BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
In the current DXE FV there are 100+ drivers. Some of the drivers are not
used in a Td guest (such as USB support drivers, network-related
drivers, etc.).
From the security perspective, if a driver is not used, we should prevent
it from being loaded/started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance
So we introduce Separate-Fv, which separates DXEFV into 2 FVs: DXEFV
and NCCFV. All the drivers which are not needed by a Confidential
Computing guest are moved from DXEFV to NCCFV.
When booting a CC guest, only the drivers in DXEFV will be loaded and
started. For a non-CC guest, both DXEFV and NCCFV drivers will be
loaded and started.
Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
Patch#2 adds PCDs/GUID for NCCFV.
Patch#3 moves CC-unused drivers to NCCFV.
Patch#4 updates PeilessStartupLib to find NCCFV for a non-CC guest.
Code: https://github.com/mxu9/edk2/tree/Separate-Fv.v2
v2 changes:
- Move shell from DXEFV to NCCFV.
- Wrap shell into "!if $(BUILD_SHELL) == TRUE" for consistency with
the other ovmf build variants.
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: Daniel Schaefer <git@danielschaefer.me>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Min M Xu (4):
EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
OvmfPkg: Add PCDs/GUID for NCCFV
OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest
 EmbeddedPkg/Include/Library/PrePiLib.h              |  23 ++-
 EmbeddedPkg/Library/PrePiLib/FwVol.c                |  42 ++++--
 EmbeddedPkg/Library/PrePiLib/PrePiLib.c             |   2 +-
 OvmfPkg/IntelTdx/IntelTdxX64.dsc                    |  11 +-
 OvmfPkg/IntelTdx/IntelTdxX64.fdf                    | 112 ++++++++++-----
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c         | 134 +++++++++++++++++-
 .../PeilessStartupInternal.h                        |   6 +
 .../PeilessStartupLib/PeilessStartupLib.inf         |   1 +
 OvmfPkg/OvmfPkg.dec                                 |   3 +
 9 files changed, 275 insertions(+), 59 deletions(-)
--
2.29.2.windows.2
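The loading policy the cover letter describes (DXEFV drivers always dispatched, NCCFV drivers only for a non-CC guest, enforced through a section-check hook in the FV walker) is modelled below as an added example. This is not code from the series or from edk2: the FFS_FILE/SECTION structs, the hook signature, the driver inventory and its assignment to volumes are all constructed stand-ins, and only the two EFI_SECTION_* type values are real. The point it makes is the defender's invariant: with the hook in place, no image from NCCFV can reach the dispatcher when the guest is a CC guest, and that property is checkable rather than assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model (assumption, not the edk2 implementation) of the policy in
 * the cover letter: two firmware volumes, a guest type, and a section-check
 * hook that the FV walker consults before handing a section to the dispatcher. */

typedef enum { GUEST_CC, GUEST_NON_CC } GUEST_TYPE;
typedef enum { FV_DXE, FV_NCC } FV_ID;

/* Real EFI_SECTION_* values for DXE_DEPEX and PE32; everything else is a model. */
typedef enum { SECTION_DXE_DEPEX = 0x13, SECTION_PE32 = 0x10 } SECTION_TYPE;

typedef struct {
  SECTION_TYPE Type;
  const char  *Payload;          /* stand-in for the section body */
} SECTION;

typedef struct {
  const char    *Name;
  FV_ID          Fv;             /* which volume the file was found in */
  const SECTION *Sections;
  size_t         SectionCount;
} FFS_FILE;

/* Hypothetical hook shape: return true to accept the section, false to reject. */
typedef bool (*FFS_CHECK_SECTION_HOOK)(const FFS_FILE *File,
                                       const SECTION *Section, void *Context);

/* Find the first section of the wanted type in File. A rejection by the hook
 * means the file is not dispatched at all (no fall-through to later sections). */
const SECTION *FfsFindSectionWithHook(const FFS_FILE *File, SECTION_TYPE Wanted,
                                      FFS_CHECK_SECTION_HOOK Hook, void *Context) {
  for (size_t i = 0; i < File->SectionCount; i++) {
    const SECTION *S = &File->Sections[i];
    if (S->Type != Wanted) continue;
    if (Hook != NULL && !Hook(File, S, Context)) return NULL;
    return S;
  }
  return NULL;
}

/* Policy hook: DXEFV is always allowed; NCCFV only when the guest is non-CC. */
bool NccFvPolicyHook(const FFS_FILE *File, const SECTION *Section, void *Context) {
  (void)Section;
  GUEST_TYPE Guest = *(const GUEST_TYPE *)Context;
  return File->Fv == FV_DXE || Guest == GUEST_NON_CC;
}

/* Constructed inventory; the names and volume assignment are illustrative only. */
static const SECTION Pe32Only[]     = { { SECTION_PE32, "pe32" } };
static const SECTION DepexAndPe32[] = { { SECTION_DXE_DEPEX, "depex" },
                                        { SECTION_PE32, "pe32" } };

static const FFS_FILE Inventory[] = {
  { "PlatformDriver", FV_DXE, DepexAndPe32, 2 },
  { "StorageDriver",  FV_DXE, Pe32Only,     1 },
  { "UsbDriver",      FV_NCC, DepexAndPe32, 2 },   /* moved out of DXEFV */
  { "NetworkDriver",  FV_NCC, Pe32Only,     1 },   /* moved out of DXEFV */
};
#define INVENTORY_COUNT (sizeof Inventory / sizeof Inventory[0])

/* How many PE32 images the walker would hand to the DXE core for this guest type. */
size_t CountDispatchable(GUEST_TYPE Guest) {
  size_t n = 0;
  for (size_t i = 0; i < INVENTORY_COUNT; i++) {
    if (FfsFindSectionWithHook(&Inventory[i], SECTION_PE32,
                               NccFvPolicyHook, &Guest) != NULL) n++;
  }
  return n;
}

/* Defender's invariant: no NCCFV image is dispatchable in a CC guest. */
bool NoNccImageInCcGuest(void) {
  GUEST_TYPE Guest = GUEST_CC;
  for (size_t i = 0; i < INVENTORY_COUNT; i++) {
    if (Inventory[i].Fv == FV_NCC &&
        FfsFindSectionWithHook(&Inventory[i], SECTION_PE32,
                               NccFvPolicyHook, &Guest) != NULL) return false;
  }
  return true;
}
```

The hook is the place where the policy lives, so the walker itself stays generic; a platform that wants a different rule (or a CC guest that must additionally verify a measurement before accepting a section) swaps the hook rather than the walker. Returning NULL on rejection, instead of continuing to scan, avoids the trap where a later section of the same type slips past the check.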