OvmfPkg/IntelTdx: Update README

TDVF's README is updated based on the latest feature.
 - RTMR based measurement is supported in OvmfPkgX64 (Config-A)
 - Features of Config-B have all been implemented, such as removing
   unnecessary attack surfaces.

Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Min M Xu 2023-02-03 22:04:25 +08:00 committed by mergify[bot]
parent ff8485179c
commit 9d669016d9

@ -26,17 +26,19 @@ There are 2 configurations for TDVF.
- The OvmfX64Pkg.dsc includes SEV/TDX/normal OVMF basic boot capability. - The OvmfX64Pkg.dsc includes SEV/TDX/normal OVMF basic boot capability.
The final binary can run on SEV/TDX/normal OVMF. The final binary can run on SEV/TDX/normal OVMF.
- No changes to existing OvmfPkgX64 image layout. - No changes to existing OvmfPkgX64 image layout.
- No need to add additional security features if they do not exist today.
- No need to remove features if they exist today. - No need to remove features if they exist today.
- RTMR is not supported.
- PEI phase is NOT skipped in either Td or Non-Td. - PEI phase is NOT skipped in either Td or Non-Td.
- RTMR based measurement is supported.
- External inputs from Host VMM are measured, such as TdHob, CFV.
- Other external inputs are measured, such as FW_CFG data, os loader,
initrd, etc.
<b>Config-B:</b> <b>Config-B:</b>
- (*) Add a standalone IntelTdx.dsc to a TDX specific directory for a *full* - Add a standalone IntelTdx.dsc to a TDX specific directory for a *full*
feature TDVF.(Align with existing SEV) feature TDVF.(Align with existing SEV)
- (*) Threat model: VMM is out of TCB. (We need necessary change to prevent - Threat model: VMM is out of TCB. (We need necessary change to prevent
attack from VMM) attack from VMM)
- (*) IntelTdx.dsc includes TDX/normal OVMF basic boot capability. The final - IntelTdx.dsc includes TDX/normal OVMF basic boot capability. The final
binary can run on TDX/normal OVMF. binary can run on TDX/normal OVMF.
- It might eventually merge with AmdSev.dsc, but NOT at this point of - It might eventually merge with AmdSev.dsc, but NOT at this point of
time. And we don?t know when it will happen. We need sync with AMD in time. And we don?t know when it will happen. We need sync with AMD in
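Review bot: The added Config-A bullets ("RTMR based measurement is supported." and the two "are measured" lines) do not say which boot mode they apply to, although the same list states that the final binary runs on SEV/TDX/normal OVMF. Since RTMR is a TDX measurement register, qualify the bullets, for example "RTMR based measurement is supported when running as a TD guest", and say whether TdHob, CFV, FW_CFG data, OS loader and initrd are measured in the other modes. While this section is being touched, the context line "And we don?t know when it will happen" carries a mis-encoded apostrophe and should read "don't".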
@ -48,13 +50,6 @@ There are 2 configurations for TDVF.
initrd, etc. initrd, etc.
- Need to remove unnecessary attack surfaces, such as network stack. - Need to remove unnecessary attack surfaces, such as network stack.
In current stage, <b>Config-A</b> has been merged into edk2-master branch.
The corresponding pkg file is OvmfPkg/OvmfPkgX64.dsc.
<b>Config-B</b> is split into several waves. The corresponding pkg file is
OvmfPkg/IntelTdx/IntelTdxX64.dsc. The features with (*) have been implemented
and merged into edk2-master branch. Others are in upstreaming progress.
Build Build
------ ------
- Build the TDVF (Config-A) target: - Build the TDVF (Config-A) target:
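Review bot: The unchanged line "Need to remove unnecessary attack surfaces, such as network stack." directly above the deleted status paragraph still reads as outstanding work, while the commit message says the Config-B features, including removal of unnecessary attack surfaces, have all been implemented. Reword it as a completed property, for example "Unnecessary attack surfaces, such as network stack, are removed." The deleted paragraph was also the only place in these hunks that gave the actual package file paths, OvmfPkg/OvmfPkgX64.dsc and OvmfPkg/IntelTdx/IntelTdxX64.dsc; the bullets in the previous hunk say "OvmfX64Pkg.dsc" and "IntelTdx.dsc", so either keep one sentence with the paths or correct the names in the bullets.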