From nobody Mon May 6 13:37:45 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
216.205.24.124 as permitted sender) client-ip=216.205.24.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=intel.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com
with SMTPS id 1626405552612972.1558246736945;
Thu, 15 Jul 2021 20:19:12 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-271-drrspKcZP1qCJVCPxbTTIw-1; Thu, 15 Jul 2021 23:19:09 -0400
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
[10.5.11.13])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 468B31084F54;
Fri, 16 Jul 2021 03:19:03 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 4496E60871;
Fri, 16 Jul 2021 03:19:02 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id 823B24E9F4;
Fri, 16 Jul 2021 03:19:01 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
[10.11.54.6])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 16G3BiNr005873 for ;
Thu, 15 Jul 2021 23:11:45 -0400
Received: by smtp.corp.redhat.com (Postfix)
id CDFEE20B899C; Fri, 16 Jul 2021 03:11:44 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18])
by smtp.corp.redhat.com (Postfix) with ESMTPS id C936020B8999
for ; Fri, 16 Jul 2021 03:11:43 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
[207.211.31.120])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E6464800B35
for ; Fri, 16 Jul 2021 03:11:42 +0000 (UTC)
Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (Using
TLS) by relay.mimecast.com with ESMTP id
us-mta-275-Xvic8ftOPrWqrAlBFvGBKg-1; Thu, 15 Jul 2021 23:11:40 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
15 Jul 2021 20:11:38 -0700
Received: from duan-server-s2600bt.bj.intel.com ([10.240.192.114])
by fmsmga003-auth.fm.intel.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 20:11:35 -0700
X-MC-Unique: drrspKcZP1qCJVCPxbTTIw-1
X-MC-Unique: Xvic8ftOPrWqrAlBFvGBKg-1
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="271779108"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="271779108"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="495774341"
From: Zhenzhong Duan
To: libvir-list@redhat.com
Subject: [RFC PATCH v2 1/8] qemu: Check if INTEL Trust Domain Extention
support is enabled
Date: Fri, 16 Jul 2021 11:10:29 +0800
Message-Id: <20210716031036.189228-2-zhenzhong.duan@intel.com>
In-Reply-To: <20210716031036.189228-1-zhenzhong.duan@intel.com>
References: <20210716031036.189228-1-zhenzhong.duan@intel.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-loop: libvir-list@redhat.com
Cc: isaku.yamahata@intel.com, pkrempa@redhat.com, jun.j.tian@intel.com,
chenyi.qiang@intel.com, phrdina@redhat.com, zhenzhong.duan@intel.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1626405553948100001
Content-Type: text/plain; charset="utf-8"
Implement TDX check in order to generate domain feature capability
correctly in case the availability of the feature changed.
For INTEL TDX the verification is:
- checking if /sys/firmware/tdx_seam/vendor_id contains the
value "0x8086": meaning TDX is enabled in the host kernel.
Signed-off-by: Zhenzhong Duan
---
src/qemu/qemu_capabilities.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 0d93cc2052..9085c0b875 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -4748,6 +4748,24 @@ virQEMUCapsKVMSupportsSecureGuestAMD(void)
}
=20
=20
+/*
+ * Check whether INTEL Trust Domain Extention (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestINTEL(void)
+{
+ g_autofree char *modValue =3D NULL;
+
+ if (virFileReadValueString(&modValue, "/sys/firmware/tdx_seam/vendor_i=
d") < 0)
+ return false;
+
+ if (STRNEQ(modValue,"0x8086"))
+ return false;
+
+ return true;
+}
+
+
/*
* Check whether the secure guest functionality is enabled.
* See the specific architecture function for details on the verifications=
made.
