diff options
| author | Min M Xu <min.m.xu@intel.com> | 2023-02-03 22:04:25 +0800 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2023-02-04 13:19:10 +0000 |
| commit | 9d669016d968b0f3e17ce7df16ae51d85b0adfcf (patch) | |
| tree | fcacd909aeb71967fce133cf4c89389d91c574e7 | |
| parent | ff8485179c1cb847bff17725fd95043976108a54 (diff) | |
| download | edk2-9d669016d968b0f3e17ce7df16ae51d85b0adfcf.tar.gz edk2-9d669016d968b0f3e17ce7df16ae51d85b0adfcf.tar.bz2 edk2-9d669016d968b0f3e17ce7df16ae51d85b0adfcf.zip | |
OvmfPkg/IntelTdx: Update README
TDVF's README is updated based on the latest feature.
- RTMR based measurement is supported in OvmfPkgX64 (Config-A)
- Features of Config-B have all been implemented, such as removing
unnecessary attack surfaces.
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
| -rw-r--r-- | OvmfPkg/IntelTdx/README | 19 |
1 files changed, 7 insertions, 12 deletions
diff --git a/OvmfPkg/IntelTdx/README b/OvmfPkg/IntelTdx/README index cc01ebca5c..7307ede78f 100644 --- a/OvmfPkg/IntelTdx/README +++ b/OvmfPkg/IntelTdx/README @@ -26,17 +26,19 @@ There are 2 configurations for TDVF. - The OvmfX64Pkg.dsc includes SEV/TDX/normal OVMF basic boot capability.
The final binary can run on SEV/TDX/normal OVMF.
- No changes to existing OvmfPkgX64 image layout.
- - No need to add additional security features if they do not exist today.
- No need to remove features if they exist today.
- - RTMR is not supported.
- PEI phase is NOT skipped in either Td or Non-Td.
+ - RTMR based measurement is supported.
+ - External inputs from Host VMM are measured, such as TdHob, CFV.
+ - Other external inputs are measured, such as FW_CFG data, os loader,
+ initrd, etc.
<b>Config-B:</b>
- - (*) Add a standalone IntelTdx.dsc to a TDX specific directory for a *full*
+ - Add a standalone IntelTdx.dsc to a TDX specific directory for a *full*
feature TDVF.(Align with existing SEV)
- - (*) Threat model: VMM is out of TCB. (We need necessary change to prevent
+ - Threat model: VMM is out of TCB. (We need necessary change to prevent
attack from VMM)
- - (*) IntelTdx.dsc includes TDX/normal OVMF basic boot capability. The final
+ - IntelTdx.dsc includes TDX/normal OVMF basic boot capability. The final
binary can run on TDX/normal OVMF.
- It might eventually merge with AmdSev.dsc, but NOT at this point of
time. And we don?t know when it will happen. We need sync with AMD in
@@ -48,13 +50,6 @@ There are 2 configurations for TDVF. initrd, etc.
- Need to remove unnecessary attack surfaces, such as network stack.
-In current stage, <b>Config-A</b> has been merged into edk2-master branch.
-The corresponding pkg file is OvmfPkg/OvmfPkgX64.dsc.
-
-<b>Config-B</b> is split into several waves. The corresponding pkg file is
-OvmfPkg/IntelTdx/IntelTdxX64.dsc. The features with (*) have been implemented
-and merged into edk2-master branch. Others are in upstreaming progress.
-
Build
------
- Build the TDVF (Config-A) target:
|