Secure-Boot related variables include the PK/KEK/DB/DBX and they are
stored in NvVarStore (OVMF_VARS.fd). But QEMU command option -pflash is
not supported in Tdx guest. So when Tdx guest is booted,
EmuVariableFvbRuntimeDxe driver is loaded and the NvVarStore is
initialized with empty content. This patch-set is to initialize the
NvVarStore with the content of Configuration FV (CFV).

Before the NvVarStore is initialized with the content of CFV, CFV's
integrity should be validated. So patch #1/2 are imported to do such
validation.

Code: https://github.com/mxu9/edk2/tree/secure-boot.v1

Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

*** BLURB HERE ***

Min M Xu (3):
  OvmfPkg: Move TdxValidateCfv from PeilessStartupLib to PlatformInitLib
  OvmfPkg: Validate Cfv integrity in Tdx guest
  OvmfPkg: Initialize NvVarStore with Configuration FV in Td guest

 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c        |  19 +++
 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf      |   2 +
 OvmfPkg/Include/Library/PlatformInitLib.h     |  17 ++
 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c  | 153 ------------------
 .../PeilessStartupInternal.h                  |  17 --
 OvmfPkg/Library/PlatformInitLib/IntelTdx.c    | 153 ++++++++++++++++++
 OvmfPkg/Sec/SecMain.c                         |   8 +
 OvmfPkg/Sec/SecMain.inf                       |   2 +
 8 files changed, 201 insertions(+), 170 deletions(-)

-- 
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90586): https://edk2.groups.io/g/devel/message/90586
Mute This Topic: https://groups.io/mt/91835106/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-