > + DEFINE TPM_CONFIG_ENABLE = FALSE > + > + # > + # Network definition > + # > + DEFINE NETWORK_TLS_ENABLE = FALSE > + DEFINE NETWORK_IP6_ENABLE = FALSE > + DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE > + DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE (6) My understanding is that netboot with this platform is never desired. If that's the case, then please remove: - all the NETWORK_* flags, - the dependent DSC/FDF snippets, - the gEfiNetworkPkgTokenSpaceGuid.* PCD defaults, - and (in particular) all !include directives that refer to NetworkPkg/* My goal with the above trimming is two-fold: - avoid an implication for platform builders that they can meaningfully tweak the -D flags for this platform, - cut down on the size of the new DSC/FDF files (given that the above fruits seem to hang low). Thanks Laszlo