On Sun, 2021-07-25 at 10:52 +0300, Dov Murik wrote: > And I do have one question: > > May I know what is criteria to put a SEV module to OvmfPkg\AmdSev > > or OvmfPkg directly? > > > > My original understanding is: > > If a module is required by OvmfPkg{Ia32,Ia32X64,X64}.{dsc,fdf}, > > then it should be OvmfPkg. > > If a module is only required by OvmfPkg\AmdSev\AmdSevX64.{dsc,fdf}, > > Then it should be in OvmfPkg\AmdSev. > > > > Am I right? > > > > I actually don't know the criteria. What you say sounds reasonable. > I'll also let James (who introduced the AmdSevX64 target) say what he > thinks.
The original reason for the AmdSev package was actually for attestation: The only way to get attested boot using a standard VM image for SEV and SEV-ES was to pull grub inside the measurement envelope and have a stripped down hard failing boot path, so if the key didn't decode the encrypted boot volume for some reason, the whole thing would fail without revealing the injected secret. This stripped down hard failing boot path is much easier to construct as a separate target. Essentially that means that lots of SEV exists outside the AmdSev directory and things should only be in it if they're either modified to support the encrypted volume boot path or are only required by it. However, this ran into problems when it was decided AmdSev shouldn't have it's own Library, so the modified boot path now lives in OvmfPkg/Library/PlatformBootManagerLibGrub, so now it's unclear even to me what the criteria are. James -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78160): https://edk2.groups.io/g/devel/message/78160 Mute This Topic: https://groups.io/mt/84375116/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-