[edk2-devel] [PATCH V2 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx

Min Xu posted 4 patches 1 year, 3 months ago
Failed in applying to current master (apply log)
There is a newer version of this series
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In the current DXE FV there are 100+ drivers. Some of the drivers are not
used in a Td guest (such as USB support drivers, network-related
drivers, etc.).

From the security perspective, if a driver is not used, we should prevent
it from being loaded/started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance

So we introduce Separate-Fv, which separates DXEFV into 2 FVs: DXEFV
and NCCFV. All the drivers which are not needed by a Confidential
Computing guest are moved from DXEFV to NCCFV.

When booting a CC guest, only the drivers in DXEFV will be loaded and
started. For a non-CC guest, both DXEFV and NCCFV drivers will be
loaded and started.

Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
Patch#2 adds PCDs/GUID for NCCFV.
Patch#3 moves CC-unused drivers to NCCFV.
Patch#4 updates PeilessStartupLib to find NCCFV for a non-CC guest.

Code: https://github.com/mxu9/edk2/tree/Separate-Fv.v2

v2 changes:
 - Move shell from DXEFV to NCCFV.
 - Wrap shell into "!if $(BUILD_SHELL) == TRUE" for consistency with
   the other ovmf build variants.

Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: Daniel Schaefer <git@danielschaefer.me>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

Min M Xu (4):
  EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
  OvmfPkg: Add PCDs/GUID for NCCFV
  OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
  OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest

 EmbeddedPkg/Include/Library/PrePiLib.h        |  23 ++-
 EmbeddedPkg/Library/PrePiLib/FwVol.c          |  42 ++++--
 EmbeddedPkg/Library/PrePiLib/PrePiLib.c       |   2 +-
 OvmfPkg/IntelTdx/IntelTdxX64.dsc              |  11 +-
 OvmfPkg/IntelTdx/IntelTdxX64.fdf              | 112 ++++++++++-----
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c   | 134 +++++++++++++++++-
 .../PeilessStartupInternal.h                  |   6 +
 .../PeilessStartupLib/PeilessStartupLib.inf   |   1 +
 OvmfPkg/OvmfPkg.dec                           |   3 +
 9 files changed, 275 insertions(+), 59 deletions(-)

-- 
2.29.2.windows.2
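As an added illustration of the gating the cover letter describes (only DXEFV is dispatched for a CC guest, DXEFV plus NCCFV for a non-CC guest), here is example code that is not part of this series or of edk2. It validates a firmware volume header the way a loader must before trusting any driver inside it (PI-spec `_FVH` signature, 16-bit header checksum, bounds on the extension header), reads the FV name GUID from the extension header, and then applies the CC/non-CC policy. The two FV name GUIDs and all function names are constructed placeholders, not the PCDs/GUIDs the patch series adds.

```c
/*
 * Added example (not edk2 code): validate a firmware volume header and decide
 * whether to dispatch it based on whether this is a CC guest.
 * Header layout follows the UEFI PI spec EFI_FIRMWARE_VOLUME_HEADER and
 * EFI_FIRMWARE_VOLUME_EXT_HEADER; the FV name GUIDs are constructed placeholders.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FV_SIGNATURE 0x4856465FU /* "_FVH" */

typedef struct { uint8_t b[16]; } Guid;

#pragma pack(push, 1)
typedef struct {
    uint8_t  ZeroVector[16];
    Guid     FileSystemGuid;
    uint64_t FvLength;
    uint32_t Signature;
    uint32_t Attributes;
    uint16_t HeaderLength;     /* includes the block map */
    uint16_t Checksum;         /* 16-bit words of the header sum to zero */
    uint16_t ExtHeaderOffset;  /* 0 if no extension header */
    uint8_t  Reserved;
    uint8_t  Revision;
    struct { uint32_t NumBlocks; uint32_t Length; } BlockMap[2]; /* entry + terminator */
} FvHeader;                    /* 72 bytes */

typedef struct {
    Guid     FvName;
    uint32_t ExtHeaderSize;
} FvExtHeader;                 /* 20 bytes */
#pragma pack(pop)

/* Constructed placeholder names for the two volumes (not edk2's GUIDs). */
static const Guid kDxeFvName = {{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}};
static const Guid kNccFvName = {{0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22}};

/* Little-endian 16-bit word sum, as the PI header checksum is defined. */
static uint16_t sum16(const uint8_t *p, size_t len) {
    uint16_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        s = (uint16_t)(s + (uint16_t)(p[i] | (p[i + 1] << 8)));
    return s;
}

/* Returns 0 if the header is well-formed and fills name_out from the ext header
 * (all-zero GUID if there is none); returns a negative code for each failure. */
int fv_validate(const uint8_t *buf, size_t buf_len, Guid *name_out) {
    FvHeader h;
    if (buf_len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.Signature != FV_SIGNATURE) return -2;
    if (h.HeaderLength < sizeof h || h.HeaderLength > buf_len) return -3;
    if (h.FvLength < h.HeaderLength || h.FvLength > buf_len) return -4;
    if (sum16(buf, h.HeaderLength) != 0) return -5;
    if (name_out) memset(name_out, 0, sizeof *name_out);
    if (h.ExtHeaderOffset) {
        FvExtHeader e;
        if ((size_t)h.ExtHeaderOffset + sizeof e > h.FvLength) return -6;
        memcpy(&e, buf + h.ExtHeaderOffset, sizeof e);
        if (e.ExtHeaderSize < sizeof e || h.ExtHeaderOffset + e.ExtHeaderSize > h.FvLength) return -7;
        if (name_out) *name_out = e.FvName;
    }
    return 0;
}

/* Policy: DXEFV is always dispatched; NCCFV only for a non-CC guest; unknown FVs never. */
int should_dispatch_fv(const Guid *name, int is_cc_guest) {
    if (memcmp(name, &kDxeFvName, sizeof *name) == 0) return 1;
    if (memcmp(name, &kNccFvName, sizeof *name) == 0) return !is_cc_guest;
    return 0;
}

/* 1 = dispatch, 0 = skip, negative = header rejected (never dispatch). */
int dispatch_decision(const uint8_t *buf, size_t len, int is_cc_guest) {
    Guid name;
    int rc = fv_validate(buf, len, &name);
    return rc < 0 ? rc : should_dispatch_fv(&name, is_cc_guest);
}

/* Builds a constructed, minimal FV image (header + ext header) with a valid checksum. */
size_t build_sample_fv(uint8_t *out, size_t cap, const Guid *name) {
    FvHeader h; FvExtHeader e;
    size_t total = sizeof h + sizeof e;
    if (cap < total) return 0;
    memset(&h, 0, sizeof h); memset(&e, 0, sizeof e);
    h.FvLength = total; h.Signature = FV_SIGNATURE; h.HeaderLength = sizeof h;
    h.ExtHeaderOffset = sizeof h; h.Revision = 2;
    h.BlockMap[0].NumBlocks = 1; h.BlockMap[0].Length = (uint32_t)total;
    e.FvName = *name; e.ExtHeaderSize = sizeof e;
    memcpy(out, &h, sizeof h);
    h.Checksum = (uint16_t)(0 - sum16(out, sizeof h)); /* make the words sum to zero */
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, &e, sizeof e);
    return total;
}

int main(void) {
    uint8_t img[128];
    size_t len = build_sample_fv(img, sizeof img, &kNccFvName);
    printf("NCCFV, CC guest:     %d\n", dispatch_decision(img, len, 1));
    printf("NCCFV, non-CC guest: %d\n", dispatch_decision(img, len, 0));
    return 0;
}
```

The order matters: the header is validated before the name GUID is even looked at, so a volume that fails the signature or checksum check is never a candidate for dispatch regardless of guest type, and an FV whose name matches neither known volume is skipped rather than dispatched by default.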



View/Reply Online (#97295): https://edk2.groups.io/g/devel/message/97295