On Mon, 2021-04-12 at 11:54 +0000, Yao, Jiewen wrote: > I totally agree with you that from security perspective, the best > idea to isolate AMD SEV/Intel TDX from standard OVMF.
There's a big difference between building tuned binaries and separating the subsystems entirely. Ideally we don't want customers running images to have to build them differently for Intel or AMD (a bit like how QEMU/KVM hide the VM differences from users), and Confidential Computing shares a huge amount of interface similarity, so we wouldn't want that separated. I think the rule should be that if both Intel and AMD expose a feature in different ways, OVMF tries to expose a uniform API for that feature over two differing implementations. > Do you want to propose move AMD SEV support to another SEC? You mean have an entirely separate SEC for AMD, OVMF and Intel? I really wouldn't do that: much that's in the SEC: page table setup, memory mapping and decompression is common to all of them. This all follows for a lot of the components. To build separate binaries, we just need separate dsc and fdf files. Then I think the goal would be to share as much as possible to avoid duplicating the maintenance and possibly diverging the user API. James -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73960): https://edk2.groups.io/g/devel/message/73960 Mute This Topic: https://groups.io/mt/81969494/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
