On Sun, 2021-07-25 at 10:52 +0300, Dov Murik wrote:
> > And I do have one question:
> > May I know what the criteria are to put a SEV module in OvmfPkg\AmdSev
>
> I actually don't know the criteria. What you say sounds reasonable.

The original reason for the AmdSev package was actually for
attestation: The only way to get attested boot using a standard VM
image for SEV and SEV-ES was to pull grub inside the measurement
envelope and have a stripped down hard failing boot path, so if the key
didn't decode the encrypted boot volume for some reason, the whole
thing would fail without revealing the injected secret. This stripped
down hard failing boot path is much easier to construct as a separate
Essentially that means that lots of SEV exists outside the AmdSev
directory and things should only be in it if they're either modified to
support the encrypted volume boot path or are only required by it.
However, this ran into problems when it was decided AmdSev shouldn't
have its own Library, so the modified boot path now lives in
OvmfPkg/Library/PlatformBootManagerLibGrub, so now it's unclear even to
me what the criteria are.