From nobody Mon Feb 9 09:09:11 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98608+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98608+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1673911943; cv=none; d=zohomail.com; s=zohoarc; b=VVvIjaMTBLeod3UXEzsEHNrvXutHhamFrMnexAVu+MiqeqqVhfhSXw3yanmBbw+LzzQq2W8Ec6ZFnuUVTDSbMcSRB3MTdN4tUSn/c2Oe8QSBSaiMozhTz5WDIsDJM7KKSkikIP3B88IMrE5gA0njfcDFiDzrUH7ReAnOF0NzvKU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1673911943; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=OtkgLbNL0m6t3g+ZPCu2144vJzGb6pRJ6VnHixYS8bw=; b=EM1qkDbFitquhMc4UzEfEwU5gM3wscWl0OlHg2WEB/tluXo7H0rJuc6ryoIoQjC1SEmVphTvAc8HzS7Fs8HiU4ntVdZQ1MN9jYEMVhtYwwTlQ1sHst467YNLtkGrbixX0UxLTsiyRKgf4kzGzVB7lr6k90WK3S2mUU/fgGiRqIY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98608+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1673911943066279.1016313199249; Mon, 16 Jan 2023 15:32:23 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id MXQxYY1788612xlcXGLBg3sf; Mon, 16 Jan 2023 15:32:22 -0800 X-Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mx.groups.io with SMTP id smtpd.web10.183457.1673911935704512234 for ; Mon, 16 Jan 2023 15:32:22 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10592"; a="312432529" X-IronPort-AV: E=Sophos;i="5.97,222,1669104000"; d="scan'208";a="312432529" X-Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Jan 2023 15:32:21 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10592"; a="987930940" X-IronPort-AV: E=Sophos;i="5.97,222,1669104000"; d="scan'208";a="987930940" X-Received: from huiyanxi-mobl.ccr.corp.intel.com (HELO mxu9-mobl1.ccr.corp.intel.com) ([10.254.211.139]) by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Jan 2023 15:32:19 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Gerd Hoffmann , Erdem Aktas , James Bottomley , Jiewen Yao , Tom Lendacky Subject: [edk2-devel] [PATCH V3 3/4] OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf Date: Tue, 17 Jan 2023 07:31:57 +0800 Message-Id: <20230116233158.1268-4-min.m.xu@intel.com> In-Reply-To: <20230116233158.1268-1-min.m.xu@intel.com> References: <20230116233158.1268-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: v3hHmEE4vyGgeZmxunOPsL1Ux1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1673911942; bh=EcZYapaRDRFuuZgm2nPVxmvlQxF+I/K2Hnu3Ix0Awq0=; h=Cc:Date:From:Reply-To:Subject:To; b=aRQ2KTgfTpGpBl1fu6nYr8G7c3uxwA5Kog7VAeOTHNhEnWhNkjBCrUkkF9PNvnHUNml YxO91zdYtZ4UDht/PqksAjq/+HDtM/5DsWXKEqzJ+uI8AGBds4cYf+0HQpfLpmGaUvyGZ oZ6gro7d2oaYFDuUw6cwpAFWFr+qsr3Zp6s= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1673911945049100014 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4152 In current DXE FV there are 100+ drivers. Some of the drivers are not used in Td guest. (Such as USB support drivers, network related drivers, etc). From the security perspective if a driver is not used, we'd should prevent it from being loaded / started. There are 2 benefits: 1. Reduce the attack surface 2. Improve the boot performance So we separate DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which are not needed by a Confidential Computing guest are moved from DXEFV to NCCFV. The following patch will find NCCFV for non-cc guest and build FVHob so that NCCFV drivers can be loaded / started in DXE phase. Cc: Gerd Hoffmann Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Tom Lendacky Signed-off-by: Min Xu --- OvmfPkg/IntelTdx/IntelTdxX64.dsc | 11 ++- OvmfPkg/IntelTdx/IntelTdxX64.fdf | 112 ++++++++++++++++++++----------- 2 files changed, 83 insertions(+), 40 deletions(-) diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX6= 4.dsc index 81511e3556a6..0f1e970fbbb3 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -31,6 +31,11 @@ # DEFINE SECURE_BOOT_ENABLE =3D FALSE =20 + # + # Shell can be useful for debugging but should not be enabled for produc= tion + # + DEFINE BUILD_SHELL =3D TRUE + # # Device drivers # @@ -204,7 +209,9 @@ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseV= ariableFlashInfoLib.inf =20 +!if $(BUILD_SHELL) =3D=3D TRUE ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf +!endif ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip= tLib.inf SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf @@ -720,12 +727,13 @@ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf =20 -!if $(TOOL_CHAIN_TAG) !=3D "XCODE5" +!if $(TOOL_CHAIN_TAG) !=3D "XCODE5" && $(BUILD_SHELL) =3D=3D TRUE OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.in= f { gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE } !endif +!if $(BUILD_SHELL) =3D=3D TRUE ShellPkg/Application/Shell/Shell.inf { ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellComman= dLib.inf @@ -744,6 +752,7 @@ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX6= 4.fdf index a57bbcee8986..73dffc104301 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf +++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf @@ -97,10 +97,14 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPk= gTokenSpaceGuid.PcdOvmfCp 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 -0x100000|0xC00000 +0x100000|0x700000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.= PcdOvmfDxeMemFvSize FV =3D DXEFV =20 +0x800000|0x500000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeNonCcFvBase|gUefiOvmfPkgTokenSpaceGui= d.PcdOvmfDxeNonCcFvSize +FV =3D NCCFV + ##########################################################################= ################ # Set the SEV-ES specific work area PCDs # @@ -183,7 +187,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf =20 INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf -INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf =20 INF UefiCpuPkg/CpuDxe/CpuDxe.inf @@ -201,17 +204,6 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRe= alTimeClockRuntimeDxe.inf INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf -INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf -INF OvmfPkg/VirtioRngDxe/VirtioRng.inf -!if $(PVSCSI_ENABLE) =3D=3D TRUE -INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf -!endif -!if $(MPT_SCSI_ENABLE) =3D=3D TRUE -INF OvmfPkg/MptScsiDxe/MptScsiDxe.inf -!endif -!if $(LSI_SCSI_ENABLE) =3D=3D TRUE -INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf -!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon= figDxe.inf @@ -222,19 +214,14 @@ INF MdeModulePkg/Universal/MonotonicCounterRuntimeDx= e/MonotonicCounterRuntimeDx INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf INF MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf INF MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf -INF MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.= inf INF MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf -INF MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.= inf INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf INF MdeModulePkg/Application/UiApp/UiApp.inf INF OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf INF MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf -INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf -INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf -INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf INF OvmfPkg/SataControllerDxe/SataControllerDxe.inf INF MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf INF MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf @@ -242,34 +229,94 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe= .inf INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf -INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe= .inf =20 INF OvmfPkg/SioBusDxe/SioBusDxe.inf INF MdeModulePkg/Bus/Pci/PciSioSerialDxe/PciSioSerialDxe.inf -INF MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KeyboardDxe.inf =20 INF MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf INF OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.inf =20 INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf INF OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf + +INF FatPkg/EnhancedFatDxe/Fat.inf +INF OvmfPkg/TdxDxe/TdxDxe.inf + +INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf + +# +# Variable driver stack (non-SMM) +# +INF OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf +INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf +INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf +INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + +# +# EFI_CC_MEASUREMENT_PROTOCOL +# +INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf + +##########################################################################= ###### + +[FV.NCCFV] +FvForceRebase =3D FALSE +FvNameGuid =3D AE047C6D-BCE9-426C-AE03-A68E3B8A0488 +BlockSize =3D 0x10000 +FvAlignment =3D 16 +ERASE_POLARITY =3D 1 +MEMORY_MAPPED =3D TRUE +STICKY_WRITE =3D TRUE +LOCK_CAP =3D TRUE +LOCK_STATUS =3D TRUE +WRITE_DISABLED_CAP =3D TRUE +WRITE_ENABLED_CAP =3D TRUE +WRITE_STATUS =3D TRUE +WRITE_LOCK_CAP =3D TRUE +WRITE_LOCK_STATUS =3D TRUE +READ_DISABLED_CAP =3D TRUE +READ_ENABLED_CAP =3D TRUE +READ_STATUS =3D TRUE +READ_LOCK_CAP =3D TRUE +READ_LOCK_STATUS =3D TRUE + +# +# DXE Phase modules +# +INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf +INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf +INF OvmfPkg/VirtioRngDxe/VirtioRng.inf +!if $(PVSCSI_ENABLE) =3D=3D TRUE +INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf +!endif +!if $(MPT_SCSI_ENABLE) =3D=3D TRUE +INF OvmfPkg/MptScsiDxe/MptScsiDxe.inf +!endif +!if $(LSI_SCSI_ENABLE) =3D=3D TRUE +INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf +!endif +INF MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.= inf +INF MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.= inf +INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf +INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf +INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe= .inf +INF MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KeyboardDxe.inf INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorD= xe.inf INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphics= ResourceTableDxe.inf - -INF FatPkg/EnhancedFatDxe/Fat.inf INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf =20 -!if $(TOOL_CHAIN_TAG) !=3D "XCODE5" +!if $(BUILD_SHELL) =3D=3D TRUE && $(TOOL_CHAIN_TAG) !=3D "XCODE5" INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand= .inf !endif +!if $(BUILD_SHELL) =3D=3D TRUE INF ShellPkg/Application/Shell/Shell.inf +!endif =20 INF MdeModulePkg/Logo/LogoDxe.inf =20 -INF OvmfPkg/TdxDxe/TdxDxe.inf - # # Usb Support # @@ -285,20 +332,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf INF OvmfPkg/PlatformDxe/Platform.inf -INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf - -# -# Variable driver stack (non-SMM) -# -INF OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf -INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf -INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf -INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf - -# -# EFI_CC_MEASUREMENT_PROTOCOL -# -INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf =20 ##########################################################################= ###### =20 @@ -329,6 +362,7 @@ FILE FV_IMAGE =3D 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { # compression operation in order to achieve better overall compressio= n. # SECTION FV_IMAGE =3D DXEFV + SECTION FV_IMAGE =3D NCCFV } } =20 --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98608): https://edk2.groups.io/g/devel/message/98608 Mute This Topic: https://groups.io/mt/96319665/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-