@@ -4761,7 +4779,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
return virQEMUCapsKVMSupportsSecureGuestS390();
=20
if (ARCH_IS_X86(arch))
- return virQEMUCapsKVMSupportsSecureGuestAMD();
+ return virQEMUCapsKVMSupportsSecureGuestAMD() ||
+ virQEMUCapsKVMSupportsSecureGuestINTEL();
=20
return false;
}
--=20
2.25.1
From nobody Mon May 6 13:37:45 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
170.10.133.124 as permitted sender) client-ip=170.10.133.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=intel.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
with SMTPS id 1626405558929841.6494400704723;
Thu, 15 Jul 2021 20:19:18 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-528-I-7dr0-lPTaXWPX6Mo3q8w-1; Thu, 15 Jul 2021 23:19:15 -0400
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
[10.5.11.22])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A7D9A18414A5;
Fri, 16 Jul 2021 03:19:10 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 80D39100EBAD;
Fri, 16 Jul 2021 03:19:10 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id C38821801254;
Fri, 16 Jul 2021 03:19:09 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com
[10.11.54.5])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 16G3C2Wi005920 for ;
Thu, 15 Jul 2021 23:12:02 -0400
Received: by smtp.corp.redhat.com (Postfix)
id 2B2C3113B7C; Fri, 16 Jul 2021 03:12:02 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast05.extmail.prod.ext.rdu2.redhat.com [10.11.55.21])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 260FF113B72
for ; Fri, 16 Jul 2021 03:11:59 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com
[205.139.110.61])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A6FF780015A
for ; Fri, 16 Jul 2021 03:11:59 +0000 (UTC)
Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (Using
TLS) by relay.mimecast.com with ESMTP id
us-mta-464-l9BHS88ONd-tWuT3DNNJlA-1; Thu, 15 Jul 2021 23:11:55 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
15 Jul 2021 20:11:40 -0700
Received: from duan-server-s2600bt.bj.intel.com ([10.240.192.114])
by fmsmga003-auth.fm.intel.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 20:11:38 -0700
X-MC-Unique: I-7dr0-lPTaXWPX6Mo3q8w-1
X-MC-Unique: l9BHS88ONd-tWuT3DNNJlA-1
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="271779111"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="271779111"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="495774348"
From: Zhenzhong Duan
To: libvir-list@redhat.com
Subject: [RFC PATCH v2 2/8] qemu: Add TDX capability
Date: Fri, 16 Jul 2021 11:10:30 +0800
Message-Id: <20210716031036.189228-3-zhenzhong.duan@intel.com>
In-Reply-To: <20210716031036.189228-1-zhenzhong.duan@intel.com>
References: <20210716031036.189228-1-zhenzhong.duan@intel.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5
X-loop: libvir-list@redhat.com
Cc: isaku.yamahata@intel.com, pkrempa@redhat.com, jun.j.tian@intel.com,
chenyi.qiang@intel.com, phrdina@redhat.com, zhenzhong.duan@intel.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1626405559728100001
Content-Type: text/plain; charset="utf-8"
QEMU_CAPS_TDX_GUEST set means TDX supported with this qemu.
Signed-off-by: Chenyi Qiang
Signed-off-by: Zhenzhong Duan
---
src/qemu/qemu_capabilities.c | 2 ++
src/qemu/qemu_capabilities.h | 1 +
2 files changed, 3 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 9085c0b875..6a29ec607a 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -637,6 +637,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
"confidential-guest-support",
"query-display-options",
"s390-pv-guest",
+ "tdx-guest",
);
=20
=20
@@ -1356,6 +1357,7 @@ struct virQEMUCapsStringFlags virQEMUCapsObjectTypes[=
] =3D {
{ "virtio-gpu-gl-pci", QEMU_CAPS_VIRTIO_GPU_GL_PCI },
{ "virtio-vga-gl", QEMU_CAPS_VIRTIO_VGA_GL },
{ "s390-pv-guest", QEMU_CAPS_S390_PV_GUEST },
+ { "tdx-guest", QEMU_CAPS_TDX_GUEST},
};
=20
=20
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index f99bb211e0..2aa38f55e9 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -617,6 +617,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for =
syntax-check */
QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT, /* -machine confidential-=
guest-support */
QEMU_CAPS_QUERY_DISPLAY_OPTIONS, /* 'query-display-options' qmp comman=
d present */
QEMU_CAPS_S390_PV_GUEST, /* -object s390-pv-guest,... */
+ QEMU_CAPS_TDX_GUEST, /* -object tdx-guest,... */
=20
QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags;
--=20
2.25.1
From nobody Mon May 6 13:37:45 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
170.10.133.124 as permitted sender) client-ip=170.10.133.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=intel.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
with SMTPS id 1626405146515731.6405586940215;
Thu, 15 Jul 2021 20:12:26 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-442-9_4lSyKKOcWX8_ybef68nw-1; Thu, 15 Jul 2021 23:12:23 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com
[10.5.11.14])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8E315100B3AF;
Fri, 16 Jul 2021 03:12:18 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 6B1245D9C6;
Fri, 16 Jul 2021 03:12:18 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id 0C65A4A712;
Fri, 16 Jul 2021 03:12:18 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com
[10.11.54.4])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 16G3BrFq005901 for ;
Thu, 15 Jul 2021 23:11:53 -0400
Received: by smtp.corp.redhat.com (Postfix)
id A3FA2209D036; Fri, 16 Jul 2021 03:11:53 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast03.extmail.prod.ext.rdu2.redhat.com [10.11.55.19])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 9FB9C20962CA
for ; Fri, 16 Jul 2021 03:11:50 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com
[205.139.110.61])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9717880270A
for ; Fri, 16 Jul 2021 03:11:50 +0000 (UTC)
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (Using TLS)
by relay.mimecast.com with ESMTP id us-mta-420-ESXM3BkqMoqEj-smtbME7g-1;
Thu, 15 Jul 2021 23:11:46 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
15 Jul 2021 20:11:43 -0700
Received: from duan-server-s2600bt.bj.intel.com ([10.240.192.114])
by fmsmga003-auth.fm.intel.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 20:11:40 -0700
X-MC-Unique: 9_4lSyKKOcWX8_ybef68nw-1
X-MC-Unique: ESXM3BkqMoqEj-smtbME7g-1
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="190345519"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="190345519"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="495774363"
From: Zhenzhong Duan
To: libvir-list@redhat.com
Subject: [RFC PATCH v2 3/8] conf: expose TDX feature in domain capabilities
Date: Fri, 16 Jul 2021 11:10:31 +0800
Message-Id: <20210716031036.189228-4-zhenzhong.duan@intel.com>
In-Reply-To: <20210716031036.189228-1-zhenzhong.duan@intel.com>
References: <20210716031036.189228-1-zhenzhong.duan@intel.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-loop: libvir-list@redhat.com
Cc: isaku.yamahata@intel.com, pkrempa@redhat.com, jun.j.tian@intel.com,
chenyi.qiang@intel.com, phrdina@redhat.com, zhenzhong.duan@intel.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1626405148514100001
Content-Type: text/plain; charset="utf-8"
Extend qemu TDX capability to domain capabilities.
Signed-off-by: Chenyi Qiang
Signed-off-by: Zhenzhong Duan
---
docs/formatdomaincaps.html.in | 17 +++++++++++++++++
docs/schemas/domaincaps.rng | 9 +++++++++
src/conf/domain_capabilities.c | 1 +
src/conf/domain_capabilities.h | 1 +
src/qemu/qemu_capabilities.c | 16 ++++++++++++++++
5 files changed, 44 insertions(+)
diff --git a/docs/formatdomaincaps.html.in b/docs/formatdomaincaps.html.in
index 62f1940e6a..3f057af515 100644
--- a/docs/formatdomaincaps.html.in
+++ b/docs/formatdomaincaps.html.in
@@ -570,6 +570,7 @@
<cbitpos>47</cbitpos>
<reduced-phys-bits>1</reduced-phys-bits>
</sev>
+ <tdx supported=3D'yes'/>
</features>
</domainCapabilities>
@@ -635,6 +636,22 @@
a look at SEV in domain=
XML
=20
+
+
+ Trust Domain Extensions(TDX) capabilities are exposed under the
+ tdx
element.
+ TDX is an Intel technology that extends Virtual Machines Extensions (V=
MX)
+ to with a new kind of virtual machine guest called Trust Domain (TD). =
A TD
+ runs in a CPU model which protects the confidentiality of its memory c=
ontents
+ and its CPU state from any other software, including the hosting Virtu=
al Machine
+ Monitor (VMM), unless explicitly shared by the TD itself.
+
+
+ For more details on the TDX feature, please follow resources in the
+ Intel developer's document. In order to use TDX with libvirt have
+ a look at TDX in domain=
XML
+
+
cbitpos
- When memory encryption is enabled, one of the physical address b=
its
diff --git a/docs/schemas/domaincaps.rng b/docs/schemas/domaincaps.rng
index d7ee60dd16..60001b3c43 100644
--- a/docs/schemas/domaincaps.rng
+++ b/docs/schemas/domaincaps.rng
@@ -253,6 +253,9 @@
[
]
+
+ [
+ ]
=20
@@ -307,6 +310,12 @@
=20
+
+
+ [
+ ]
+
+
diff --git a/src/conf/domain_capabilities.c b/src/conf/domain_capabilities.c
index 83d3320980..2380eacde9 100644
--- a/src/conf/domain_capabilities.c
+++ b/src/conf/domain_capabilities.c
@@ -43,6 +43,7 @@ VIR_ENUM_IMPL(virDomainCapsFeature,
"backingStoreInput",
"backup",
"s390-pv",
+ "tdx",
);
=20
static virClass *virDomainCapsClass;
diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h
index 34b9b8a693..cd3f5be472 100644
--- a/src/conf/domain_capabilities.h
+++ b/src/conf/domain_capabilities.h
@@ -180,6 +180,7 @@ typedef enum {
VIR_DOMAIN_CAPS_FEATURE_BACKING_STORE_INPUT,
VIR_DOMAIN_CAPS_FEATURE_BACKUP,
VIR_DOMAIN_CAPS_FEATURE_S390_PV,
+ VIR_DOMAIN_CAPS_FEATURE_TDX,
=20
VIR_DOMAIN_CAPS_FEATURE_LAST
} virDomainCapsFeature;
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 6a29ec607a..e9906a2f32 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -6351,6 +6351,21 @@ virQEMUCapsFillDomainFeatureS390PVCaps(virQEMUCaps *=
qemuCaps,
}
=20
=20
+static void
+virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps,
+ virDomainCaps *domCaps)
+{
+ if (ARCH_IS_X86(qemuCaps->arch)) {
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_S=
UPPORT) &&
+ virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
+ virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
+ domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] =3D VIR_TRISTAT=
E_BOOL_YES;
+ else
+ domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] =3D VIR_TRISTAT=
E_BOOL_NO;
+ }
+}
+
+
int
virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
virArch hostarch,
@@ -6398,6 +6413,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
virQEMUCapsFillDomainFeatureGICCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureSEVCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureS390PVCaps(qemuCaps, domCaps);
+ virQEMUCapsFillDomainFeatureTDXCaps(qemuCaps, domCaps);
=20
return 0;
}
--=20
2.25.1
From nobody Mon May 6 13:37:45 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
170.10.133.124 as permitted sender) client-ip=170.10.133.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=intel.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
with SMTPS id 1626405564455934.3074825198138;
Thu, 15 Jul 2021 20:19:24 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-546-9BhmDiPrOjix2D1X-tMZoQ-1; Thu, 15 Jul 2021 23:19:19 -0400
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
[10.5.11.11])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 4D12018414A2;
Fri, 16 Jul 2021 03:19:14 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 2D27769CB9;
Fri, 16 Jul 2021 03:19:14 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id E9C7A1801257;
Fri, 16 Jul 2021 03:19:13 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com
[10.11.54.3])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 16G3CAY1005938 for ;
Thu, 15 Jul 2021 23:12:10 -0400
Received: by smtp.corp.redhat.com (Postfix)
id 0D2DE117C2F6; Fri, 16 Jul 2021 03:12:10 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast01.extmail.prod.ext.rdu2.redhat.com [10.11.55.17])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 07CE8117C2F4
for ; Fri, 16 Jul 2021 03:12:08 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
[207.211.31.120])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1D2DE858287
for ; Fri, 16 Jul 2021 03:12:08 +0000 (UTC)
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (Using TLS)
by relay.mimecast.com with ESMTP id us-mta-483-TFVvhBiGPWa6MjmGU2-A7Q-1;
Thu, 15 Jul 2021 23:12:03 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
15 Jul 2021 20:11:59 -0700
Received: from duan-server-s2600bt.bj.intel.com ([10.240.192.114])
by fmsmga003-auth.fm.intel.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 20:11:43 -0700
X-MC-Unique: 9BhmDiPrOjix2D1X-tMZoQ-1
X-MC-Unique: TFVvhBiGPWa6MjmGU2-A7Q-1
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="296308774"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="296308774"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="495774397"
From: Zhenzhong Duan
To: libvir-list@redhat.com
Subject: [RFC PATCH v2 4/8] conf: add tdx as launch security type
Date: Fri, 16 Jul 2021 11:10:32 +0800
Message-Id: <20210716031036.189228-5-zhenzhong.duan@intel.com>
In-Reply-To: <20210716031036.189228-1-zhenzhong.duan@intel.com>
References: <20210716031036.189228-1-zhenzhong.duan@intel.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-loop: libvir-list@redhat.com
Cc: isaku.yamahata@intel.com, pkrempa@redhat.com, jun.j.tian@intel.com,
chenyi.qiang@intel.com, phrdina@redhat.com, zhenzhong.duan@intel.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1626405565950100001
Content-Type: text/plain; charset="utf-8"
When 'tdx' is used, the VM will launched with Intel TDX feature enabled.
TDX feature supports running encrypted VM (Trust Domain, TD) under the
control of KVM. A TD runs in a CPU model which protects the
confidentiality of its memory and its CPU state from other software
There is a child element 'policy' and three optional element for tdx type.
In 'policy', bit 0 is used to enable TDX debug, other bits are reserved
currently. mrconfigid, mrowner and mrownerconfig are hex string of 48 * 2
length each.
For example:
0x0001
xxx...xxx
xxx...xxx
xxx...xxx
Signed-off-by: Zhenzhong Duan
---
docs/schemas/domaincommon.rng | 16 ++++++++++++
src/conf/domain_conf.c | 47 +++++++++++++++++++++++++++++++++++
src/conf/domain_conf.h | 9 +++++++
src/conf/virconftypes.h | 2 ++
4 files changed, 74 insertions(+)
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index b81c51728d..fd77601886 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -486,6 +486,7 @@
sev
s390-pv
+ tdx
@@ -519,6 +520,21 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 92ab22d3fd..9510aa7b1f 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1402,6 +1402,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
"",
"sev",
"s390-pv",
+ "tdx",
);
=20
static virClass *virDomainObjClass;
@@ -3502,6 +3503,10 @@ virDomainSecDefFree(virDomainSecDef *def)
g_free(def->data.sev.dh_cert);
g_free(def->data.sev.session);
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ g_free(def->data.tdx.mrconfigid);
+ g_free(def->data.tdx.mrowner);
+ g_free(def->data.tdx.mrownerconfig);
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -14773,6 +14778,29 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
}
=20
=20
+static int
+virDomainTDXDefParseXML(virDomainTDXDef *def,
+ xmlXPathContextPtr ctxt)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt)
+ unsigned long policy;
+
+ if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("failed to get launch security policy for "
+ "launch security type TDX"));
+ return -1;
+ }
+
+ def->policy =3D policy;
+ def->mrconfigid =3D virXPathString("string(./mrconfigid)", ctxt);
+ def->mrowner =3D virXPathString("string(./mrowner)", ctxt);
+ def->mrownerconfig =3D virXPathString("string(./mrownerconfig)", ctxt);
+
+ return 0;
+}
+
+
static virDomainSecDef *
virDomainSecDefParseXML(xmlNodePtr lsecNode,
xmlXPathContextPtr ctxt)
@@ -14792,6 +14820,10 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
if (virDomainSEVDefParseXML(&sec->data.sev, lsecNode, ctxt) < 0)
return NULL;
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ if (virDomainTDXDefParseXML(&sec->data.tdx, ctxt) < 0)
+ return NULL;
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
if ((n =3D virXPathNodeSet("./*", ctxt, NULL)) < 0)
return NULL;
@@ -26932,6 +26964,21 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSec=
Def *sec)
break;
}
=20
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX: {
+ virDomainTDXDef *tdx =3D &sec->data.tdx;
+
+ virBufferAsprintf(&childBuf, "0x%04x\n", tdx->pol=
icy);
+
+ if (tdx->mrconfigid)
+ virBufferEscapeString(&childBuf, "%s\=
n", tdx->mrconfigid);
+ if (tdx->mrowner)
+ virBufferEscapeString(&childBuf, "%s\n", td=
x->mrowner);
+ if (tdx->mrownerconfig)
+ virBufferEscapeString(&childBuf, "%s\n", tdx->mrownerconfig);
+
+ break;
+ }
+
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
break;
=20
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 5c22f252d0..b29045d0c4 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2646,6 +2646,7 @@ typedef enum {
VIR_DOMAIN_LAUNCH_SECURITY_NONE,
VIR_DOMAIN_LAUNCH_SECURITY_SEV,
VIR_DOMAIN_LAUNCH_SECURITY_PV,
+ VIR_DOMAIN_LAUNCH_SECURITY_TDX,
=20
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
} virDomainLaunchSecurity;
@@ -2661,10 +2662,18 @@ struct _virDomainSEVDef {
unsigned int reduced_phys_bits;
};
=20
+struct _virDomainTDXDef {
+ unsigned int policy;
+ char *mrconfigid;
+ char *mrowner;
+ char *mrownerconfig;
+};
+
struct _virDomainSecDef {
virDomainLaunchSecurity sectype;
union {
virDomainSEVDef sev;
+ virDomainTDXDef tdx;
} data;
};
=20
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 21420ba8ea..e920f9a945 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -202,6 +202,8 @@ typedef struct _virDomainResourceDef virDomainResourceD=
ef;
=20
typedef struct _virDomainSEVDef virDomainSEVDef;
=20
+typedef struct _virDomainTDXDef virDomainTDXDef;
+
typedef struct _virDomainSecDef virDomainSecDef;
=20
typedef struct _virDomainShmemDef virDomainShmemDef;
--=20
2.25.1
From nobody Mon May 6 13:37:45 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
170.10.133.124 as permitted sender) client-ip=170.10.133.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=intel.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
with SMTPS id 1626405140958650.4066594354695;
Thu, 15 Jul 2021 20:12:20 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-152-PFpAvUZ1ND-uouqaPOrptA-1; Thu, 15 Jul 2021 23:12:18 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com
[10.5.11.14])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 5DC781835AC4;
Fri, 16 Jul 2021 03:12:13 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 3AC505D9C6;
Fri, 16 Jul 2021 03:12:13 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id 82DAC1809CB2;
Fri, 16 Jul 2021 03:12:11 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com
