[RFC PATCH 0/7] LIBVIRT: X86: TDX support

Zhenzhong Duan posted 7 patches 2 years, 9 months ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20210618085052.564315-1-zhenzhong.duan@intel.com
There is a newer version of this series
[RFC PATCH 0/7] LIBVIRT: X86: TDX support
Posted by Zhenzhong Duan 2 years, 9 months ago
* What's TDX?
TDX stands for Trust Domain Extensions which isolates VMs from
the virtual-machine manager (VMM)/hypervisor and any other software on
the platform.

To support TDX, multiple software components, not only KVM but also QEMU,
guest Linux and virtual bios, need to be updated. For more details, please
check link[1], there are TDX spec links and public repository link at github
for each software component.

This patchset is another software component to extend libvirt to support TDX,
with which one can start a VM from high level rather than running qemu directly.


* The goal of this RFC patch
The purpose of this post is to get feedback early on high level design issue of
libvirt enhancement for TDX. Referenced much on AMD SEV implementation at link[2].


* Patch organization

- patch 1-2: Support query of TDX capabilities.
- patch 3-6: Add a new xml element 'TrustDomain' for TDX support.
- patch   7: Sure kvmSupportsSecureGuest cache updated.

Using these patches we have successfully booted and tested a guest both with and
without TDX enabled.


[1] https://lkml.org/lkml/2020/11/16/1106
[2] https://github.com/codomania/libvirt/commits/v9

Zhenzhong Duan (7):
  qemu: provide support to query the TDX capabilities
  conf: expose TDX feature in domain capabilities
  conf: introduce TrustDomain element in domain
  qemu: add support to launch TDX guest
  qemu: add support to TDVF firmware loader
  qemu: force special features enabled for TDX guest
  qemu: Check if INTEL Trust Domain Extention support is enabled

 docs/formatdomaincaps.html.in                 |  16 ++++
 docs/schemas/domaincaps.rng                   |   9 ++
 docs/schemas/domaincommon.rng                 |  19 ++++
 src/conf/domain_capabilities.c                |  22 +++++
 src/conf/domain_capabilities.h                |  11 +++
 src/conf/domain_conf.c                        |  90 ++++++++++++++++++
 src/conf/domain_conf.h                        |  16 ++++
 src/conf/virconftypes.h                       |   2 +
 src/libvirt_private.syms                      |   1 +
 src/qemu/qemu_capabilities.c                  |  63 ++++++++++++
 src/qemu/qemu_capabilities.h                  |   1 +
 src/qemu/qemu_command.c                       |  39 ++++++++
 src/qemu/qemu_monitor.c                       |   8 ++
 src/qemu/qemu_monitor.h                       |   3 +
 src/qemu/qemu_monitor_json.c                  |  53 +++++++++++
 src/qemu/qemu_monitor_json.h                  |   3 +
 src/qemu/qemu_validate.c                      |  14 +++
 tests/domaincapsdata/bhyve_basic.x86_64.xml   |   1 +
 tests/domaincapsdata/bhyve_fbuf.x86_64.xml    |   1 +
 tests/domaincapsdata/bhyve_uefi.x86_64.xml    |   1 +
 tests/domaincapsdata/empty.xml                |   1 +
 tests/domaincapsdata/libxl-xenfv.xml          |   1 +
 tests/domaincapsdata/libxl-xenpv.xml          |   1 +
 .../domaincapsdata/qemu_2.11.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml |   1 +
 tests/domaincapsdata/qemu_2.11.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.11.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.12.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml |   1 +
 .../qemu_2.12.0-virt.aarch64.xml              |   1 +
 tests/domaincapsdata/qemu_2.12.0.aarch64.xml  |   1 +
 tests/domaincapsdata/qemu_2.12.0.ppc64.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.4.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.4.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.5.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.5.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.6.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml  |   1 +
 .../qemu_2.6.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_2.6.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_2.6.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_2.6.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.7.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.7.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.7.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.8.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.8.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.8.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.9.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.9.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_2.9.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.9.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.1.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_4.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_5.1.0.sparc.xml     |   1 +
 tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_5.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_6.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_6.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_6.1.0.x86_64.xml    |   1 +
 .../genericxml2xmlindata/trust-domain-tdx.xml |  22 +++++
 tests/genericxml2xmltest.c                    |   1 +
 .../.trust-domain-tdx.xml.swo                 | Bin 0 -> 12288 bytes
 tests/qemuxml2argvdata/trust-domain-tdx.args  |  32 +++++++
 tests/qemuxml2argvdata/trust-domain-tdx.xml   |  37 +++++++
 tests/qemuxml2argvtest.c                      |   3 +
 115 files changed, 557 insertions(+)
 create mode 100644 tests/genericxml2xmlindata/trust-domain-tdx.xml
 create mode 100644 tests/qemuxml2argvdata/.trust-domain-tdx.xml.swo
 create mode 100644 tests/qemuxml2argvdata/trust-domain-tdx.args
 create mode 100644 tests/qemuxml2argvdata/trust-domain-tdx.xml

-- 
2.25.1

Re: [RFC PATCH 0/7] LIBVIRT: X86: TDX support
Posted by Peter Krempa 2 years, 9 months ago
On Fri, Jun 18, 2021 at 16:50:45 +0800, Zhenzhong Duan wrote:
> * What's TDX?
> TDX stands for Trust Domain Extensions which isolates VMs from
> the virtual-machine manager (VMM)/hypervisor and any other software on
> the platform.
> 
> To support TDX, multiple software components, not only KVM but also QEMU,
> guest Linux and virtual bios, need to be updated. For more details, please
> check link[1], there are TDX spec links and public repository link at github
> for each software component.
> 
> This patchset is another software component to extend libvirt to support TDX,
> with which one can start a VM from high level rather than running qemu directly.
> 
> 
> * The goal of this RFC patch
> The purpose of this post is to get feedback early on high level design issue of
> libvirt enhancement for TDX. Referenced much on AMD SEV implementation at link[2].
> 
> 
> * Patch organization
> 
> - patch 1-2: Support query of TDX capabilities.
> - patch 3-6: Add a new xml element 'TrustDomain' for TDX support.
> - patch   7: Sure kvmSupportsSecureGuest cache updated.
> 
> Using these patches we have successfully booted and tested a guest both with and
> without TDX enabled.
> 
> 
> [1] https://lkml.org/lkml/2020/11/16/1106
> [2] https://github.com/codomania/libvirt/commits/v9

Could you please also point to the relevant qemu patches?

The first commit mentions 'query-tdx-capabilities' which is not in qemu
upstream yet.

RE: [RFC PATCH 0/7] LIBVIRT: X86: TDX support
Posted by Duan, Zhenzhong 2 years, 9 months ago
> -----Original Message-----
> From: Peter Krempa <pkrempa@redhat.com>
> Sent: Friday, June 18, 2021 7:07 PM
> To: Duan, Zhenzhong <zhenzhong.duan@intel.com>
> Cc: libvir-list@redhat.com; Yamahata, Isaku <isaku.yamahata@intel.com>;
> Tian, Jun J <jun.j.tian@intel.com>; Qiang, Chenyi <chenyi.qiang@intel.com>
> Subject: Re: [RFC PATCH 0/7] LIBVIRT: X86: TDX support
> 
> On Fri, Jun 18, 2021 at 16:50:45 +0800, Zhenzhong Duan wrote:
> > * What's TDX?
> > TDX stands for Trust Domain Extensions which isolates VMs from the
> > virtual-machine manager (VMM)/hypervisor and any other software on the
> > platform.
> >
> > To support TDX, multiple software components, not only KVM but also
> > QEMU, guest Linux and virtual bios, need to be updated. For more
> > details, please check link[1], there are TDX spec links and public
> > repository link at github for each software component.
> >
> > This patchset is another software component to extend libvirt to
> > support TDX, with which one can start a VM from high level rather than
> > running qemu directly.
> >
> >
> > * The goal of this RFC patch
> > The purpose of this post is to get feedback early on high level design
> > issue of libvirt enhancement for TDX. Referenced much on AMD SEV
> > implementation at link[2].
> >
> >
> > * Patch organization
> >
> > - patch 1-2: Support query of TDX capabilities.
> > - patch 3-6: Add a new xml element 'TrustDomain' for TDX support.
> > - patch   7: Sure kvmSupportsSecureGuest cache updated.
> >
> > Using these patches we have successfully booted and tested a guest both
> > with and without TDX enabled.
> >
> >
> > [1] https://lkml.org/lkml/2020/11/16/1106
> > [2] https://github.com/codomania/libvirt/commits/v9
> 
> Could you please also point to the relevant qemu patches?
> 
> The first commit mentions 'query-tdx-capabilities' which is not in qemu
> upstream yet.
Hi Peter,

Sorry, seems qemu patches link is missed in [1]. List all links below for your reference.

kvm TDX branch: https://github.com/intel/tdx/tree/kvm
TDX guest branch: https://github.com/intel/tdx/tree/guest
TDVF branch: https://github.com/tianocore/edk2-staging/tree/TDVF
qemu TDX branch: https://github.com/intel/qemu-tdx/tree/tdx

Thanks
Zhenzhong


Re: [RFC PATCH 0/7] LIBVIRT: X86: TDX support
Posted by Peter Krempa 2 years, 9 months ago
On Mon, Jun 21, 2021 at 02:14:32 +0000, Duan, Zhenzhong wrote:
> > -----Original Message-----
> > From: Peter Krempa <pkrempa@redhat.com>
> > Sent: Friday, June 18, 2021 7:07 PM
> > To: Duan, Zhenzhong <zhenzhong.duan@intel.com>
> > Cc: libvir-list@redhat.com; Yamahata, Isaku <isaku.yamahata@intel.com>;
> > Tian, Jun J <jun.j.tian@intel.com>; Qiang, Chenyi <chenyi.qiang@intel.com>
> > Subject: Re: [RFC PATCH 0/7] LIBVIRT: X86: TDX support
> > 
> > On Fri, Jun 18, 2021 at 16:50:45 +0800, Zhenzhong Duan wrote:
> > > * What's TDX?
> > > TDX stands for Trust Domain Extensions which isolates VMs from the
> > > virtual-machine manager (VMM)/hypervisor and any other software on the
> > > platform.
> > >
> > > To support TDX, multiple software components, not only KVM but also
> > > QEMU, guest Linux and virtual bios, need to be updated. For more
> > > details, please check link[1], there are TDX spec links and public
> > > repository link at github for each software component.
> > >
> > > This patchset is another software component to extend libvirt to
> > > support TDX, with which one can start a VM from high level rather than
> > > running qemu directly.
> > >
> > >
> > > * The goal of this RFC patch
> > > The purpose of this post is to get feedback early on high level design
> > > issue of libvirt enhancement for TDX. Referenced much on AMD SEV
> > > implementation at link[2].
> > >
> > >
> > > * Patch organization
> > >
> > > - patch 1-2: Support query of TDX capabilities.
> > > - patch 3-6: Add a new xml element 'TrustDomain' for TDX support.
> > > - patch   7: Sure kvmSupportsSecureGuest cache updated.
> > >
> > > Using these patches we have successfully booted and tested a guest both
> > > with and without TDX enabled.
> > >
> > >
> > > [1] https://lkml.org/lkml/2020/11/16/1106
> > > [2] https://github.com/codomania/libvirt/commits/v9
> > 
> > Could you please also point to the relevant qemu patches?
> > 
> > The first commit mentions 'query-tdx-capabilities' which is not in qemu
> > upstream yet.
> Hi Peter,
> 
> Sorry, seems qemu patches link is missed in [1]. List all links below for your reference.
> 
> kvm TDX branch: https://github.com/intel/tdx/tree/kvm
> TDX guest branch: https://github.com/intel/tdx/tree/guest
> TDVF branch: https://github.com/tianocore/edk2-staging/tree/TDVF
> qemu TDX branch: https://github.com/intel/qemu-tdx/tree/tdx

In my quick search I didn't find any reference to those patches on
the qemu-devel mailing list. Please note that libvirt accepts only
features which are supported by the upstream releases [1] of the
hypervisor in question.

Thus if the qemu part indeed wasn't yet posted for review to qemu-devel
you should do so if you want this series to be accepted in libvirt.

[1] Pushed upstream waiting for the next release is okay.

RE: [RFC PATCH 0/7] LIBVIRT: X86: TDX support
Posted by Yamahata, Isaku 2 years, 9 months ago

> -----Original Message-----
> From: Peter Krempa <pkrempa@redhat.com>
> Sent: Monday, June 21, 2021 1:06 AM
> To: Duan, Zhenzhong <zhenzhong.duan@intel.com>
> Cc: libvir-list@redhat.com; Yamahata, Isaku <isaku.yamahata@intel.com>; Tian, Jun J <jun.j.tian@intel.com>; Qiang, Chenyi
> <chenyi.qiang@intel.com>
> Subject: Re: [RFC PATCH 0/7] LIBVIRT: X86: TDX support
...
> > > > Using these patches we have successfully booted and tested a guest both
> > > > with and without TDX enabled.
> > > >
> > > >
> > > > [1] https://lkml.org/lkml/2020/11/16/1106
> > > > [2] https://github.com/codomania/libvirt/commits/v9
> > >
> > > Could you please also point to the relevant qemu patches?
> > >
> > > The first commit mentions 'query-tdx-capabilities' which is not in qemu
> > > upstream yet.
> > Hi Peter,
> >
> > Sorry, seems qemu patches link is missed in [1]. List all links below for your reference.
> >
> > kvm TDX branch: https://github.com/intel/tdx/tree/kvm
> > TDX guest branch: https://github.com/intel/tdx/tree/guest
> > TDVF branch: https://github.com/tianocore/edk2-staging/tree/TDVF
> > qemu TDX branch: https://github.com/intel/qemu-tdx/tree/tdx
> 
> In my quick search I didn't find any reference to those patches on
> the qemu-devel mailing list. Please note that libvirt accepts only
> features which are supported by the upstream releases [1] of the
> hypervisor in question.
> 
> Thus if the qemu part indeed wasn't yet posted for review to qemu-devel
> you should do so if you want this series to be accepted in libvirt.
> 
> [1] Pushed upstream waiting for the next release is okay.

For qemu-devel, here is the reference.
https://lore.kernel.org/qemu-devel/cover.1613188118.git.isaku.yamahata@intel.com/
I'm not sure why lists.nongnu.org search doesn't show result with TDX keyword.

Thanks,
Isaku Yamahata


Re: [RFC PATCH 0/7] LIBVIRT: X86: TDX support
Posted by Peter Krempa 2 years, 9 months ago
On Mon, Jun 21, 2021 at 19:28:26 +0000, Yamahata, Isaku wrote:

[...]

> > > Sorry, seems qemu patches link is missed in [1]. List all links below for your reference.
> > >
> > > kvm TDX branch: https://github.com/intel/tdx/tree/kvm
> > > TDX guest branch: https://github.com/intel/tdx/tree/guest
> > > TDVF branch: https://github.com/tianocore/edk2-staging/tree/TDVF
> > > qemu TDX branch: https://github.com/intel/qemu-tdx/tree/tdx
> > 
> > In my quick search I didn't find any reference to those patches on
> > the qemu-devel mailing list. Please note that libvirt accepts only
> > features which are supported by the upstream releases [1] of the
> > hypervisor in question.
> > 
> > Thus if the qemu part indeed wasn't yet posted for review to qemu-devel
> > you should do so if you want this series to be accepted in libvirt.
> > 
> > [1] Pushed upstream waiting for the next release is okay.
> 
> For qemu-devel, here is the reference.
> https://lore.kernel.org/qemu-devel/cover.1613188118.git.isaku.yamahata@intel.com/
> I'm not sure why lists.nongnu.org search doesn't show result with TDX keyword.

The qemu patchset you've mentioned doesn't seem to correspond entirely
to what this libvirt patchset is adding.

I was looking for the 'query-tdx-capabilities' QMP command which is used
in patch 1 of the libvirt series, but the patchset you've mentioned
doesn't add it at all.

As noted libvirt requires that the features exposed by libvirt are
accepted by upstream qemu before adding support for them, to prevent
maintenance of diverged or non-existing features.
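
The dependency raised in the message above, whether a given QEMU offers the 'query-tdx-capabilities' QMP command at all, can be checked against a monitor with QMP's `query-commands`. The following is an added example, not part of the thread or of the libvirt series; `qmp_has_command`, `fake_monitor` and `probe` are hypothetical names, and the fake monitor with its two command lists is constructed so the exchange runs offline.

```python
import json
import socket
import threading


def qmp_has_command(sock, wanted):
    """Do the QMP handshake on a connected socket and report whether the
    monitor lists `wanted` in its query-commands reply."""
    with sock.makefile("r", encoding="utf-8") as reader:

        def reply():
            # One JSON object per line; asynchronous events are skipped.
            while True:
                line = reader.readline()
                if not line:
                    raise ConnectionError("monitor closed the connection")
                msg = json.loads(line)
                if "event" not in msg:
                    return msg

        def execute(command):
            sock.sendall((json.dumps({"execute": command}) + "\n").encode())
            msg = reply()
            if "error" in msg:
                raise RuntimeError(msg["error"].get("desc", "QMP error"))
            return msg["return"]

        if "QMP" not in reply():          # the server greeting comes first
            raise RuntimeError("peer did not send a QMP greeting")
        execute("qmp_capabilities")       # required before any other command
        return wanted in {c["name"] for c in execute("query-commands")}


def fake_monitor(sock, commands):
    """Constructed stand-in for a QEMU monitor (not a real QEMU)."""
    def send(obj):
        sock.sendall((json.dumps(obj) + "\n").encode())

    with sock, sock.makefile("r", encoding="utf-8") as reader:
        send({"QMP": {"version": {}, "capabilities": []}})
        for line in reader:
            name = json.loads(line).get("execute")
            if name == "qmp_capabilities":
                send({"return": {}})
            elif name == "query-commands":
                send({"return": [{"name": c} for c in commands]})
            else:
                send({"error": {"class": "CommandNotFound",
                                "desc": f"unknown command {name}"}})


def probe(commands, wanted):
    """Run the client against a fake monitor advertising `commands`."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_monitor, args=(server, commands),
                              daemon=True)
    worker.start()
    try:
        return qmp_has_command(client, wanted)
    finally:
        client.close()
        worker.join(timeout=5)


# Constructed command lists, not captured from any QEMU build.
WITHOUT_TDX = ["qmp_capabilities", "query-commands", "query-sev-capabilities"]
WITH_TDX = WITHOUT_TDX + ["query-tdx-capabilities"]

if __name__ == "__main__":
    for label, cmds in (("without TDX command", WITHOUT_TDX),
                        ("with TDX command", WITH_TDX)):
        print(label, "->", probe(cmds, "query-tdx-capabilities"))
```

Against a real QEMU, pass `qmp_has_command` an `AF_UNIX` socket connected to the monitor's QMP socket instead of using `probe`.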