On Tue, Jan 17, 2023 at 07:31:54AM +0800, Min Xu wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
>
> In current DXE FV there are 100+ drivers. Some of the drivers are not
> used in Td guest. (Such as USB support drivers, network related
> drivers, etc).
>
> From the security perspective if a driver is not used, we should prevent
> it from being loaded/started. There are 2 benefits:
> 1. Reduce the attack surface
> 2. Improve the boot performance
>
> So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV
> and NCCFV. All the drivers which are not needed by a Confidential
> Computing guest are moved from DXEFV to NCCFV.
>
> When booting a CC guest only the drivers in DXEFV will be loaded and
> started. For a Non-CC guest both DXEFV and NCCFV drivers will be
> loaded and started.
>
> Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
> Patch#2 adds PCDs/GUID for NCCFV.
> Patch#3 moves cc-unused drivers to NCCFV.
> Patch#4 updates PeilessStartupLib to find NCCFV for non-cc guest.

series:
Acked-by: Gerd Hoffmann <kra...@redhat.com>

take care,
  Gerd