[10.11.54.3])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 16G3CAiA005939 for ;
Thu, 15 Jul 2021 23:12:10 -0400
Received: by smtp.corp.redhat.com (Postfix)
id 0D3CE117C2F7; Fri, 16 Jul 2021 03:12:10 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 07FFB117C2F5
for ; Fri, 16 Jul 2021 03:12:07 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.81])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
bits)) (No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 91982185A794
for ; Fri, 16 Jul 2021 03:12:07 +0000 (UTC)
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (Using TLS)
by relay.mimecast.com with ESMTP id us-mta-483-wc9fR0cUMxusjqu_KimTOQ-2;
Thu, 15 Jul 2021 23:12:05 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
15 Jul 2021 20:11:59 -0700
Received: from duan-server-s2600bt.bj.intel.com ([10.240.192.114])
by fmsmga003-auth.fm.intel.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 20:11:56 -0700
X-MC-Unique: PFpAvUZ1ND-uouqaPOrptA-1
X-MC-Unique: wc9fR0cUMxusjqu_KimTOQ-2
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="296308775"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="296308775"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="495774416"
From: Zhenzhong Duan
To: libvir-list@redhat.com
Subject: [RFC PATCH v2 5/8] qemu: Add command line and validation for TDX type
Date: Fri, 16 Jul 2021 11:10:33 +0800
Message-Id: <20210716031036.189228-6-zhenzhong.duan@intel.com>
In-Reply-To: <20210716031036.189228-1-zhenzhong.duan@intel.com>
References: <20210716031036.189228-1-zhenzhong.duan@intel.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-loop: libvir-list@redhat.com
Cc: isaku.yamahata@intel.com, pkrempa@redhat.com, jun.j.tian@intel.com,
chenyi.qiang@intel.com, phrdina@redhat.com, zhenzhong.duan@intel.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1626405142496100001
Content-Type: text/plain; charset="utf-8"
QEMU will provides 'tdx-guest' object which is used to launch encrypted
VMs on Intel platform using TDX feature. A typical TDX guest launch
command line looks like:
$QEMU ... \
-object tdx-guest,id=3Dtdx0,debug=3Don \
-machine q35,confidential-guest-support=3Dtdx0,kvm-type=3Dtdx
Signed-off-by: Zhenzhong Duan
---
src/qemu/qemu_command.c | 33 +++++++++++++++++++++++++++++++++
src/qemu/qemu_firmware.c | 1 +
src/qemu/qemu_namespace.c | 1 +
src/qemu/qemu_process.c | 1 +
src/qemu/qemu_validate.c | 10 ++++++++++
5 files changed, 46 insertions(+)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index db78deb122..2bc8173d58 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6979,6 +6979,9 @@ qemuBuildMachineCommandLine(virCommand *cmd,
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
virBufferAddLit(&buf, ",confidential-guest-support=3Dlsec0");
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ virBufferAddLit(&buf, ",confidential-guest-support=3Dlsec0,kvm=
-type=3Dtdx");
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -9897,6 +9900,33 @@ qemuBuildPVCommandLine(virDomainObj *vm, virCommand =
*cmd)
}
=20
=20
+static int
+qemuBuildTDXCommandLine(virDomainObj *vm, virCommand *cmd,
+ virDomainTDXDef *tdx)
+{
+ g_autoptr(virJSONValue) props =3D NULL;
+ g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER;
+ qemuDomainObjPrivate *priv =3D vm->privateData;
+
+ VIR_DEBUG("policy=3D0x%x", tdx->policy);
+
+ if (qemuMonitorCreateObjectProps(&props, "tdx-guest", "lsec0",
+ "B:debug", !!(tdx->policy & 1),
+ "S:mrconfigid", tdx->mrconfigid,
+ "S:mrowner", tdx->mrowner,
+ "S:mrownerconfig", tdx->mrownerconfig,
+ NULL) < 0)
+ return -1;
+
+ if (qemuBuildObjectCommandlineFromJSON(&buf, props, priv->qemuCaps) < =
0)
+ return -1;
+
+ virCommandAddArg(cmd, "-object");
+ virCommandAddArgBuffer(cmd, &buf);
+ return 0;
+}
+
+
static int
qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
virDomainSecDef *sec)
@@ -9911,6 +9941,9 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand =
*cmd,
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
return qemuBuildPVCommandLine(vm, cmd);
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ return qemuBuildTDXCommandLine(vm, cmd, &sec->data.tdx);
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 77c452746f..e144b36f94 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1070,6 +1070,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
}
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 42865a6497..e902f0eecc 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -608,6 +608,7 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
VIR_DEBUG("Set up launch security for SEV");
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index f2a523e4f7..b5324c85a1 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6706,6 +6706,7 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainO=
bj *vm)
case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
return qemuProcessPrepareSEVGuestInput(vm);
