[edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

Min Xu min.m.xu at intel.com
Tue Dec 14 13:41:24 UTC 2021


RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Tdvf Config-B skips the PEI phase to reduce the attack surface. So instead of
jumping to SecStartupPhase2 (), TdxStartup () is called. This function
brings up the Tdx guest from the SEC phase to the DXE phase.

Cc: Michael D Kinney <michael.d.kinney at intel.com>
Cc: Brijesh Singh <brijesh.singh at amd.com>
Cc: Erdem Aktas <erdemaktas at google.com>
Cc: James Bottomley <jejb at linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Tom Lendacky <thomas.lendacky at amd.com>
Cc: Gerd Hoffmann <kraxel at redhat.com>
Signed-off-by: Min Xu <min.m.xu at intel.com>
---
 OvmfPkg/Sec/IntelTdx.c  |  7 ++++++-
 OvmfPkg/Sec/SecMain.c   | 17 +++++++++++++++++
 OvmfPkg/Sec/SecMain.inf |  2 ++
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/Sec/IntelTdx.c b/OvmfPkg/Sec/IntelTdx.c
index d1d952e8d433..f9d44617b211 100644
--- a/OvmfPkg/Sec/IntelTdx.c
+++ b/OvmfPkg/Sec/IntelTdx.c
@@ -12,7 +12,7 @@
 #include <Uefi/UefiBaseType.h>
 #include <Library/BaseLib.h>
 #include <Library/DebugLib.h>
-#include <Library/HobLib.h>
+#include <Library/PrePiLib.h>
 #include <Library/BaseMemoryLib.h>
 #include <IndustryStandard/UefiTcgPlatform.h>
 #include <Library/MemoryAllocationLib.h>
@@ -25,6 +25,11 @@
 
 #define ALIGNED_2MB_MASK  0x1fffff
 
+#define GET_HOB_TYPE(Hob)     ((Hob).Header->HobType)
+#define GET_HOB_LENGTH(Hob)   ((Hob).Header->HobLength)
+#define GET_NEXT_HOB(Hob)     ((Hob).Raw + GET_HOB_LENGTH (Hob))
+#define END_OF_HOB_LIST(Hob)  (GET_HOB_TYPE (Hob) == EFI_HOB_TYPE_END_OF_HOB_LIST)
+
 /**
   Check TDX is enabled.
 
diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
index e2f3ede93901..c5dd066941fe 100644
--- a/OvmfPkg/Sec/SecMain.c
+++ b/OvmfPkg/Sec/SecMain.c
@@ -33,6 +33,10 @@
 #include "IntelTdx.h"
 #include "AmdSev.h"
 
+#ifdef INTEL_TDX_FULL_FEATURE
+  #include <Library/TdxStartupLib.h>
+#endif
+
 #define SEC_IDT_ENTRY_COUNT  34
 
 typedef struct _SEC_IDT_TABLE {
@@ -913,6 +917,19 @@ SecCoreStartupWithStack (
   InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
   DisableApicTimerInterrupt ();
 
+ #ifdef INTEL_TDX_FULL_FEATURE
+  if (SecTdxIsEnabled ()) {
+    TdxStartup (&SecCoreData);
+
+    //
+    // Never arrived here
+    //
+    ASSERT (FALSE);
+    CpuDeadLoop ();
+  }
+
+ #endif
+
   //
   // Initialize Debug Agent to support source level debug in SEC/PEI phases before memory ready.
   //
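Review bot: The `#ifdef INTEL_TDX_FULL_FEATURE` and `#endif` on L71 and L82 are indented by one space and separated from the closing brace by a blank line, unlike the same guard at file scope in the previous hunk, which sits at column 0; dropping the space and the blank line at L81 keeps the two guards consistent. The comment at L76 reads oddly and does not say why ASSERT (FALSE) follows; `// TdxStartup () transfers control to DXE and never returns` states the contract the ASSERT and CpuDeadLoop () are enforcing. When the macro is not defined, a TDX-enabled guest presumably continues down the existing SecStartupPhase2 path, which the commit message does not mention; a one-line comment on the `#endif` noting that fallback would help. SecCoreStartupWithStack begins and ends outside this hunk.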
diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf
index 230ee5e465b9..05e49ab5ae81 100644
--- a/OvmfPkg/Sec/SecMain.inf
+++ b/OvmfPkg/Sec/SecMain.inf
@@ -38,6 +38,7 @@
   MdeModulePkg/MdeModulePkg.dec
   UefiCpuPkg/UefiCpuPkg.dec
   OvmfPkg/OvmfPkg.dec
+  EmbeddedPkg/EmbeddedPkg.dec
 
 [LibraryClasses]
   BaseLib
@@ -58,6 +59,7 @@
 
 [LibraryClasses.X64]
   TdxLib
+  TdxStartupLib
 
 [Ppis]
   gEfiTemporaryRamSupportPpiGuid                # PPI ALWAYS_PRODUCED
-- 
2.29.2.windows.2







