[edk2-devel] [PATCH 00/10] Introduce TDVF Config-B (basic) in OvmfPkg

Min Xu posted 10 patches 2 years, 4 months ago
Failed in applying to current master (apply log)
There is a newer version of this series
EmbeddedPkg/Include/Library/PrePiLib.h        |  21 +-
EmbeddedPkg/Library/PrePiLib/FwVol.c          | 399 +++++++-
.../MemoryAllocationLib.c                     |  28 +
OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
OvmfPkg/Bhyve/BhyveX64.dsc                    |   3 +
OvmfPkg/Include/Library/TdxPlatformLib.h      |  38 +
OvmfPkg/Include/Library/TdxStartupLib.h       |  35 +
.../IntelTdxX64.dsc}                          |  23 +-
OvmfPkg/IntelTdx/IntelTdxX64.fdf              | 548 +++++++++++
.../PrePiHobListPointer.c                     |  45 +
.../PrePiHobListPointerLibTdx.inf             |  25 +
.../IntelTdx/SecPlatformLibQemuTdx/Platform.c | 286 ++++++
.../SecPlatformLibQemuTdx/TdxPlatformLib.inf  |  49 +
OvmfPkg/IntelTdx/TdxStartupLib/DxeLoad.c      | 344 +++++++
OvmfPkg/IntelTdx/TdxStartupLib/Hob.c          | 150 +++
OvmfPkg/IntelTdx/TdxStartupLib/TdxStartup.c   | 143 +++
.../TdxStartupLib/TdxStartupInternal.h        |  68 ++
.../IntelTdx/TdxStartupLib/TdxStartupLib.inf  |  85 ++
.../TdxStartupLib/TdxStartupLibNull.inf       |  40 +
.../IntelTdx/TdxStartupLib/TdxStartupNull.c   |  19 +
.../IntelTdx/TdxStartupLib/X64/PageTables.h   | 206 ++++
.../TdxStartupLib/X64/VirtualMemory.c         | 915 ++++++++++++++++++
.../Library/AcpiTimerLib/DxeAcpiTimerLib.c    |  23 +-
.../Library/AcpiTimerLib/DxeAcpiTimerLib.inf  |   4 +
OvmfPkg/Microvm/MicrovmX64.dsc                |   5 +
OvmfPkg/OvmfPkg.dec                           |  11 +
OvmfPkg/OvmfPkgX64.dsc                        |   1 +
OvmfPkg/OvmfXen.dsc                           |   3 +
OvmfPkg/Sec/IntelTdx.c                        |   7 +-
OvmfPkg/Sec/SecMain.c                         |  17 +
OvmfPkg/Sec/SecMain.inf                       |   2 +
OvmfPkg/TdxDxe/TdxDxe.c                       |  12 +
OvmfPkg/TdxDxe/TdxDxe.inf                     |   3 +
33 files changed, 3550 insertions(+), 11 deletions(-)
create mode 100644 OvmfPkg/Include/Library/TdxPlatformLib.h
create mode 100644 OvmfPkg/Include/Library/TdxStartupLib.h
copy OvmfPkg/{OvmfPkgX64.dsc => IntelTdx/IntelTdxX64.dsc} (96%)
create mode 100644 OvmfPkg/IntelTdx/IntelTdxX64.fdf
create mode 100644 OvmfPkg/IntelTdx/PrePiHobListPointerLibTdx/PrePiHobListPointer.c
create mode 100644 OvmfPkg/IntelTdx/PrePiHobListPointerLibTdx/PrePiHobListPointerLibTdx.inf
create mode 100644 OvmfPkg/IntelTdx/SecPlatformLibQemuTdx/Platform.c
create mode 100644 OvmfPkg/IntelTdx/SecPlatformLibQemuTdx/TdxPlatformLib.inf
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/DxeLoad.c
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/Hob.c
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/TdxStartup.c
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/TdxStartupInternal.h
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/TdxStartupLib.inf
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/TdxStartupLibNull.inf
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/TdxStartupNull.c
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/X64/PageTables.h
create mode 100644 OvmfPkg/IntelTdx/TdxStartupLib/X64/VirtualMemory.c
[edk2-devel] [PATCH 00/10] Introduce TDVF Config-B (basic) in OvmfPkg
Posted by Min Xu 2 years, 4 months ago
RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Intel's Trust Domain Extensions (Intel TDX) refers to an Intel technology
that extends Virtual Machine Extensions (VMX) and Multi-Key Total Memory
Encryption (MKTME) with a new kind of virtual machine guest called a
Trust Domain (TD). A TD is designed to run in a CPU mode that protects the
confidentiality of TD memory contents and the TD's CPU state from other
software, including the hosting Virtual-Machine Monitor (VMM), unless
explicitly shared by the TD itself.

There are 2 configurations for TDVF to upstream. See the link below for
the definitions of the 2 configurations.
https://edk2.groups.io/g/devel/message/76367

This patch-set is to enable the basic feature of Config-B in OvmfPkg.
 - Add a standalone IntelTdxX64.dsc to a TDX specific directory for a
   *full* feature TDVF. (Align with existing SEV)
 - IntelTdxX64.dsc includes TDX/normal OVMF basic boot capability. The
   final binary can run on TDX/normal OVMF.
 - PEI phase is skipped.

By design in Config-B there should be more advanced features, such as:
 - RTMR based measurement and measure boot.
 - Remove unnecessary drivers to reduce attack surface, such as
   network stack.

To make the code review more efficient, Config-B is split into 2 waves:
 - Basic feature of Config-B
 - Advanced feature of Config-B

Patch 1:
Create standalone IntelTdxX64.dsc / IntelTdxX64.fdf

Patch 2/3:
This patch-set leverages the PrePiLib and MemoryAllocationLib in
EmbeddedPkg. Some new functions are added to meet the Tdvf Config-B
requirement.

Patch 4/5/6:
They are helper libs used in Tdvf Config-B. TdxStartupLib is the most
important one which brings up Tdx guest from SEC to PEI.

Patch 7:
This patch updates TdxDxe driver for the Tdvf Config-B.

Patch 8:
Now it's time to update SecMain to call TdxStartup () to bring Tdx guest
from SEC to DXE.

Patch 9:
This patch updates DxeAcpiTimerLib for the Tdvf Config-B.

Patch 10:
With the introduction of Config-B changes, some Tdx libs should be added in
OvmfPkg's dsc to prevent breaking the build.

Code at: https://github.com/mxu9/edk2/tree/tdvf_wave3

Please note:
This patch-set is based on the code base of tdvf_wave2.v4 which is at:
https://github.com/mxu9/edk2/tree/tdvf_wave2.v4

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@hpe.com>
Cc: Daniel Schaefer <daniel.schaefer@hpe.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

Min Xu (10):
  OvmfPkg: Introduce IntelTdxX64 for TDVF Config-B
  EmbeddedPkg/PrePiLib: Update PrePiLib
  EmbeddedPkg/MemoryAllocationLib: Add null stub for AllocateCopyPool
  OvmfPkg: Add PrePiHobListPointerLibTdx
  OvmfPkg: Add SecPlatformLibQemuTdx
  OvmfPkg: Add TdxStartupLib
  OvmfPkg: Update TdxDxe to set TDX PCDs
  OvmfPkg: Update Sec to support Tdvf Config-B
  OvmfPkg: Update DxeAcpiTimerLib to read HostBridgeDevId in
    PlatformInfoHob
  OvmfPkg: Add Tdx libs to prevent building broken


-- 
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#84804): https://edk2.groups.io/g/devel/message/84804
Mute This Topic: https://groups.io/mt/87720793/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-


Re: [edk2-devel] [PATCH 00/10] Introduce TDVF Config-B (basic) in OvmfPkg
Posted by Gerd Hoffmann 2 years, 4 months ago
  Hi,

> Patch 2/3:
> This patch-set leverages the PrePiLib and MemoryAllocationLib in
> EmbeddedPkg. Some new functions are added to meet the Tdvf Config-B
> requirement.

Care to explain why this is needed?  How is tdvf different from other
pei-less platforms?  Could we just place DXEFV directly in the firmware
image, without wrapping it into FVMAIN_COMPACT for compression?

take care,
  Gerd





Re: [edk2-devel] [PATCH 00/10] Introduce TDVF Config-B (basic) in OvmfPkg
Posted by Min Xu 2 years, 4 months ago
On December 15, 2021 6:42 PM, Gerd Hoffmann wrote:
> > Patch 2/3:
> > This patch-set leverages the PrePiLib and MemoryAllocationLib in
> > EmbeddedPkg. Some new functions are added to meet the Tdvf Config-B
> > requirement.
> 
> Care to explain why this is needed?  How is tdvf different from other pei-less
> platforms?  Could we just place DXEFV directly in the firmware image, without
> wrapping it into FVMAIN_COMPACT for compression?
PrePiLib and MemoryAllocationLib in EmbeddedPkg can meet most of the requirements of TDVF Config-B, for example, the hob list functions, fw volume related functions, memory allocation functions, etc.
But there are still TDVF-specific functions missing. For example, EmbeddedPkg assumes the compressed section contains only one FV (DXE FV), so FfsProcessFvFile () can only handle this situation. But in TDVF's image, the compressed section contains 2 FVs (PeiFV and DxeFV, this is because of the *ONE BINARY* requirement). So FfsProcessFvFileEx () is added to handle this case.
I have to say, the *ONE BINARY* requirement restricts us from changing the OVMF image layout, otherwise the current code (legacy guest, SEV guest, etc) will break.

Thanks
Min
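
The point in the reply above, that a loader written for a single FV per compressed section misses the second one, is illustrated by the following added example; it is not code from this patch series or from EmbeddedPkg, and the implementation of FfsProcessFvFileEx () is not shown on this page. It walks an already-decompressed section stream, bounds-checks each section header, and records every FV image section. Assumptions: the section and FV header offsets follow the PI specification layout, and the names find_fv_images, fv_ref and build_sample are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#define SEC_FV_IMAGE 0x17u        /* EFI_SECTION_FIRMWARE_VOLUME_IMAGE */
#define FVH_SIG      0x4856465Fu  /* "_FVH" as a little-endian UINT32 */
#define FV_HDR_MIN   56u          /* fixed part of EFI_FIRMWARE_VOLUME_HEADER */
typedef struct { size_t offset; uint64_t length; } fv_ref;

static uint64_t rd_le(const uint8_t *p, int n) {   /* little-endian read */
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Record every FV image in a decompressed section stream, not just the first.
   Returns the FV count, or -1 if the stream is malformed or holds more than max. */
int find_fv_images(const uint8_t *buf, size_t len, fv_ref *out, int max) {
    size_t off = 0;
    int n = 0;
    while (off + 4 <= len) {
        size_t hdr = 4, size = (size_t)rd_le(buf + off, 3);  /* 24-bit Size */
        if (size == 0xFFFFFF) {                 /* EFI_COMMON_SECTION_HEADER2 */
            if (len - off < 8) return -1;
            hdr = 8; size = (size_t)rd_le(buf + off + 4, 4);
        }
        if (size < hdr || size > len - off) return -1;       /* stay in bounds */
        if (buf[off + 3] == SEC_FV_IMAGE) {
            const uint8_t *fv = buf + off + hdr;
            if (size - hdr < FV_HDR_MIN || rd_le(fv + 40, 4) != FVH_SIG) return -1;
            uint64_t fvlen = rd_le(fv + 32, 8);               /* FvLength */
            if (fvlen < FV_HDR_MIN || fvlen > size - hdr || n == max) return -1;
            out[n].offset = off + hdr; out[n].length = fvlen; n++;
        }
        off += (size + 3) & ~(size_t)3;         /* sections are 4-byte aligned */
    }
    return n;
}

/* Constructed sample: one RAW pad section, then two minimal FV images. */
static size_t put_section(uint8_t *p, uint8_t type, uint8_t payload) {
    size_t size = 4u + payload, padded = (size + 3) & ~(size_t)3;
    memset(p, 0, padded);
    p[0] = (uint8_t)size; p[3] = type;          /* every sample size is < 256 */
    if (type == SEC_FV_IMAGE) { p[36] = payload; memcpy(p + 44, "_FVH", 4); }
    return padded;
}
size_t build_sample(uint8_t *buf) {             /* buf needs >= 216 bytes */
    size_t off = put_section(buf, 0x19, 10);    /* EFI_SECTION_RAW */
    off += put_section(buf + off, SEC_FV_IMAGE, 64);
    return off + put_section(buf + off, SEC_FV_IMAGE, 128);
}
```

Calling find_fv_images with max set to 1 on the sample returns -1, which is how a caller that expects a single FV would notice the second one instead of silently ignoring it.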