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 7482bedee6..309d48e62f 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1234,6 +1234,16 @@ qemuValidateDomainDef(const virDomainDef *def,
return -1;
}
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GU=
EST_SUPPORT) ||
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) ||
+ !virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("INTEL TDX launch security is not support=
ed with "
+ "this QEMU binary"));
+ return -1;
+ }
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
--=20
2.25.1
From nobody Mon May 6 13:37:45 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
216.205.24.124 as permitted sender) client-ip=216.205.24.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=intel.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com
with SMTPS id 1626405566577338.2845979418099;
Thu, 15 Jul 2021 20:19:26 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-387-FtqGjCI9M9yLgJk95rxNYQ-1; Thu, 15 Jul 2021 23:19:23 -0400
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com
[10.5.11.23])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CE759804308;
Fri, 16 Jul 2021 03:19:17 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
by smtp.corp.redhat.com (Postfix) with ESMTPS id A45FA26FA2;
Fri, 16 Jul 2021 03:19:17 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id 7483E4EA37;
Fri, 16 Jul 2021 03:19:17 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
[10.11.54.6])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 16G3CCba005964 for ;
Thu, 15 Jul 2021 23:12:13 -0400
Received: by smtp.corp.redhat.com (Postfix)
id D6E8E20B8999; Fri, 16 Jul 2021 03:12:12 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22])
by smtp.corp.redhat.com (Postfix) with ESMTPS id D16B120B8998
for ; Fri, 16 Jul 2021 03:12:09 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
[205.139.110.120])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 33F7118812C2
for ; Fri, 16 Jul 2021 03:12:09 +0000 (UTC)
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (Using TLS)
by relay.mimecast.com with ESMTP id us-mta-476-Ver-S-UUPqG1JT5okmbSYA-1;
Thu, 15 Jul 2021 23:12:05 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
15 Jul 2021 20:12:01 -0700
Received: from duan-server-s2600bt.bj.intel.com ([10.240.192.114])
by fmsmga003-auth.fm.intel.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 20:11:58 -0700
X-MC-Unique: FtqGjCI9M9yLgJk95rxNYQ-1
X-MC-Unique: Ver-S-UUPqG1JT5okmbSYA-1
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="296308777"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="296308777"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="495774428"
From: Zhenzhong Duan
To: libvir-list@redhat.com
Subject: [RFC PATCH v2 6/8] qemu: force special parameters enabled for TDX
guest
Date: Fri, 16 Jul 2021 11:10:34 +0800
Message-Id: <20210716031036.189228-7-zhenzhong.duan@intel.com>
In-Reply-To: <20210716031036.189228-1-zhenzhong.duan@intel.com>
References: <20210716031036.189228-1-zhenzhong.duan@intel.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-loop: libvir-list@redhat.com
Cc: isaku.yamahata@intel.com, pkrempa@redhat.com, jun.j.tian@intel.com,
chenyi.qiang@intel.com, phrdina@redhat.com, zhenzhong.duan@intel.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1626405567818100003
Content-Type: text/plain; charset="utf-8"
TDX guest requires some special parameters to boot, They are:
"-machine q35-*"
"pic=3Dno"
"kernel_irqchip=3Dsplit"
Signed-off-by: Zhenzhong Duan
---
src/qemu/qemu_command.c | 2 +-
src/qemu/qemu_validate.c | 11 +++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2bc8173d58..c53b0e237d 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6980,7 +6980,7 @@ qemuBuildMachineCommandLine(virCommand *cmd,
virBufferAddLit(&buf, ",confidential-guest-support=3Dlsec0");
break;
case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
- virBufferAddLit(&buf, ",confidential-guest-support=3Dlsec0,kvm=
-type=3Dtdx");
+ virBufferAddLit(&buf, ",confidential-guest-support=3Dlsec0,kvm=
-type=3Dtdx,pic=3Dno");
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 309d48e62f..2cb05dc5b2 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1243,6 +1243,17 @@ qemuValidateDomainDef(const virDomainDef *def,
"this QEMU binary"));
return -1;
}
+ if (!qemuDomainIsQ35(def)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX is supported with q35 machine =
types only"));
+ return -1;
+ }
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_KERNEL_IRQCHIP=
) ||
+ def->features[VIR_DOMAIN_FEATURE_IOAPIC] !=3D VIR_DOMAIN_=
IOAPIC_QEMU) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("INTEL TDX launch security needs split ke=
rnel irqchip"));
+ return -1;
+ }
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
--=20
2.25.1
From nobody Mon May 6 13:37:45 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
