[edk2-devel] [PATCH v4 00/11] Measured SEV boot with kernel/initrd/cmdline
James Bottomley
jejb at linux.ibm.com
Mon Jul 26 14:50:10 UTC 2021
On Mon, 2021-07-26 at 00:55 +0000, Yao, Jiewen wrote:
> Hi James
> "However, this ran into problems when it was decided AmdSev shouldn't
> have it's own Library."
>
> I am not clear on the history. Would you please clarify why AmdSev
> should not have its own library?
The history predates me. It was already done for the Bhyve package
which also has a modified PlatformBootManagerLib when I came along with
this. However, only having Library in the top level package seems to
be a common edk2 pattern if you run a find.
> It looks not reasonable to me. AmdSev is just a feature. A feature
> may have its own library. We have enough examples.
We do? Running
find . -name Library -print
only turns up
./FmpDevicePkg/Test/UnitTest/Library
As not following the top level package only pattern.
> Also, the instance name "Grub" is very confusing. I compared
> PlatformBootManagerLib and PlatformBootManagerLibGrub. This is just a
> customized PlatformBootManagerLib.
It's called Grub because it places Grub in the Fv for combined pre-
attestation. Either SEV or TDX could use this (Although TDX looks
likely not to want to).
> For example, XEN feature removing and PIIX4 difference has nothing to
> do with Grub...
> =================
> PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x60), 0x0b); // A
> PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x61), 0x0b); // B
> PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x62), 0x0a); // C
> PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x63), 0x0a); // D
> =================
It's part of the boot path stripping to make sure there's a hard
failure if Grub fails to execute. There's a Bugzilla requiring more of
this because a grub only booting platform library needs fewer
extraneous things which could constitute an attack surface for the
injected secret.
> It is a big misleading. Can we move the PlatformBootManagerLibGrub To
> AmdSev now?
I think you probably want to ask around older edk2 package maintainers
and see if there's any reason for this pattern, which seems to be
strongly enforced. If no-one can remember, then likely it can be
broken.
James
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78175): https://edk2.groups.io/g/devel/message/78175
Mute This Topic: https://groups.io/mt/84375116/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list