> On Jul 19, 2024, at 12:35 AM, Gerd Hoffmann <kra...@redhat.com> wrote:
> 
> On Thu, Jul 18, 2024 at 07:57:27PM GMT, Tom Lendacky wrote:
>> On 7/16/24 21:30, 韩里洋 wrote:
>>> Hi Tom,
>>> 
>>> Thank you for your response.
>>> 
>>> In fact, I'm unable to proceed with the development of the fix patch
>>> locally as I don't have SEV-SNP hardware for experimentation. However, it
>>> has proven to be crucial for effectively testing and completing the patch.
>>> 
>>> Given your expertise and potentially available hardware, would your team be 
>>> able to take over the fixing of this issue? (bugzilla: 
>>> https://bugzilla.tianocore.org/show_bug.cgi?id=4807 )
>> 
>> Secure Boot is not supported under SEV-ES and SEV-SNP because SMM is
>> required in order for Secure Boot to be secure.
> 
> The other option is initializing the variable store from ROM on each
> boot.  Which implies there are no persistent EFI variables, which has
> its own set of drawbacks.  But this is what the IntelTdx build is doing
> and AmdSev should be able to do this too.
> 

Seems like you might be able to just overwrite the secure boot related 
variables on every boot to a hard coded value. You could have PCDs for the 
default values of the variables. 

Thanks,

Andrew Fish

> take care,
>  Gerd
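The design the thread sketches, a variable store that is reloaded from read-only defaults on every boot rather than from persistent flash, can be modelled in a few lines of plain C. The following is an added example written for this page; it is not code from the thread or from EDK2, and the variable names, the hypothetical `kRomDefaults` table (standing in for PCD-provided values) and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Model of a Secure Boot variable store with no persistent backing:
 * a read-only "ROM" table of defaults is copied into a RAM store at
 * every boot. Constructed example; names, values and functions are
 * hypothetical and not EDK2 APIs. */

#define MAX_VARS 8
#define MAX_DATA 64

typedef struct {
    const char *name;
    uint8_t     data[MAX_DATA];
    size_t      len;
} Variable;

/* "ROM" defaults: in a real build these would be PCD values compiled
 * into the firmware image. Sample bytes only, not real certificates. */
static const Variable kRomDefaults[] = {
    { "PK",  { 0xAA, 0x01 }, 2 },
    { "KEK", { 0xBB, 0x02 }, 2 },
    { "db",  { 0xCC, 0x03 }, 2 },
    { "dbx", { 0xDD, 0x04 }, 2 },
};
#define ROM_COUNT (sizeof kRomDefaults / sizeof kRomDefaults[0])

/* Volatile RAM store: lives only for the current boot. */
static Variable g_store[MAX_VARS];
static size_t   g_count;

/* Boot: discard whatever the previous boot left behind and reload the
 * store from ROM. Returns the number of variables installed. */
size_t firmware_boot(void) {
    memset(g_store, 0, sizeof g_store);
    g_count = 0;
    for (size_t i = 0; i < ROM_COUNT; i++)
        g_store[g_count++] = kRomDefaults[i];
    return g_count;
}

static Variable *find_var(const char *name) {
    for (size_t i = 0; i < g_count; i++)
        if (strcmp(g_store[i].name, name) == 0)
            return &g_store[i];
    return NULL;
}

/* Runtime SetVariable: the write lands in RAM only. Returns 0 on
 * success, -1 if the data is too large or the store is full. The name
 * pointer is kept as-is, so callers pass a long-lived string. */
int set_variable(const char *name, const uint8_t *data, size_t len) {
    if (len > MAX_DATA) return -1;
    Variable *v = find_var(name);
    if (!v) {
        if (g_count == MAX_VARS) return -1;
        v = &g_store[g_count++];
        v->name = name;
    }
    memcpy(v->data, data, len);
    v->len = len;
    return 0;
}

/* Returns 1 if the variable currently holds exactly its ROM default,
 * 0 if it differs or is unknown. */
int matches_rom_default(const char *name) {
    const Variable *v = find_var(name);
    if (!v) return 0;
    for (size_t i = 0; i < ROM_COUNT; i++)
        if (strcmp(kRomDefaults[i].name, name) == 0)
            return v->len == kRomDefaults[i].len &&
                   memcmp(v->data, kRomDefaults[i].data, v->len) == 0;
    return 0;
}

int main(void) {
    firmware_boot();
    /* A runtime write (legitimate or not) changes db during this boot... */
    const uint8_t changed[] = { 0xEE, 0xEE, 0xEE };
    set_variable("db", changed, sizeof changed);
    printf("db matches ROM after write:  %d\n", matches_rom_default("db"));
    /* ...but the next boot reloads from ROM, so the change does not survive. */
    firmware_boot();
    printf("db matches ROM after reboot: %d\n", matches_rom_default("db"));
    return 0;
}
```

The second `firmware_boot()` call is the whole point: because nothing is written back to persistent storage, a modified `db` (or `PK`, `KEK`, `dbx`) cannot outlive the boot in which it was changed, so the keys cannot be altered without a new firmware build. The same property is the drawback Gerd mentions: a legitimate key enrollment or dbx update made at runtime is lost in exactly the same way.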
View/Reply Online (#120200): https://edk2.groups.io/g/devel/message/120200