I totally agree with you that, from a security perspective, the best idea is to
isolate AMD SEV/Intel TDX from standard OVMF.

Do you want to propose moving AMD SEV support to another SEC?

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Dr. David
> Alan Gilbert
> Sent: Monday, April 12, 2021 4:35 PM
> To: Laszlo Ersek <ler...@redhat.com>
> Cc: Yao, Jiewen <jiewen....@intel.com>; Xu, Min M <min.m...@intel.com>;
> devel@edk2.groups.io; thomas.lenda...@amd.com; j...@linux.ibm.com;
> Brijesh Singh <brijesh.si...@amd.com>; Justen, Jordan L
> <jordan.l.jus...@intel.com>; Ard Biesheuvel <ardb+tianoc...@kernel.org>;
> Paolo Bonzini <pbonz...@redhat.com>; Nathaniel McCallum
> <npmccal...@redhat.com>
> Subject: Re: [edk2-devel] separate OVMF binary for TDX? [was: OvmfPkg:
> Reserve the Secrets and Cpuid page for the SEV-SNP guest]
> 
> * Laszlo Ersek (ler...@redhat.com) wrote:
> > On 04/09/21 15:44, Yao, Jiewen wrote:
> > > Hi Laszlo
> > > Thanks.
> > >
> > > We did provide a separate binary in the beginning - see
> > > https://github.com/tianocore/edk2-staging/tree/TDVF, with the same goal - easy to
> > > maintain and develop. A clean solution, definitely.
> > >
> > > However, we got a requirement to deliver one binary solution together with
> > > 1) normal OVMF, 2) AMD-SEV, 3) Intel-TDX.
> > > Now, we are struggling to merge them......
> > >
> > > For DXE, we hope to isolate TDX driver whenever it is possible.
> > > But we only have one reset vector here. Sigh...
> >
> > Can we please pry a little bit at that "one binary" requirement?
> >
> > Ultimately the "guest bundle" is going to be composed by much
> > higher-level code, I expect (such as some userspace code, written in
> > python or similar); selecting a firmware binary in such an environment
> > is surely easier than handling this "polymorphism" in the most
> > restrictive software environment imaginable (reset vector assembly code
> > in the guest)?
> 
> I think also there's a security argument here; some people like to
> measure security in kloc's; so having your secure boot image as small
> as possible for the environment you're actually running does make some
> sense, which favours the 2 image idea.
> 
> Dave
> 
> > Thanks
> > Laszlo
> --
> Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK