| author | Min M Xu <min.m.xu@intel.com> | 2023-01-17 07:31:57 +0800 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2023-01-18 03:04:27 +0000 |
| commit | c3f4f5a949a9e94bafe081c24dbd4110834b11ea (patch) | |
| tree | 0057b57f71f677bdd47123b129f65a9843e967a3 /OvmfPkg/AmdSev | |
| parent | 066d3c8004e2004c9699ec4c5d6f4fb67ab7d231 (diff) | |
| download | edk2-c3f4f5a949a9e94bafe081c24dbd4110834b11ea.tar.gz | |
OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152
In the current DXE FV there are 100+ drivers. Some of the drivers are not
used in a Td guest (such as USB support drivers, network-related drivers,
etc.).
From the security perspective, if a driver is not used, we should prevent
it from being loaded / started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance
So we separate DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which
are not needed by a Confidential Computing guest are moved from DXEFV
to NCCFV.
The following patch will find NCCFV for a non-CC guest and build an FVHob
so that NCCFV drivers can be loaded / started in the DXE phase.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Diffstat (limited to 'OvmfPkg/AmdSev')
0 files changed, 0 insertions, 0 deletions