]> git.proxmox.com Git - mirror_edk2.git/commitdiff
projects / mirror_edk2.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 066d3c8)
OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
authorMin M Xu <min.m.xu@intel.com>
Mon, 16 Jan 2023 23:31:57 +0000 (07:31 +0800)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Wed, 18 Jan 2023 03:04:27 +0000 (03:04 +0000)
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In current DXE FV there are 100+ drivers. Some of the drivers are not
used in Td guest. (Such as USB support drivers, network related drivers,
etc).

From the security perspective if a driver is not used, we'd should prevent
it from being loaded / started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance

So we separate DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which
are not needed by a Confidential Computing guest are moved from DXEFV
to NCCFV.

The following patch will find NCCFV for non-cc guest and build FVHob
so that NCCFV drivers can be loaded / started in DXE phase.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
OvmfPkg/IntelTdx/IntelTdxX64.dsc patch | blob | blame | history
OvmfPkg/IntelTdx/IntelTdxX64.fdf patch | blob | blame | history

diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 81511e3556a6b4b36bc753c296a17048424707e6..0f1e970fbbb3f0deadac88ca7eaa84c438695f92 100644 (file)
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -31,6 +31,11 @@
   #\r
   DEFINE SECURE_BOOT_ENABLE      = FALSE\r
 \r
+  #\r
+  # Shell can be useful for debugging but should not be enabled for production\r
+  #\r
+  DEFINE BUILD_SHELL             = TRUE\r
+\r
   #\r
   # Device drivers\r
   #\r
@@ -204,7 +209,9 @@
   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf\r
   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf\r
 \r
+!if $(BUILD_SHELL) == TRUE\r
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf\r
+!endif\r
   ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf\r
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf\r
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf\r
@@ -720,12 +727,13 @@
   MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf\r
   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf\r
 \r
-!if $(TOOL_CHAIN_TAG) != "XCODE5"\r
+!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE\r
   OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {\r
     <PcdsFixedAtBuild>\r
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE\r
   }\r
 !endif\r
+!if $(BUILD_SHELL) == TRUE\r
   ShellPkg/Application/Shell/Shell.inf {\r
     <LibraryClasses>\r
       ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf\r
@@ -744,6 +752,7 @@
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE\r
       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000\r
   }\r
+!endif\r
 \r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
index a57bbcee89866a743970cf82854c1d43eed6b627..73dffc10430199d91c828c601fd2b0f1ba45ba4f 100644 (file)
--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
@@ -97,10 +97,14 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCp
 0x010000|0x010000\r
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize\r
 \r
-0x100000|0xC00000\r
+0x100000|0x700000\r
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize\r
 FV = DXEFV\r
 \r
+0x800000|0x500000\r
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeNonCcFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeNonCcFvSize\r
+FV = NCCFV\r
+\r
 ##########################################################################################\r
 # Set the SEV-ES specific work area PCDs\r
 #\r
@@ -183,7 +187,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
 \r
 INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf\r
 INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf\r
-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf\r
 INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf\r
 \r
 INF  UefiCpuPkg/CpuDxe/CpuDxe.inf\r
@@ -201,17 +204,6 @@ INF  PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
 INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf\r
 INF  OvmfPkg/Virtio10Dxe/Virtio10.inf\r
 INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf\r
-INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf\r
-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf\r
-!if $(PVSCSI_ENABLE) == TRUE\r
-INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf\r
-!endif\r
-!if $(MPT_SCSI_ENABLE) == TRUE\r
-INF  OvmfPkg/MptScsiDxe/MptScsiDxe.inf\r
-!endif\r
-!if $(LSI_SCSI_ENABLE) == TRUE\r
-INF  OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf\r
-!endif\r
 \r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
@@ -222,19 +214,14 @@ INF  MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDx
 INF  MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r
 INF  MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf\r
 INF  MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf\r
-INF  MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf\r
 INF  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf\r
-INF  MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf\r
 INF  MdeModulePkg/Universal/BdsDxe/BdsDxe.inf\r
 INF  MdeModulePkg/Application/UiApp/UiApp.inf\r
 INF  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf\r
 INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf\r
