OvmfPkg/OvmfPkgX64: Set default value of CC_MEASUREMENT_ENABLE to TRUE

CC_MEASUREMENT_ENABLE is designed to control the loading of TdTcg2Dxe
driver which is for EFI_CC_MEASUREMENT_PROTOCOL. TdTcg2Dxe is TD-Guest
specific driver.

From the security perspective a TD-Guest shall always load the TdTcg2Dxe
driver so that EFI_CC_MEASUREMENT_PROTOCOL is installed and booting
events are measured and extended to RTMRs.

TdTcg2Dxe will check if it is running in a TD-Guest. If not then it
returns right now and no EFI_CC_MEASUREMENT_PROTOCOL is installed.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

2 files changed, 3 insertions, 3 deletions

diff --git a/OvmfPkg/IntelTdx/README.md b/OvmfPkg/IntelTdx/README.md
index c168167c12..6e13c1748e 100644
--- a/OvmfPkg/IntelTdx/README.md
+++ b/OvmfPkg/IntelTdx/README.md
@@ -61,8 +61,8 @@ Build
 cd /path/to/edk2

 source edksetup.sh

 

-## without CC_MEASUREMENT enabled

-build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -b RELEASE

+## CC_MEASUREMENT disabled

+build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -D CC_MEASUREMENT_ENABLE=FALSE -b RELEASE

 

 ## CC_MEASUREMENT enabled

 build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -D CC_MEASUREMENT_ENABLE=TRUE -b RELEASE

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index f131328932..efb0eedb04 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -32,7 +32,7 @@
   DEFINE SECURE_BOOT_ENABLE      = FALSE

   DEFINE SMM_REQUIRE             = FALSE

   DEFINE SOURCE_DEBUG_ENABLE     = FALSE

-  DEFINE CC_MEASUREMENT_ENABLE   = FALSE

+  DEFINE CC_MEASUREMENT_ENABLE   = TRUE

 

 !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc