Re: [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx

Gerd Hoffmann


So, my judgement is by removing PEI, we can reduce the risk introduce
by PEI Core + PEI Arch PEIM*. Reducing code == Reducing Security Risk.
Yes, PEI Core goes away.

No, PEI Arch PEIM (aka OvmfPkg/PlatformPei) wouldn't go away, you would
only move the code to SEC or DXE phase, the platform initialization has
to happen somewhere.

Moving code to DXE has its problems as outlines by James at length.

Moving code to SEC has its problems too. SEC is a much more restricted
environment. A direct consequence is that you have re-invented
multiprocessor job scheduling (using tdx mailbox) instead of using
standard mp service for parallel accept. I do not account that as
"reducing complexity". And I've not yet seen the other changes you
have done for pei-less tdvf ...

take care,

Join to automatically receive all group messages.