[edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx

Min Xu posted 4 patches 1 year, 3 months ago
Failed in applying to current master (apply log)
[edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Min Xu 1 year, 3 months ago
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In current DXE FV there are 100+ drivers. Some of the drivers are not
used in Td guest. (Such as USB support drivers, network related
drivers, etc).

From the security perspective if a driver is not used, we should prevent
it from being loaded/started. There are 2 benefits: 
1. Reduce the attack surface
2. Improve the boot performance

So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV
and NCCFV. All the drivers which are not needed by a Confidential
Computing guest are moved from DXEFV to NCCFV.

When booting a CC guest only the drivers in DXEFV will be loaded and
started. For a Non-CC guest both DXEFV and NCCFV drivers will be
loaded and started.

Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
Patch#2 adds PCDs/GUID for NCCFV.
Patch#3 moves cc-unused drivers to NCCFV.
Patch#4 updates PeilessStartupLib to find NCCFV for non-cc guest.

Code: https://github.com/mxu9/edk2/tree/Separate-Fv.v3

v3 changes:
 - Rebase the code base to 7cd55f3009.

v2 changes:
 - Move shell from DXEFV to NCCFV.
 - Wrap shell into "!if $(BUILD_SHELL) == TRUE" for consistency with
   the other ovmf build variants.

Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: Daniel Schaefer <git@danielschaefer.me>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

Min M Xu (4):
  EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
  OvmfPkg: Add PCDs/GUID for NCCFV
  OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
  OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest

 EmbeddedPkg/Include/Library/PrePiLib.h        |  23 ++-
 EmbeddedPkg/Library/PrePiLib/FwVol.c          |  42 ++++--
 EmbeddedPkg/Library/PrePiLib/PrePiLib.c       |   2 +-
 OvmfPkg/IntelTdx/IntelTdxX64.dsc              |  11 +-
 OvmfPkg/IntelTdx/IntelTdxX64.fdf              | 112 ++++++++++-----
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c   | 134 +++++++++++++++++-
 .../PeilessStartupInternal.h                  |   6 +
 .../PeilessStartupLib/PeilessStartupLib.inf   |   1 +
 OvmfPkg/OvmfPkg.dec                           |   3 +
 9 files changed, 275 insertions(+), 59 deletions(-)

-- 
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#98605): https://edk2.groups.io/g/devel/message/98605
Mute This Topic: https://groups.io/mt/96319661/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Gerd Hoffmann 1 year, 3 months ago
On Tue, Jan 17, 2023 at 07:31:54AM +0800, Min Xu wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
> 
> In current DXE FV there are 100+ drivers. Some of the drivers are not
> used in Td guest. (Such as USB support drivers, network related
> drivers, etc).
> 
> From the security perspective if a driver is not used, we should prevent
> it from being loaded/started. There are 2 benefits: 
> 1. Reduce the attack surface
> 2. Improve the boot performance
> 
> So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV
> and NCCFV. All the drivers which are not needed by a Confidential
> Computing guest are moved from DXEFV to NCCFV.
> 
> When booting a CC guest only the drivers in DXEFV will be loaded and
> started. For a Non-CC guest both DXEFV and NCCFV drivers will be
> loaded and started.
> 
> Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
> Patch#2 adds PCDs/GUID for NCCFV.
> Patch#3 moves cc-unused drivers to NCCFV.
> Patch#4 updates PeilessStartupLib to find NCCFV for non-cc guest.

series:
Acked-by: Gerd Hoffmann <kraxel@redhat.com>

take care,
  Gerd



Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Yao, Jiewen 1 year, 3 months ago
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

Merged https://github.com/tianocore/edk2/pull/3916

Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Ard Biesheuvel 1 year, 3 months ago
This series has broken the ArmVirtQemuKernel build (see below).

Please fix or revert.



<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>: In function ‘RelocatePeCoffImage’:
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:158:12: error: too few arguments to function ‘FfsFindSectionData’
  158 |   Status = FfsFindSectionData (EFI_SECTION_PE32, FileHandle, &SectionData);
      |            ^~~~~~~~~~~~~~~~~~
In file included from <https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:13:
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/EmbeddedPkg/Include/Library/PrePiLib.h>:81:1: note: declared here
   81 | FfsFindSectionData (
      | ^~~~~~~~~~~~~~~~~~
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:160:14: error: too few arguments to function ‘FfsFindSectionData’
  160 |     Status = FfsFindSectionData (EFI_SECTION_TE, FileHandle, &SectionData);
      |              ^~~~~~~~~~~~~~~~~~
In file included from <https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/ArmVirtPkg/PrePi/PrePi.c>:13:
<https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/EmbeddedPkg/Include/Library/PrePiLib.h>:81:1: note: declared here
   81 | FfsFindSectionData (
      | ^~~~~~~~~~~~~~~~~~
make: *** [GNUmakefile:397: <https://ci.linaro.org/job/leg-virt-tianocore-edk2-upstream/ws/edk2/Build/ArmVirtQemuKernel-AARCH64/DEBUG_GCC5/AARCH64/ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreRelocatable/OUTPUT/PrePi.obj]> Error 1

Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Min Xu 1 year, 3 months ago
I will submit a patch-set to fix it soon.



Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Yao, Jiewen 1 year, 3 months ago
Hey Ard
I am worried about the CI for ArmVirtPkg.
Can we add such ArmVirtPkg build into CI?

I feel disappointed that a simple build error cannot be caught by CI.


Hey Min/Ard
I think the reason is that the API in EmbeddedPkg/PrePiLib library is changed. That makes it compatible. It is a bad idea, IMHO.

A better way is to keep old API - FfsFindSectionData(), and add a new API - FfsFindSectionDataWithHook().
That can keep the compatibility, and we don’t worry about any unknown consumer.

Thank you
Yao Jiewen
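
Added example, not part of the message above and not code from the patch series or edk2: a simplified C model of the compatibility approach it suggests, where the existing lookup keeps its signature and the hook-taking variant is a new entry point. The lowercase function names, the tag-byte hook and the sample bytes are assumptions constructed for illustration; only the 24-bit size plus 8-bit type section header follows the PI firmware file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SEC_HDR_SIZE 4u     /* 3-byte little-endian size + 1-byte type */
#define SECTION_PE32 0x10u
#define SECTION_TE   0x12u

enum { FIND_OK = 0, FIND_NOT_FOUND = 1, FIND_CORRUPT = 2 };

/* Hypothetical hook: return nonzero to accept a candidate section payload. */
typedef int (*section_check_hook)(const uint8_t *payload, size_t payload_len);

static uint32_t sec_size(const uint8_t *h) {
    return (uint32_t)h[0] | ((uint32_t)h[1] << 8) | ((uint32_t)h[2] << 16);
}

/* New entry point: walks 4-byte-aligned sections, bounds-checks every size
 * field against the remaining file, and lets the caller veto a match. */
int find_section_data_with_hook(uint8_t type, section_check_hook hook,
                                const uint8_t *file, size_t file_len,
                                const uint8_t **data, size_t *data_len) {
    size_t off = 0;                               /* invariant: off <= file_len */
    while (file_len - off >= SEC_HDR_SIZE) {
        const uint8_t *sec = file + off;
        size_t size = sec_size(sec);
        if (size < SEC_HDR_SIZE || size > file_len - off)
            return FIND_CORRUPT;                  /* size field lies about the file */
        if (sec[3] == type) {
            const uint8_t *payload = sec + SEC_HDR_SIZE;
            size_t plen = size - SEC_HDR_SIZE;
            if (hook == NULL || hook(payload, plen)) {
                *data = payload;
                *data_len = plen;
                return FIND_OK;
            }
        }
        size_t next = (size + 3u) & ~(size_t)3u;  /* sections are 4-byte aligned */
        if (next > file_len - off)
            break;
        off += next;
    }
    return FIND_NOT_FOUND;
}

/* Old entry point, signature unchanged: existing callers keep compiling and
 * get the old "first section of this type" behaviour (no hook). */
int find_section_data(uint8_t type, const uint8_t *file, size_t file_len,
                      const uint8_t **data, size_t *data_len) {
    return find_section_data_with_hook(type, NULL, file, file_len, data, data_len);
}

/* Constructed hook: accept only payloads whose first byte is the tag 0x02. */
int accept_tag_02(const uint8_t *payload, size_t payload_len) {
    return payload_len >= 1 && payload[0] == 0x02;
}

/* Constructed sample: two PE32-type sections, payload tags 0x01 and 0x02. */
const uint8_t SAMPLE_FILE[] = {
    0x07, 0x00, 0x00, 0x10, 0x01, 0xAA, 0xBB, 0x00,  /* size 7 + 1 pad byte */
    0x08, 0x00, 0x00, 0x10, 0x02, 0xCC, 0xDD, 0xEE,  /* size 8 */
};
/* Constructed sample: header claims 0x20 bytes but only 8 are present. */
const uint8_t TRUNCATED_FILE[] = { 0x20, 0x00, 0x00, 0x10, 0, 0, 0, 0 };

int main(void) {
    const uint8_t *d = NULL;
    size_t n = 0;
    int rc = find_section_data(SECTION_PE32, SAMPLE_FILE, sizeof SAMPLE_FILE, &d, &n);
    printf("old API:   rc=%d tag=0x%02x len=%zu\n", rc, d[0], n);
    rc = find_section_data_with_hook(SECTION_PE32, accept_tag_02,
                                     SAMPLE_FILE, sizeof SAMPLE_FILE, &d, &n);
    printf("with hook: rc=%d tag=0x%02x len=%zu\n", rc, d[0], n);
    rc = find_section_data(SECTION_PE32, TRUNCATED_FILE, sizeof TRUNCATED_FILE, &d, &n);
    printf("truncated: rc=%d\n", rc);
    return 0;
}
```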





Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Gerd Hoffmann 1 year, 3 months ago
On Wed, Jan 18, 2023 at 12:07:52PM +0000, Yao, Jiewen wrote:
> Hey Ard
> I am worried about the CI for ArmVirtPkg.
> Can we add such ArmVirtPkg build into CI?

CI builds one of the ArmVirtPkg configs (ArmVirtQemu.dsc specifically),
the other ones are not covered right now.

take care,
  Gerd



Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Ard Biesheuvel 1 year, 3 months ago
On Wed, 18 Jan 2023 at 14:43, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> On Wed, Jan 18, 2023 at 12:07:52PM +0000, Yao, Jiewen wrote:
> > Hey Ard
> > I am worried about the CI for ArmVirtPkg.
> > Can we add such ArmVirtPkg build into CI?
>
> CI builds one of the ArmVirtPkg configs (ArmVirtQemu.dsc specifically),
> the other ones are not covered right now.
>

The following platforms are not built by CI:

ArmVirtPkg/ArmVirtQemuKernel.dsc
ArmVirtPkg/ArmVirtKvmTool.dsc
ArmVirtPkg/ArmVirtCloudHv.dsc
ArmVirtPkg/ArmVirtXen.dsc

Maybe Michael can explain whether this can be added easily? I couldn't
quite figure out from the existing scripts whether we can just list
multiple DSCs per package.


Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Yao, Jiewen 1 year, 3 months ago
I think it is feasible.

For example, https://github.com/tianocore/edk2/tree/master/OvmfPkg/PlatformCI includes multiple xxxBuild.py. Each GetDscName() will return different dsc.

But https://github.com/tianocore/edk2/tree/master/ArmVirtPkg/PlatformCI only includes one xxxBuild.py. 

As long as we can adopt same mechanism in OvmfPkg, the ArmVirtPkg can support multiple dsc.
I believe that will help to catch such build issue earlier, if we enable them.

Thank you
Yao, Jiewen



Re: [edk2-devel] [PATCH V3 0/4] Introduce Separate-Fv in OvmfPkg/IntelTdx
Posted by Ard Biesheuvel 1 year, 3 months ago
On Wed, 18 Jan 2023 at 17:41, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>
> I think it is feasible.
>
> For example, https://github.com/tianocore/edk2/tree/master/OvmfPkg/PlatformCI includes multiple xxxBuild.py. Each GetDscName() will return different dsc.
>
> But https://github.com/tianocore/edk2/tree/master/ArmVirtPkg/PlatformCI only includes one xxxBuild.py.
>
> As long as we can adopt same mechanism in OvmfPkg, the ArmVirtPkg can support multiple dsc.
> I believe that will help to catch such build issue earlier, if we enable them.
>

Ah interesting - I didn't realize there are multiple xxxBuild.py
files. I'll try to implement the same for ArmVirtPkg

