Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2022-01-15 Thread Min Xu
On January 14, 2022 4:32 PM, Gerd Hoffmann wrote:
> > > I don't see that PEI-less boot is required for that. Sure, when
> > > stripping down the build and removing all the features which require
> > > PEIMs there isn't much left to do for the PEI phase. So it makes
> > > sense to look into droppi

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2022-01-14 Thread Gerd Hoffmann
Hi,
> > I don't see that PEI-less boot is required for that. Sure, when stripping
> > down
> > the build and removing all the features which require PEIMs there isn't much
> > left to do for the PEI phase. So it makes sense to look into dropping PEI
> > altogether. But it's more a "nice to h

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2022-01-13 Thread Min Xu
On January 11, 2022 5:23 PM, Gerd Hoffmann wrote:
>
> > > Well, if you want to avoid the refactoring because of the risk there is
> > > still the option to have tdx config-b use the normal PEI boot flow.
> > > Then revisit refactoring and adding support for PEI-less boot later.
> > >
> > I think it s

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2022-01-11 Thread Gerd Hoffmann
Hi,
> > Well, if you want to avoid the refactoring because of the risk there is still
> > the
> > option to have tdx config-b use the normal PEI boot flow.
> > Then revisit refactoring and adding support for PEI-less boot later.
> >
> I think it still makes sense (Adding a basic PlatformInitLib w

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2022-01-10 Thread Min Xu
On January 10, 2022 3:56 PM, Gerd Hoffmann wrote:
> On Fri, Jan 07, 2022 at 06:13:37AM +, Xu, Min M wrote:
> > On January 3, 2022 4:02 PM, Gerd Hoffmann wrote:
> > >
> > > > PCDs cannot be set in SEC phase, so the values should be saved in
> > > > a Hob (for example, PLATFORM_INFO_HOB). In earl

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2022-01-09 Thread Gerd Hoffmann
On Fri, Jan 07, 2022 at 06:13:37AM +, Xu, Min M wrote:
> On January 3, 2022 4:02 PM, Gerd Hoffmann wrote:
> >
> > > PCDs cannot be set in SEC phase, so the values should be saved in a
> > > Hob (for example, PLATFORM_INFO_HOB). In early DXE phase these values
> > > are set to the PCDs. This is

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2022-01-06 Thread Min Xu
On January 3, 2022 4:02 PM, Gerd Hoffmann wrote:
>
> > PCDs cannot be set in SEC phase, so the values should be saved in a
> > Hob (for example, PLATFORM_INFO_HOB). In early DXE phase these values
> > are set to the PCDs. This is how TdxDxe does today.
> >
> > Other tasks can be done in SEC phase.

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2022-01-03 Thread Gerd Hoffmann
Hi,
> PCDs cannot be set in SEC phase, so the values should be saved in a
> Hob (for example, PLATFORM_INFO_HOB). In early DXE phase these values
> are set to the PCDs. This is how TdxDxe does today.
>
> Other tasks can be done in SEC phase. I think there should be a lib
> (for example, Platfor

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2021-12-23 Thread Min Xu
Hi
>
> > > Why? Booting non-tdx guests without PEI shouldn't be fundamentally
> > > different from a TDX guest. Memory detection needs fw_cfg instead
> > > of the td_hob, and you have to skip some tdx setup steps, but that
> should be it.
> > > Code for all that exists in PlatformPei, it only ne

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2021-12-20 Thread Gerd Hoffmann
Hi,
> > Why? Booting non-tdx guests without PEI shouldn't be fundamentally
> > different from a TDX guest. Memory detection needs fw_cfg instead of the
> > td_hob, and you have to skip some tdx setup steps, but that should be it.
> > Code for all that exists in PlatformPei, it only needs to be

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2021-12-18 Thread Min Xu
On December 16, 2021 10:25 PM, Gerd Hoffmann wrote:
> > > Oh, wow. So you compile in PEI, then decide at runtime whenever you
> > > use it or not?
> > Yes.
> > In OvmfPkgX64.dsc above code will not be built into the image. So it follows
> the SEC->PEI->DXE flow.
> > In IntelTdxX64.dsc, if it is Td

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2021-12-16 Thread Gerd Hoffmann
Hi,
> > Oh, wow. So you compile in PEI, then decide at runtime whenever you use it
> > or not?
> Yes.
> In OvmfPkgX64.dsc above code will not be built into the image. So it follows
> the SEC->PEI->DXE flow.
> In IntelTdxX64.dsc, if it is Tdx guest, it jumps from SEC to DXE (see
> TdxStartup (

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2021-12-16 Thread Min Xu
On December 15, 2021 6:28 PM, Gerd Hoffmann wrote:
> On Tue, Dec 14, 2021 at 09:41:24PM +0800, Min Xu wrote:
> > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
> >
> > Tdvf Config-B skips PEI phase to reduce attack surface. So instead of
> > jumping to SecStartupPhase2 (), TdxStartup () is

Re: [edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2021-12-15 Thread Gerd Hoffmann
On Tue, Dec 14, 2021 at 09:41:24PM +0800, Min Xu wrote:
> RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
>
> Tdvf Config-B skips PEI phase to reduce attack surface. So instead of
> jumping to SecStartupPhase2 (), TdxStartup () is called. This function
> brings up Tdx guest from SEC phase

[edk2-devel] [PATCH 08/10] OvmfPkg: Update Sec to support Tdvf Config-B

2021-12-14 Thread Min Xu
RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Tdvf Config-B skips PEI phase to reduce attack surface. So instead of jumping to SecStartupPhase2 (), TdxStartup () is called. This function brings up Tdx guest from SEC phase to DXE phase.

Cc: Michael D Kinney
Cc: Brijesh Singh
Cc: Erdem