versions: Bump OVMF for TDX

Let's update the OVMF for TDX version to what's the latest tested
release of the Intel TDX tools with Kata Containers.

This change requires a newer version of `nasm` than the one provided by
the container used to build the project.  This change will also be
needed for SEV-SNP and was originally done by Alex Carter (thanks!).

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Signed-off-by: Alex Carter <Alex.Carter@ibm.com>

tools/packaging/static-build/ovmf/Dockerfile

@@ -14,9 +14,15 @@ RUN apt-get update && \
         git \
         iasl  \
         make \
-        nasm \
         python \
         python3 \
         python3-distutils \
         uuid-dev && \
-    apt-get clean && rm -rf /var/lib/lists/
+    apt-get clean && rm -rf /var/lib/lists/ && \
+    cd /tmp && curl -fsLO https://www.nasm.us/pub/nasm/releasebuilds/2.15.05/nasm-2.15.05.tar.gz && \
+    tar xf nasm-2.15.05.tar.gz && \
+    cd nasm-2.15.05 && \
+    ./configure && \
+    make -j"$(nproc)" && \
+    make install && \
+    cd /tmp && rm -r nasm-2.15.05*

tools/packaging/static-build/ovmf/build-ovmf.sh

@@ -56,7 +56,7 @@ fi
 info "Building ovmf"
 build_cmd="build -b ${build_target} -t ${toolchain} -a ${architecture} -p ${ovmf_package}"
 if [ "${ovmf_build}" == "tdx" ]; then
-	build_cmd+=" -D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M"
+	build_cmd+=" -D DEBUG_ON_SERIAL_PORT=FALSE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D SECURE_BOOT_ENABLE=TRUE -D TDX_ACCEPT_PAGE_SIZE=2M"
 fi
 
 eval "${build_cmd}"
@@ -70,7 +70,6 @@ if [ "${ovmf_build}" == "tdx" ]; then
 	build_path_arch="${build_path_target_toolchain}/X64"
 	stat "${build_path_fv}/OVMF_CODE.fd"
 	stat "${build_path_fv}/OVMF_VARS.fd"
-	stat "${build_path_arch}/DumpTdxEventLog.efi"
 fi
 
 #need to leave tmp dir
@@ -87,7 +86,6 @@ install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}"
 if [ "${ovmf_build}" == "tdx" ]; then
 	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_CODE.fd ${install_dir}
 	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_VARS.fd ${install_dir}
-	install $build_root/$ovmf_dir/"${build_path_arch}"/DumpTdxEventLog.efi ${install_dir}
 fi
 
 local_dir=${PWD}

tools/packaging/static-build/ovmf/build.sh

@@ -24,11 +24,7 @@ ovmf_package="${ovmf_package:-}"
 package_output_dir="${package_output_dir:-}"
 
 if [ -z "$ovmf_repo" ]; then
-       if [ "${ovmf_build}" == "tdx" ]; then
-	       ovmf_repo=$(get_from_kata_deps "externals.ovmf.tdx.url" "${kata_version}")
-       else
 	ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}")
-       fi
 fi
 
 [ -n "$ovmf_repo" ] || die "failed to get ovmf repo"

versions.yaml

@@ -279,11 +279,11 @@ externals:
       package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
       package_output_dir: "AmdSev"
     tdx:
-      url: "https://github.com/tianocore/edk2-staging"
+      # yamllint disable-line rule:line-length
-      description: "TDVF build needed for TDX measured direct boot."
+      description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww01"
-      version: "2022-tdvf-ww28.5"
+      version: "edk2-stable202211"
-      package: "OvmfPkg/OvmfPkgX64.dsc"
+      package: "OvmfPkg/IntelTdx/IntelTdxX64.dsc"
-      package_output_dir: "OvmfX64"
+      package_output_dir: "IntelTdx"
 
   td-shim:
     description: "Confidential Containers Shim Firmware"