[edk2-devel] [PATCH V5 1/2] OvmfPkg: Introduce Tdx BFV/CFV PCDs and PcdOvmfImageSizeInKb

Min Xu min.m.xu at intel.com
Tue Aug 31 03:29:41 UTC 2021


On Monday, August 30, 2021 3:04 PM, Gerd Hoffmann wrote:
> 
>   Hi,
> 
> > In practice BFV is the code part of Ovmf image. CFV is the vars part
> > of Ovmf image (exclude the SPARE part).
> 
> Why do you exclude the spare part?
CFV includes all the provisioned data, such as UEFI Secure Boot Variable contents.
It will be measured into RTMR by TDVF. So the other parts, such as the SPARE part, are
excluded because the SPARE part should not be measured.

Detailed information is in TDVF design guide Section 3.2
https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
> 
> From a security point of view I don't think it is a good idea to hard code any
> assumptions about the layout of the vars volume.
Do you mean I cannot assume the layout of VarStore? 
At least in Ovmf the VarStore.fdf.inc defines the layout of VarStore like below.
[ VARIABLE_STORE_HEADER ]  <-- 0
[         VAR 1         ]
[         VAR 2         ]
[         VAR n         ]
[                       ]  <-- VARS_LIVE_SIZE
[     NV_EVENT_LOG      ]
[    NV_FTW_WORKING     ]  <-- VARS_SIZE

> 
> > +SET gUefiOvmfPkgTokenSpaceGuid.PcdCfvBase           =
> $(FW_BASE_ADDRESS)
> > +SET gUefiOvmfPkgTokenSpaceGuid.PcdCfvRawDataOffset  =
> $(VARS_OFFSET)
> > +SET gUefiOvmfPkgTokenSpaceGuid.PcdCfvRawDataSize    =
> $(VARS_LIVE_SIZE)
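Review bot: PcdCfvRawDataSize is set to $(VARS_LIVE_SIZE) with no comment in the quoted lines saying that the measured CFV range deliberately stops short of $(VARS_SIZE). A short comment above the three SET lines stating that only the provisioned variable data is covered, and that the areas after VARS_LIVE_SIZE are left out of the measurement, would record the intent and make a later change to the VarStore.fdf.inc layout easier to review against these PCDs.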
> 
> I'd suggest to use $(VARS_SIZE) here.
As I explained above, CFV only includes the provisioned data. So VARS_LIVE_SIZE
is used. VARS_SIZE is the whole size of VarStore.
> 
Thanks!
Min
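
An added illustration, not part of the original message or of the patch: it shows what choosing VARS_LIVE_SIZE or VARS_SIZE as the measured size means for the resulting measurement. The layout sizes and image contents are constructed, the function names are hypothetical, and the RTMR is modelled as a SHA-384 hash-extend register.

```python
import hashlib

# Constructed layout following the diagram in the message above.
# Sizes are illustrative only, not OVMF's real values.
VARS_OFFSET = 0x0
VARS_LIVE_SIZE = 0x400      # header + variables: the provisioned data
EVENT_LOG_SIZE = 0x100      # NV_EVENT_LOG
FTW_WORKING_SIZE = 0x100    # NV_FTW_WORKING
VARS_SIZE = VARS_LIVE_SIZE + EVENT_LOG_SIZE + FTW_WORKING_SIZE


def build_image(tail_fill: int) -> bytes:
    """Constructed vars image: fixed provisioned data, caller-chosen tail bytes."""
    live = (b"VARIABLE_STORE_HEADER" + b"SecureBootVars").ljust(VARS_LIVE_SIZE, b"\xff")
    tail = bytes([tail_fill]) * (EVENT_LOG_SIZE + FTW_WORKING_SIZE)
    return live + tail


def measure(image: bytes, offset: int, size: int) -> bytes:
    """SHA-384 digest of image[offset:offset+size], rejecting out-of-range input."""
    if offset < 0 or size <= 0 or offset + size > len(image):
        raise ValueError("measured range falls outside the image")
    return hashlib.sha384(image[offset:offset + size]).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """Hash-extend model of a measurement register: new = SHA384(old || digest)."""
    return hashlib.sha384(register + digest).digest()


def rtmr_after_measuring(image: bytes, size: int) -> bytes:
    """Register value after one extend, starting from an all-zero register."""
    return extend(bytes(48), measure(image, VARS_OFFSET, size))


if __name__ == "__main__":
    # Same provisioned data, different bytes in NV_EVENT_LOG / NV_FTW_WORKING.
    image_a, image_b = build_image(0xFF), build_image(0x00)
    for name, size in (("VARS_LIVE_SIZE", VARS_LIVE_SIZE), ("VARS_SIZE", VARS_SIZE)):
        same = rtmr_after_measuring(image_a, size) == rtmr_after_measuring(image_b, size)
        print(f"measured size {name}: identical measurement = {same}")
```

With VARS_LIVE_SIZE the two images measure identically because the bytes after the live area are not covered; with VARS_SIZE any difference in those areas changes the measurement.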

