From 2b6d0eb43439891e641750cd5054b1bc3fb40e72 Mon Sep 17 00:00:00 2001
From: Min M Xu
Date: Wed, 10 Jul 2024 21:05:53 -0400
Subject: [PATCH] OvmfPkg/OvmfPkgX64: Set default value of CC_MEASUREMENT_ENABLE to TRUE
CC_MEASUREMENT_ENABLE is designed to control the loading of TdTcg2Dxe driver which is for EFI_CC_MEASUREMENT_PROTOCOL. TdTcg2Dxe is TD-Guest specific driver. From the security perspective a TD-Guest shall always load the TdTcg2Dxe driver so that EFI_CC_MEASUREMENT_PROTOCOL is installed and booting events are measured and extended to RTMRs. TdTcg2Dxe will check if it is running in a TD-Guest. If not then it returns right now and no EFI_CC_MEASUREMENT_PROTOCOL is installed.
Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Erdem Aktas
Cc: Tom Lendacky
Cc: Michael Roth
Signed-off-by: Min Xu
---
 OvmfPkg/IntelTdx/README.md | 4 ++--
 OvmfPkg/OvmfPkgX64.dsc | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/IntelTdx/README.md b/OvmfPkg/IntelTdx/README.md
index c168167c1271..6e13c1748ee3 100644
--- a/OvmfPkg/IntelTdx/README.md
+++ b/OvmfPkg/IntelTdx/README.md
@@ -61,8 +61,8 @@ Build
 cd /path/to/edk2
 source edksetup.sh
-## without CC_MEASUREMENT enabled
-build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -b RELEASE
+## CC_MEASUREMENT disabled
+build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -D CC_MEASUREMENT_ENABLE=FALSE -b RELEASE
 ## CC_MEASUREMENT enabled
 build -p OvmfPkg/OvmfPkgX64.dsc -a X64 -t GCC5 -D CC_MEASUREMENT_ENABLE=TRUE -b RELEASE
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index f13132893284..efb0eedb0459 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -32,7 +32,7 @@
 DEFINE SECURE_BOOT_ENABLE = FALSE
 DEFINE SMM_REQUIRE = FALSE
 DEFINE SOURCE_DEBUG_ENABLE = FALSE
- DEFINE CC_MEASUREMENT_ENABLE = FALSE
+ DEFINE CC_MEASUREMENT_ENABLE = TRUE
 !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc
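Review bot: The `DEFINE CC_MEASUREMENT_ENABLE = TRUE` line in OvmfPkgX64.dsc carries no comment saying why measurement is now on by default or what switching it off costs, and the build still accepts `-D CC_MEASUREMENT_ENABLE=FALSE`. Going by the commit message, an image built that way and booted as a TD guest would not load TdTcg2Dxe, so EFI_CC_MEASUREMENT_PROTOCOL would not be installed and boot events would not be extended to RTMRs. I would put a comment above the line, for example `# TRUE by default: a TD guest needs TdTcg2Dxe so boot events are measured and extended to RTMRs; set FALSE only for images that never run as a TD guest.` The statement that the driver returns early outside a TD guest is not visible in this hunk, so it is worth confirming against the TdTcg2Dxe entry point before relying on it for the non-TDX uses of this DSC.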