OvmfPkg/OvmfPkgX64: Set default value of CC_MEASUREMENT_ENABLE to TRUE

CC_MEASUREMENT_ENABLE is designed to control the loading of TdTcg2Dxe driver which is for EFI_CC_MEASUREMENT_PROTOCOL. TdTcg2Dxe is TD-Guest specific driver. From the security perspective a TD-Guest shall always load the TdTcg2Dxe driver so that EFI_CC_MEASUREMENT_PROTOCOL is installed and booting events are measured and extended to RTMRs. TdTcg2Dxe will check if it is running in a TD-Guest. If not then it returns right now and no EFI_CC_MEASUREMENT_PROTOCOL is installed. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Michael Roth <michael.roth@amd.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
2025-07-28 16:14:04 +02:00 · 2024-07-10 21:05:53 -04:00 · 2024-07-10 21:05:53 -04:00 · 2b6d0eb434
commit 2b6d0eb434
parent 2e7230f1ba
2 changed files with 3 additions and 3 deletions
--- a/OvmfPkg/IntelTdx/README.md
+++ b/OvmfPkg/IntelTdx/README.md
@ -61,8 +61,8 @@ Build
 cd /path/to/edk2
 source edksetup.sh
-## without CC_MEASUREMENT enabled
+## CC_MEASUREMENT disabled
-build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -b RELEASE
+build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -D CC_MEASUREMENT_ENABLE=FALSE -b RELEASE
 ## CC_MEASUREMENT enabled
 build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -D CC_MEASUREMENT_ENABLE=TRUE -b RELEASE
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@ -32,7 +32,7 @@
  DEFINE SECURE_BOOT_ENABLE      = FALSE
  DEFINE SMM_REQUIRE             = FALSE
  DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE CC_MEASUREMENT_ENABLE   = FALSE
+  DEFINE CC_MEASUREMENT_ENABLE   = TRUE
 !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc