On November 15, 2022 6:48 PM, Gerd Hoffmann wrote:
> Hi,
>
> > So we separate DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers
> > which are not needed by a Confidential Computing guest are moved from
> > DXEFV to NCCFV.
>
> > INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
> > -INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
>
> Why keep virtio-blk in DXEFV but drop virtio-scsi?
>
> > -INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
> > -INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
>
> These are needed too for virtio-scsi.

That is because virtio-scsi is not needed in Td guest in current stage. So it is moved to NCCFV. If in the future it is needed, VirtioScsi/ScsiBusDxe/ScsiDiskDxe can be moved back to DXEFV.

>
> > +INF FatPkg/EnhancedFatDxe/Fat.inf
> > +INF ShellPkg/Application/Shell/Shell.inf
>
> Why add the shell to DXEFV? Shouldn't this go to NCCFV?

The intention of Separate-Fv is to provide a mechanism that if some DXE phase drivers are not needed by a CC guest, they will be moved to NCCFV. So that (1) reduce attack surface (2) improve boot performance. We call it a minimal but complete cc-guest driver set.

So we are facing a problem that how to define such a minimal but complete cc-guest driver set. The usage scenario changes, the driver set changes. For example if some CSP think Smbios is mandatory, then he can customize his own DXEFV/NCCFV by moving Smbios drivers from NCCFV to DXEFV.

Back to the shell, it can be put in DXEFV or in NCCFV. It depends on the CSP's choice.

>
> Also please wrap this into '!if $(BUILD_SHELL) == TRUE' for consistency with
> the other ovmf build variants.

Thanks for reminder. It will be wrapped in the next version.

>

Thanks
Min
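
Review bot: The `-INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf` removal and the two `-INF MdeModulePkg/Bus/Scsi/...` removals form one dependency group, but nothing in the quoted FDF lines records that, or why virtio-blk stays in DXEFV while virtio-scsi goes. Since the driver split is meant to be customized per deployment, a short comment in the FDF beside these entries that names the group (VirtioScsi, ScsiBusDxe, ScsiDiskDxe) and states the criterion for DXEFV membership would keep someone from moving only one of the three back. The `+INF ShellPkg/Application/Shell/Shell.inf` line also lands in DXEFV with no build guard visible in the quoted lines, which sits against the stated goal of a minimal driver set.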