Re: [PATCH v4 00/11] Measured SEV boot with kernel/initrd/cmdline

James Bottomley

On Mon, 2021-07-26 at 00:55 +0000, Yao, Jiewen wrote:
> Hi James
> "However, this ran into problems when it was decided AmdSev shouldn't
> have its own Library."
>
> I am not clear on the history. Would you please clarify why AmdSev
> should not have its own library?

The history predates me. It was already done for the Bhyve package
which also has a modified PlatformBootManagerLib when I came along with
this. However, only having Library in the top level package seems to
be a common edk2 pattern if you run a find.

> It does not look reasonable to me. AmdSev is just a feature. A feature
> may have its own library. We have enough examples.

We do? Running

find . -name Library -print

only turns up


As not following the top level package only pattern.

> Also, the instance name "Grub" is very confusing. I compared
> PlatformBootManagerLib and PlatformBootManagerLibGrub. This is just a
> customized PlatformBootManagerLib.

It's called Grub because it places Grub in the Fv for combined pre-
attestation. Either SEV or TDX could use this (Although TDX looks
likely not to want to).

> For example, XEN feature removing and PIIX4 difference has nothing to
> do with Grub...
>   PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x60), 0x0b); // A
>   PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x61), 0x0b); // B
>   PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x62), 0x0a); // C
>   PciWrite8 (PCI_LIB_ADDRESS (0, 1, 0, 0x63), 0x0a); // D

It's part of the boot path stripping to make sure there's a hard
failure if Grub fails to execute. There's a Bugzilla requiring more of
this because a grub only booting platform library needs fewer
extraneous things which could constitute an attack surface for the
injected secret.

> It is a bit misleading. Can we move the PlatformBootManagerLibGrub to
> AmdSev now?

I think you probably want to ask around older edk2 package maintainers
and see if there's any reason for this pattern, which seems to be
strongly enforced. If no-one can remember, then likely it can be

