Introduce Separate-Fv in OvmfPkg/IntelTdx #3916

Status: Merged (4 commits, Jan 18, 2023)
Conversation

jyao1 (Contributor) commented Jan 18, 2023

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In current DXE FV there are 100+ drivers. Some of the drivers are not
used in Td guest. (Such as USB support drivers, network related
drivers, etc).

From the security perspective if a driver is not used, we should prevent
it from being loaded/started. There are 2 benefits:

  1. Reduce the attack surface
  2. Improve the boot performance

So we introduce Separate-Fv which separates DXEFV into 2 FVs: DXEFV
and NCCFV. All the drivers which are not needed by a Confidential
Computing guest are moved from DXEFV to NCCFV.

When booting a CC guest only the drivers in DXEFV will be loaded and
started. For a Non-CC guest both DXEFV and NCCFV drivers will be
loaded and started.

Patch#1 updates EmbeddedPkg/PrePiLib with FFS_CHECK_SECTION_HOOK.
Patch#2 adds PCDs/GUID for NCCFV.
Patch#3 moves cc-unused drivers to NCCFV.
Patch#4 updates PeilessStartupLib to find NCCFV for non-cc guest.

Code: https://github.com/mxu9/edk2/tree/Separate-Fv.v3

v3 changes:

v2 changes:

  • Move shell from DXEFV to NCCFV.
  • Wrap shell into "!if $(BUILD_SHELL) == TRUE" for consistency with
    the other ovmf build variants.

Cc: Leif Lindholm quic_llindhol@quicinc.com
Cc: Ard Biesheuvel ardb+tianocore@kernel.org
Cc: Abner Chang abner.chang@amd.com
Cc: Daniel Schaefer git@danielschaefer.me
Cc: Gerd Hoffmann kraxel@redhat.com
Cc: Erdem Aktas erdemaktas@google.com
Cc: James Bottomley jejb@linux.ibm.com
Cc: Jiewen Yao jiewen.yao@intel.com
Cc: Tom Lendacky thomas.lendacky@amd.com
Signed-off-by: Min Xu min.m.xu@intel.com

Min M Xu (4):
EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section
OvmfPkg: Add PCDs/GUID for NCCFV
OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest

EmbeddedPkg/Include/Library/PrePiLib.h | 23 ++-
EmbeddedPkg/Library/PrePiLib/FwVol.c | 42 ++++--
EmbeddedPkg/Library/PrePiLib/PrePiLib.c | 2 +-
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 11 +-
OvmfPkg/IntelTdx/IntelTdxX64.fdf | 112 ++++++++++-----
OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 134 +++++++++++++++++-
.../PeilessStartupInternal.h | 6 +
.../PeilessStartupLib/PeilessStartupLib.inf | 1 +
OvmfPkg/OvmfPkg.dec | 3 +
9 files changed, 275 insertions(+), 59 deletions(-)

EmbeddedPkg/PrePiLib: Add FFS_CHECK_SECTION_HOOK when finding section

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

EmbeddedPkg/PrePiLib provides the service of finding sections based on
the input SectionType. But sometimes there may be multiple sections
with the same SectionType. FFS_CHECK_SECTION_HOOK is a hook which can
be called to do additional check.

Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: Daniel Schaefer <git@danielschaefer.me>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
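The commit above describes the hook only in words. The following is an added example, not code from this patch series or from EDK2: a toy section walker in C that shows the pattern the hook enables. Without a hook, "find section of type X" returns the first match; with a hook, the caller supplies an extra predicate, which is what lets a later stage pick one specific FV (here, an FV-image section carrying a given name GUID) when several sections share a type. The header layout is loosely modelled on an FFS common section header (24-bit size including the header, 1-byte type, 4-byte alignment) but is simplified, and the "16-byte name GUID at the start of the payload" format, the names `NAME_DXEFV`/`NAME_NCCFV`, and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy section header. Assumption: loosely modelled on the FFS common section
   header (24-bit little-endian size that includes the header, 1-byte type,
   sections 4-byte aligned). It is NOT the EDK2 definition, and the payload
   format used below is invented for this example. */
typedef struct {
  uint8_t Size[3];
  uint8_t Type;
} SectionHeader;

enum { SECTION_FV_IMAGE = 0x17, SECTION_RAW = 0x19 };

/* Hook signature: return true to accept a section whose type already matched. */
typedef bool (*SectionCheckHook)(const SectionHeader *Hdr, const void *Context);

static uint32_t SectionSize(const SectionHeader *Hdr) {
  return (uint32_t)Hdr->Size[0] | ((uint32_t)Hdr->Size[1] << 8) |
         ((uint32_t)Hdr->Size[2] << 16);
}

/* Generic walker: first section of Type that the hook accepts. Hook == NULL
   means "accept the first one", i.e. the behaviour a hook is added to refine.
   Every step is bounds-checked against Len so a malformed size field cannot
   make the walker read past the buffer. */
const SectionHeader *FindSection(const uint8_t *Buf, size_t Len, uint8_t Type,
                                 SectionCheckHook Hook, const void *Context) {
  size_t Off = 0;
  while (Off + sizeof(SectionHeader) <= Len) {
    const SectionHeader *Hdr = (const SectionHeader *)(Buf + Off);
    uint32_t Size = SectionSize(Hdr);
    if (Size < sizeof(SectionHeader) || Size > Len - Off) {
      return NULL; /* truncated or malformed section: stop, do not trust it */
    }
    if (Hdr->Type == Type && (Hook == NULL || Hook(Hdr, Context))) {
      return Hdr;
    }
    Off += (Size + 3) & ~(size_t)3; /* sections are 4-byte aligned */
  }
  return NULL;
}

/* Example hook. Assumption for this toy format: an FV_IMAGE payload starts
   with a 16-byte FV name GUID; accept only the FV whose name equals Context. */
static bool FvNameMatches(const SectionHeader *Hdr, const void *Context) {
  if (SectionSize(Hdr) < sizeof(SectionHeader) + 16) return false;
  return memcmp((const uint8_t *)Hdr + sizeof(SectionHeader), Context, 16) == 0;
}

/* Byte offset of the FV_IMAGE section named Name, or -1 if absent. */
int FindFvByName(const uint8_t *Buf, size_t Len, const uint8_t Name[16]) {
  const SectionHeader *Hdr =
      FindSection(Buf, Len, SECTION_FV_IMAGE, FvNameMatches, Name);
  return Hdr ? (int)((const uint8_t *)Hdr - Buf) : -1;
}

/* Constructed sample names (arbitrary bytes, not real EDK2 GUIDs). */
const uint8_t NAME_DXEFV[16]   = {0xd1, 0x01, 0x02, 0x03, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
const uint8_t NAME_NCCFV[16]   = {0xcc, 0x01, 0x02, 0x03, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
const uint8_t NAME_UNKNOWN[16] = {0xee, 0x01, 0x02, 0x03, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

uint8_t gStream[64]; /* constructed section stream, filled by BuildSampleStream */

static size_t PutSection(size_t Off, uint8_t Type, const uint8_t *Payload, size_t PayloadLen) {
  uint32_t Size = (uint32_t)(sizeof(SectionHeader) + PayloadLen);
  gStream[Off]     = (uint8_t)Size;
  gStream[Off + 1] = (uint8_t)(Size >> 8);
  gStream[Off + 2] = (uint8_t)(Size >> 16);
  gStream[Off + 3] = Type;
  memcpy(gStream + Off + sizeof(SectionHeader), Payload, PayloadLen);
  return Off + ((Size + 3) & ~3u);
}

/* Two FV_IMAGE sections of the same type, separated by a RAW section, so that
   "first FV_IMAGE" and "the FV_IMAGE named NCCFV" are different answers. */
size_t BuildSampleStream(void) {
  static const uint8_t Raw[3] = {1, 2, 3};
  memset(gStream, 0, sizeof gStream);
  size_t Off = PutSection(0, SECTION_FV_IMAGE, NAME_DXEFV, 16); /* offset 0, 20 bytes */
  Off = PutSection(Off, SECTION_RAW, Raw, sizeof Raw);         /* offset 20, 7 bytes padded to 8 */
  Off = PutSection(Off, SECTION_FV_IMAGE, NAME_NCCFV, 16);     /* offset 28, 20 bytes */
  return Off;                                                  /* total 48 */
}

int main(void) {
  size_t Len = BuildSampleStream();
  const SectionHeader *First = FindSection(gStream, Len, SECTION_FV_IMAGE, NULL, NULL);
  printf("no hook: first FV_IMAGE at offset %ld\n", (long)((const uint8_t *)First - gStream));
  printf("hook:    NCCFV at offset %d\n", FindFvByName(gStream, Len, NAME_NCCFV));
  printf("hook:    unknown name -> %d\n", FindFvByName(gStream, Len, NAME_UNKNOWN));
  printf("truncated stream -> %d\n", FindFvByName(gStream, Len - 1, NAME_NCCFV));
  return 0;
}
```

The two things worth carrying over to real firmware code are that the hook keeps the generic walker unchanged while the caller owns the selection rule, and that the walker validates every size field against the remaining length before dereferencing, so a corrupt or truncated FV yields "not found" rather than an out-of-bounds read.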

OvmfPkg: Add PCDs/GUID for NCCFV

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

NCCFV refers to Non-Confidential-Computing-FV. It includes the DXE phase
drivers which are only loaded/started in non-cc guest. Hence the
PCDs / GUID for NCCFV are defined in OvmfPkg.dec.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In current DXE FV there are 100+ drivers. Some of the drivers are not
used in Td guest. (Such as USB support drivers, network related drivers,
etc).

From the security perspective if a driver is not used, we should prevent
it from being loaded / started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance

So we separate DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which
are not needed by a Confidential Computing guest are moved from DXEFV
to NCCFV.

The following patch will find NCCFV for non-cc guest and build FVHob
so that NCCFV drivers can be loaded / started in DXE phase.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

OvmfPkg/PeilessStartupLib: Find NCCFV in non-td guest

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

As described in BZ#4152, NCCFV includes the DXE phase drivers for non-cc
guest. PeilessStartupLib is updated to find NCCFV for non-cc guest.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
jyao1 added the "push" label (auto push patch series in PR if all checks pass), Jan 18, 2023.
mergify bot merged commit 70d1481 into tianocore:master, Jan 18, 2023.
jyao1 deleted the patch branch, January 18, 2023 03:04.