 INF  MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf\r
 INF  MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf\r
-INF  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf\r
 INF  MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf\r
-INF  MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf\r
-INF  MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf\r
 INF  OvmfPkg/SataControllerDxe/SataControllerDxe.inf\r
 INF  MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf\r
 INF  MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf\r
@@ -242,34 +229,94 @@ INF  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
 INF  MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf\r
 INF  MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf\r
 INF  MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf\r
-INF  MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf\r
 \r
 INF  OvmfPkg/SioBusDxe/SioBusDxe.inf\r
 INF  MdeModulePkg/Bus/Pci/PciSioSerialDxe/PciSioSerialDxe.inf\r
-INF  MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KeyboardDxe.inf\r
 \r
 INF  MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf\r
 INF  OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.inf\r
 \r
 INF  MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf\r
 INF  OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf\r
+\r
+INF  FatPkg/EnhancedFatDxe/Fat.inf\r
+INF OvmfPkg/TdxDxe/TdxDxe.inf\r
+\r
+INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf\r
+\r
+#\r
+# Variable driver stack (non-SMM)\r
+#\r
+INF  OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf\r
+INF  OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf\r
+INF  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf\r
+INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf\r
+\r
+#\r
+# EFI_CC_MEASUREMENT_PROTOCOL\r
+#\r
+INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf\r
+\r
+################################################################################\r
+\r
+[FV.NCCFV]\r
+FvForceRebase      = FALSE\r
+FvNameGuid         = AE047C6D-BCE9-426C-AE03-A68E3B8A0488\r
+BlockSize          = 0x10000\r
+FvAlignment        = 16\r
+ERASE_POLARITY     = 1\r
+MEMORY_MAPPED      = TRUE\r
+STICKY_WRITE       = TRUE\r
+LOCK_CAP           = TRUE\r
+LOCK_STATUS        = TRUE\r
+WRITE_DISABLED_CAP = TRUE\r
+WRITE_ENABLED_CAP  = TRUE\r
+WRITE_STATUS       = TRUE\r
+WRITE_LOCK_CAP     = TRUE\r
+WRITE_LOCK_STATUS  = TRUE\r
+READ_DISABLED_CAP  = TRUE\r
+READ_ENABLED_CAP   = TRUE\r
+READ_STATUS        = TRUE\r
+READ_LOCK_CAP      = TRUE\r
+READ_LOCK_STATUS   = TRUE\r
+\r
+#\r
+# DXE Phase modules\r
+#\r
+INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf\r
+INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf\r
+INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf\r
+!if $(PVSCSI_ENABLE) == TRUE\r
+INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf\r
+!endif\r
+!if $(MPT_SCSI_ENABLE) == TRUE\r
+INF  OvmfPkg/MptScsiDxe/MptScsiDxe.inf\r
+!endif\r
+!if $(LSI_SCSI_ENABLE) == TRUE\r
+INF  OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf\r
+!endif\r
+INF  MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf\r
+INF  MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf\r
+INF  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf\r
+INF  MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf\r
+INF  MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf\r
+INF  MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf\r
+INF  MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KeyboardDxe.inf\r
 INF  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf\r
 INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf\r
 INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf\r
-\r
-INF  FatPkg/EnhancedFatDxe/Fat.inf\r
 INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf\r
 INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf\r
 \r
-!if $(TOOL_CHAIN_TAG) != "XCODE5"\r
+!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"\r
 INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf\r
 !endif\r
+!if $(BUILD_SHELL) == TRUE\r
 INF  ShellPkg/Application/Shell/Shell.inf\r
+!endif\r
 \r
 INF MdeModulePkg/Logo/LogoDxe.inf\r
 \r
-INF OvmfPkg/TdxDxe/TdxDxe.inf\r
-\r
 #\r
 # Usb Support\r
 #\r
@@ -285,20 +332,6 @@ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf\r
 INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf\r
 INF  OvmfPkg/PlatformDxe/Platform.inf\r
-INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf\r
-\r
-#\r
-# Variable driver stack (non-SMM)\r
-#\r
-INF  OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf\r
-INF  OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf\r
-INF  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf\r
-INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf\r
-\r
-#\r
-# EFI_CC_MEASUREMENT_PROTOCOL\r
-#\r
-INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf\r
 \r
 ################################################################################\r
 \r
@@ -329,6 +362,7 @@ FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
      # compression operation in order to achieve better overall compression.\r
      #\r
      SECTION FV_IMAGE = DXEFV\r
+     SECTION FV_IMAGE = NCCFV\r
    }\r
  }\r
 \r
EFI Development Kit II mirror for PVE