BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
In current DXE FV there are 100+ drivers. Some of the drivers are not used in Td guest (such as USB support drivers, network related drivers, etc.). From the security perspective, if a driver is not used, we should prevent it from being loaded/started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance

So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which are not needed by a Confidential Computing guest are moved from DXEFV to NCCFV. When booting a CC guest only the drivers in DXEFV will be loaded and started. For a Non-CC guest both DXEFV and NCCFV drivers will be loaded and started.

Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
Patch#2 adds PCDs/GUID for NCCFV.
Patch#3 moves cc-unused drivers to NCCFV.
Patch#4 updates PeilessStartupLib to find NCCFV for non-cc guest.

Code: https://github.com/mxu9/edk2/tree/Separate-Fv.v3

v3 changes:
 - Rebase the code base to 7cd55f3009.

v2 changes:
 - Move shell from DXEFV to NCCFV.
 - Wrap shell into "!if $(BUILD_SHELL) == TRUE" for consistency with the other ovmf build variants.

Cc: Leif Lindholm <quic_llind...@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
Cc: Abner Chang <abner.ch...@amd.com>
Cc: Daniel Schaefer <g...@danielschaefer.me>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Signed-off-by: Min Xu <min.m...@intel.com>

Min M Xu (4):
  EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
  OvmfPkg: Add PCDs/GUID for NCCFV
  OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
  OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest

 EmbeddedPkg/Include/Library/PrePiLib.h        |  23 ++-
 EmbeddedPkg/Library/PrePiLib/FwVol.c          |  42 ++++--
 EmbeddedPkg/Library/PrePiLib/PrePiLib.c       |   2 +-
 OvmfPkg/IntelTdx/IntelTdxX64.dsc              |  11 +-
 OvmfPkg/IntelTdx/IntelTdxX64.fdf              | 112 ++++++++++-----
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c   | 134 +++++++++++++++++-
 .../PeilessStartupInternal.h                  |   6 +
 .../PeilessStartupLib/PeilessStartupLib.inf   |   1 +
 OvmfPkg/OvmfPkg.dec                           |   3 +
 9 files changed, 275 insertions(+), 59 deletions(-)

--
2.29.2.windows.2