Secure-Boot related variables include the PK/KEK/DB/DBX and they are
stored in NvVarStore (OVMF_VARS.fd). But QEMU command option -pflash is
not supported in Tdx guest. So when Tdx guest is booted,
EmuVariableFvbRuntimeDxe driver is loaded and the NvVarStore is
initialized with empty content. This patch-set is to initialize the
NvVarStore with the content of Configuration FV (CFV).
Before the NvVarStore is initialized with the content of CFV, CFV's
integrity should be validated. So patch #1/2 are imported to do such
validation.
Code: https://github.com/mxu9/edk2/tree/secure-boot.v1
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
*** BLURB HERE ***
Min M Xu (3):
OvmfPkg: Move TdxValidateCfv from PeilessStartupLib to PlatformInitLib
OvmfPkg: Validate Cfv integrity in Tdx guest
OvmfPkg: Initialize NvVarStore with Configuration FV in Td guest
OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c | 19 +++
OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf | 2 +
OvmfPkg/Include/Library/PlatformInitLib.h | 17 ++
OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 153 ------------------
.../PeilessStartupInternal.h | 17 --
OvmfPkg/Library/PlatformInitLib/IntelTdx.c | 153 ++++++++++++++++++
OvmfPkg/Sec/SecMain.c | 8 +
OvmfPkg/Sec/SecMain.inf | 2 +
8 files changed, 201 insertions(+), 170 deletions(-)
--
2.29.2.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90586): https://edk2.groups.io/g/devel/message/90586
Mute This Topic: https://groups.io/mt/91835106/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-