[edk2-devel] [PATCH 1/1] OvmfPkg/AmdSev: introduce EMBED_GRUB=FALSE to skip including Grub image

Dov Murik dovmurik at linux.ibm.com
Wed Jul 7 10:42:32 UTC 2021


The AmdSevX64 target includes an embedded Grub image to support secure
(measured) boot of confidential guests with encrypted root images.

However, it is sometimes convenient to build this target without an
embedded Grub.  We introduce the EMBED_GRUB setting (defaults to TRUE),
which conditions the generation (grub.sh) and inclusion of the Grub
image.  Now building AmdSevX64 with -DEMBED_GRUB=FALSE allows it.

Cc: Laszlo Ersek <lersek at redhat.com>
Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
Cc: Jordan Justen <jordan.l.justen at intel.com>
Cc: Ashish Kalra <ashish.kalra at amd.com>
Cc: Brijesh Singh <brijesh.singh at amd.com>
Cc: Erdem Aktas <erdemaktas at google.com>
Cc: James Bottomley <jejb at linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Min Xu <min.m.xu at intel.com>
Cc: Tom Lendacky <thomas.lendacky at amd.com>
Cc: Tobin Feldman-Fitzthum <tobin at linux.ibm.com>
Signed-off-by: Dov Murik <dovmurik at linux.ibm.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc | 16 +++++++++++++++-
 OvmfPkg/AmdSev/AmdSevX64.fdf |  2 ++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 1d487befae08..ba7d6fe6b749 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -25,7 +25,6 @@ [Defines]
   BUILD_TARGETS                  = NOOPT|DEBUG|RELEASE
   SKUID_IDENTIFIER               = DEFAULT
   FLASH_DEFINITION               = OvmfPkg/AmdSev/AmdSevX64.fdf
-  PREBUILD                       = sh OvmfPkg/AmdSev/Grub/grub.sh
 
   #
   # Defines for default states.  These can be changed on the command line.
@@ -40,6 +39,19 @@ [Defines]
   #
   DEFINE BUILD_SHELL             = FALSE
 
+  #
+  # Embed Grub into the OVMF image so they are measured together when launching
+  # confidential guest
+  #
+  DEFINE EMBED_GRUB              = TRUE
+
+!if $(EMBED_GRUB) == TRUE
+  #
+  # This step builds the grub.efi binary image if needed
+  #
+  PREBUILD                       = sh OvmfPkg/AmdSev/Grub/grub.sh
+!endif
+
   #
   # Device drivers
   #
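Review bot: the new comment above DEFINE EMBED_GRUB says why Grub is embedded but not what a FALSE build gives up. Since the stated reason for embedding is that OVMF and Grub "are measured together", please add a sentence saying that with EMBED_GRUB=FALSE grub.sh is not run and no Grub image is included, so Grub is no longer part of what is measured with the OVMF image. Wording nit in the same comment: "launching confidential guest" should read "launching a confidential guest".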
@@ -784,7 +796,9 @@ [Components]
   }
 !endif
   OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+!if $(EMBED_GRUB) == TRUE
   OvmfPkg/AmdSev/Grub/Grub.inf
+!endif
 !if $(BUILD_SHELL) == TRUE
   ShellPkg/Application/Shell/Shell.inf {
     <LibraryClasses>
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 9977b0f00a18..ee3d96bb813f 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -270,7 +270,9 @@ [FV.DXEFV]
 INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 !endif
 INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+!if $(EMBED_GRUB) == TRUE
 INF  OvmfPkg/AmdSev/Grub/Grub.inf
+!endif
 !if $(BUILD_SHELL) == TRUE
 INF  ShellPkg/Application/Shell/Shell.inf
 !endif
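Review bot: in [FV.DXEFV] the Grub.inf entry is dropped when EMBED_GRUB is FALSE, but the diffstat lists only the .dsc and .fdf, so whatever consumes the embedded Grub image at boot is not touched by this patch. Please say in the commit message what the AmdSevX64 boot flow does when the image is absent, and whether it fails explicitly rather than continuing to some other boot option. This guard also has to stay identical to the one around OvmfPkg/AmdSev/Grub/Grub.inf in [Components] of the .dsc; a one-line comment on either side noting the pairing would help later edits.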
-- 
2.25.1


