Merged https://github.com/tianocore/edk2/pull/2858
> -----Original Message----- > From: Xu, Min M <min.m...@intel.com> > Sent: Wednesday, May 4, 2022 8:14 AM > To: devel@edk2.groups.io > Cc: Xu, Min M <min.m...@intel.com>; Brijesh Singh <brijesh.si...@amd.com>; > Aktas, Erdem <erdemak...@google.com>; Gerd Hoffmann > <kra...@redhat.com>; James Bottomley <j...@linux.ibm.com>; Yao, Jiewen > <jiewen....@intel.com>; Tom Lendacky <thomas.lenda...@amd.com> > Subject: [PATCH V2 1/1] OvmfPkg: Add README for TDVF > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3249 > > Add README for TDVF. > > Cc: Brijesh Singh <brijesh.si...@amd.com> > Cc: Erdem Aktas <erdemak...@google.com> > Cc: Gerd Hoffmann <kra...@redhat.com> > Cc: James Bottomley <j...@linux.ibm.com> > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Tom Lendacky <thomas.lenda...@amd.com> > Signed-off-by: Min Xu <min.m...@intel.com> > --- > OvmfPkg/IntelTdx/README | 88 > +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 88 insertions(+) > create mode 100644 OvmfPkg/IntelTdx/README > > diff --git a/OvmfPkg/IntelTdx/README b/OvmfPkg/IntelTdx/README > new file mode 100644 > index 000000000000..20426a4f0bf8 > --- /dev/null > +++ b/OvmfPkg/IntelTdx/README 
> @@ -0,0 +1,88 @@ > +TDVF Overview > +------------- > + > +<b>Intel Trust Domain Extension (TDX)</b> is Intel Architecture extension > +to provide trusted, isolated VM execution by removing CSP software > +(hypervisor etc) from the TCB. <b>TDX Virtual Firmware (TDVF)</b> is an > +EDK II based project to enable UEFI support for TDX based Virtual > +Machines. It provides the capability to launch a TD. > + > +The <b>Intel® TDX Virtual Firmware Design Guide</b> is at > +https://www.intel.com/content/dam/develop/external/us/en/documents/tdx- > virtual-firmware-design-guide-rev-1.01.pdf. > + > +More information can be found at: > +https://www.intel.com/content/www/us/en/developer/articles/technical/intel > -trust-domain-extensions.html > + > + > +Configurations and Features > +---------------------------- > + > +There are 2 configurations for TDVF. > + > +<b>Config-A:</b> > + - Merge the *basic* TDVF feature to existing OvmfX64Pkg.dsc. (Align > + with existing SEV) > + - Threat model: VMM is NOT out of TCB. (We don’t make things worse) > + - The OvmfX64Pkg.dsc includes SEV/TDX/normal OVMF basic boot capability. > + The final binary can run on SEV/TDX/normal OVMF. > + - No changes to existing OvmfPkgX64 image layout. > + - No need to add additional security features if they do not exist today. > + - No need to remove features if they exist today. > + - RTMR is not supported. > + - PEI phase is NOT skipped in either Td or Non-Td. > + > +<b>Config-B:</b> > + - (*) Add a standalone IntelTdx.dsc to a TDX specific directory for a *full* > + feature TDVF.(Align with existing SEV) > + - (*) Threat model: VMM is out of TCB. (We need necessary change to prevent > + attack from VMM) > + - (*) IntelTdx.dsc includes TDX/normal OVMF basic boot capability. The final > + binary can run on TDX/normal OVMF. > + - It might eventually merge with AmdSev.dsc, but NOT at this point of > + time. And we don’t know when it will happen. 
We need sync with AMD in > + the community after both of us think the solutions are mature to merge. > + - Need to add necessary security feature as mandatory requirement, such > + as RTMR based Trusted Boot support. > + - Need to measure the external input from Host VMM, such as TdHob, CFV. > + - Need to measure other external input, such as FW_CFG data, os loader, > + initrd, etc. > + - Need to remove unnecessary attack surfaces, such as network stack. > + > +In current stage, <b>Config-A</b> has been merged into edk2-master branch. > +The corresponding pkg file is OvmfPkg/OvmfPkgX64.dsc. > + > +<b>Config-B</b> is split into several waves. The corresponding pkg file is > +OvmfPkg/IntelTdx/IntelTdxX64.dsc. The features with (*) have been > implemented > +and merged into edk2-master branch. Others are in upstreaming progress. > + > +Build > +------ > +- Build the TDVF (Config-A) target: > +`cd /path/to/edk2` > +`source edksetup.sh` > +`build.sh -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5` > + > +- Build the TDVF (Config-B) target: > +`cd /path/to/edk2` > +`set PACKAGES_PATH=/path/to/edk2/OvmfPkg` > +`source edksetup.sh` > +`build.sh -p OvmfPkg/IntelTdx/IntelTdxX64.dsc -a X64 -t GCC5` > + > +Usage > +----- > + > +Assuming TDX-QEMU/TDX-KVM are already built, one can start a TD virtual > +machine as [launching-td-guest](https://github.com/intel/qemu-tdx/blob/tdx- > qemu-upstream-rfc-v3/docs/system/i386/tdx.rst#launching-a-td-tdx-vm): > + > +`qemu_system_x86 \` > +` -machine ...,confidential-guest-support=tdx0 \` > +` -object tdx-guest,id=tdx0,[sept-ve-disable=off] \` > +` -drive if=pflash,format=raw,unit=0,file=/path/to/OVMF_CODE.fd \` > +` -drive if=pflash,format=raw,unit=1,file=/path/to/OVMF_VARS.fd \` > + > +Note: > +TDX-QEMU/TDX-KVM are still in upstreaming progress. 
Please refer to: > + - kvm : https://github.com/intel/tdx/tree/kvm-upstream > + - qemu : https://github.com/intel/qemu-tdx/blob/tdx-qemu-upstream-rfc-v3 > + > +Once above 2 upstreaming are completed a minimum qemu/kvm version will > be updated here. > -- > 2.29.2.windows.2
View/Reply Online (#89554): https://edk2.groups.io/g/devel/message/89554
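Review bot: The Config-B build steps mix shells and cannot be run as written: `set PACKAGES_PATH=/path/to/edk2/OvmfPkg` is Windows cmd syntax, while `source edksetup.sh` and `build.sh -p OvmfPkg/IntelTdx/IntelTdxX64.dsc -a X64 -t GCC5` only work in a POSIX shell, so that line should read `export PACKAGES_PATH=/path/to/edk2/OvmfPkg`. In the Usage section the invocation starts with `qemu_system_x86`, which is not the QEMU executable name (`qemu-system-x86_64`), and the last `-drive if=pflash,format=raw,unit=1,file=/path/to/OVMF_VARS.fd \` line ends in a continuation backslash with nothing after it. Because the Config-B threat model removes the VMM from the TCB, the README should also say plainly that the bullets without (*) (RTMR-based trusted boot, measuring TdHob/CFV, FW_CFG data, OS loader and initrd, and removing the network stack) are not yet present in IntelTdxX64.dsc, so a reader does not assume the current binary already enforces that threat model.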