[edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

Min Xu min.m.xu at intel.com
Thu Dec 16 12:21:18 UTC 2021


On December 15, 2021 6:28 PM, Gerd Hoffmann wrote:
> On Tue, Dec 14, 2021 at 09:41:24PM +0800, Min Xu wrote:
> > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
> >
> > Tdvf Config-B skips PEI phase to reduce attack surface. So instead of
> > jumping to SecStartupPhase2 (), TdxStartup () is called. This function
> > brings up Tdx guest from SEC phase to DXE phase.
> 
> > + #ifdef INTEL_TDX_FULL_FEATURE
> > +  if (SecTdxIsEnabled ()) {
> > +    TdxStartup (&SecCoreData);
> > +
> > +    //
> > +    // Never arrived here
> > +    //
> > +    ASSERT (FALSE);
> > +    CpuDeadLoop ();
> > +  }
> > +
> > + #endif
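Review bot: the SecTdxIsEnabled () test that opens the added block is the sole selector between the PEI-less path and the normal flow, yet the hunk has no comment on what it probes or why the result can be relied on this early in SEC. A short comment above the if stating that would help, since a build with INTEL_TDX_FULL_FEATURE defined still falls through to the code after #endif whenever the check returns false. The comment "Never arrived here" would read better as the contract it implies, for example "TdxStartup () does not return", and CpuDeadLoop () should stay after ASSERT (FALSE) because it is the only stop left in builds where ASSERT is compiled out.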
> 
> Oh, wow.  So you compile in PEI, then decide at runtime whether you use it
> or not?
Yes.
In OvmfPkgX64.dsc the above code will not be built into the image. So it follows the SEC->PEI->DXE flow.
In IntelTdxX64.dsc, if it is a Tdx guest, it jumps from SEC to DXE (see TdxStartup ()). Otherwise, it follows the SEC->PEI->DXE flow (Legacy guest, SEV guest, etc).
> 
> No.  Please don't.  That's just silly.  If you don't want to use PEI, ok, fine, but
> please go the way then, remove PEI from the build and take the PEI-less code
> path in all cases.
In the first version of TDVF, we do remove the PEI from the image. The image only contains the SEC and DXE, and only the components TDVF needs. It's a slim image.
Then the *ONE BINARY* requirement is proposed. It requires bringing up the Legacy guest and the Tdx guest with the same image. So PEI must be included in the build, and it probes for a Tdx guest at run-time so that it decides to go to the legacy flow (SEC->PEI->DXE) or the Tdx flow (SEC->DXE).
Below are some of the links about the discussion.
https://edk2.groups.io/g/devel/message/76023  Laszlo
https://edk2.groups.io/g/devel/message/76024  Jiewen
https://edk2.groups.io/g/devel/message/76065  Laszlo
https://edk2.groups.io/g/devel/message/76339  Erdem Aktas
https://edk2.groups.io/g/devel/message/76367  Config-A & Config-B

Thanks
Min


View/Reply Online (#84987): https://edk2.groups.io/g/devel/message/84987