170.10.133.124 as permitted sender) client-ip=170.10.133.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=intel.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
with SMTPS id 1626405182812763.3088385184652;
Thu, 15 Jul 2021 20:13:02 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-268-6YhhqE5QPdCVPW15B888HA-1; Thu, 15 Jul 2021 23:12:26 -0400
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
[10.5.11.15])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 22297100B3B2;
Fri, 16 Jul 2021 03:12:21 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
by smtp.corp.redhat.com (Postfix) with ESMTPS id DF70C1ABDF;
Fri, 16 Jul 2021 03:12:20 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id A99E51809CB5;
Fri, 16 Jul 2021 03:12:20 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com
[10.11.54.4])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 16G3CDs9005969 for ;
Thu, 15 Jul 2021 23:12:13 -0400
Received: by smtp.corp.redhat.com (Postfix)
id 4254F209D036; Fri, 16 Jul 2021 03:12:13 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast03.extmail.prod.ext.rdu2.redhat.com [10.11.55.19])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 3DCB820962CA
for ; Fri, 16 Jul 2021 03:12:10 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
[207.211.31.120])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 481BC80D090
for ; Fri, 16 Jul 2021 03:12:10 +0000 (UTC)
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (Using TLS)
by relay.mimecast.com with ESMTP id us-mta-597-9z6Q6uWCM5S6YNp-FlG1Uw-1;
Thu, 15 Jul 2021 23:12:06 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
15 Jul 2021 20:12:03 -0700
Received: from duan-server-s2600bt.bj.intel.com ([10.240.192.114])
by fmsmga003-auth.fm.intel.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 20:12:01 -0700
X-MC-Unique: 6YhhqE5QPdCVPW15B888HA-1
X-MC-Unique: 9z6Q6uWCM5S6YNp-FlG1Uw-1
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="296308781"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="296308781"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="495774444"
From: Zhenzhong Duan
To: libvir-list@redhat.com
Subject: [RFC PATCH v2 7/8] qemu: Add general loader support
Date: Fri, 16 Jul 2021 11:10:35 +0800
Message-Id: <20210716031036.189228-8-zhenzhong.duan@intel.com>
In-Reply-To: <20210716031036.189228-1-zhenzhong.duan@intel.com>
References: <20210716031036.189228-1-zhenzhong.duan@intel.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-loop: libvir-list@redhat.com
Cc: isaku.yamahata@intel.com, pkrempa@redhat.com, jun.j.tian@intel.com,
chenyi.qiang@intel.com, phrdina@redhat.com, zhenzhong.duan@intel.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1626405184379100001
Content-Type: text/plain; charset="utf-8"
Intel TDX requires a general loader to hold its firmware TDVF.
Add new loader type VIR_DOMAIN_LOADER_TYPE_GENERIC and
VIR_DOMAIN_OS_DEF_FIRMWARE_GENERIC to support this feature.
XML looks like:
/path/to/TDVF-binary
Qemu command line looks like:
$QEMU ... \
-device loader,file=3D/path/to/TDVF-binary
Signed-off-by: Zhenzhong Duan
---
docs/schemas/domaincommon.rng | 1 +
src/conf/domain_conf.c | 2 ++
src/conf/domain_conf.h | 2 ++
src/qemu/qemu_capabilities.c | 3 +++
src/qemu/qemu_command.c | 5 +++++
src/qemu/qemu_namespace.c | 1 +
6 files changed, 14 insertions(+)
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index fd77601886..9d0b51ee12 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -319,6 +319,7 @@
rom
pflash
+ generic
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 9510aa7b1f..fbbbe708d4 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1311,6 +1311,7 @@ VIR_ENUM_IMPL(virDomainLoader,
"none",
"rom",
"pflash",
+ "generic",
);
=20
VIR_ENUM_IMPL(virDomainIOAPIC,
@@ -1333,6 +1334,7 @@ VIR_ENUM_IMPL(virDomainOsDefFirmware,
"none",
"bios",
"efi",
+ "generic",
);
=20
VIR_ENUM_IMPL(virDomainOsDefFirmwareFeature,
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index b29045d0c4..99b74683a0 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2163,6 +2163,7 @@ typedef enum {
VIR_DOMAIN_LOADER_TYPE_NONE =3D 0,
VIR_DOMAIN_LOADER_TYPE_ROM,
VIR_DOMAIN_LOADER_TYPE_PFLASH,
+ VIR_DOMAIN_LOADER_TYPE_GENERIC,
=20
VIR_DOMAIN_LOADER_TYPE_LAST
} virDomainLoader;
@@ -2246,6 +2247,7 @@ typedef enum {
VIR_DOMAIN_OS_DEF_FIRMWARE_NONE =3D 0,
VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS =3D VIR_DOMAIN_LOADER_TYPE_ROM,
VIR_DOMAIN_OS_DEF_FIRMWARE_EFI =3D VIR_DOMAIN_LOADER_TYPE_PFLASH,
+ VIR_DOMAIN_OS_DEF_FIRMWARE_GENERIC =3D VIR_DOMAIN_LOADER_TYPE_GENERIC,
=20
VIR_DOMAIN_OS_DEF_FIRMWARE_LAST
} virDomainOsDefFirmware;
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index e9906a2f32..d3c30a17e7 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -5888,6 +5888,9 @@ virQEMUCapsFillDomainLoaderCaps(virDomainCapsLoader *=
capsLoader,
VIR_DOMAIN_CAPS_ENUM_SET(capsLoader->type,
VIR_DOMAIN_LOADER_TYPE_PFLASH);
=20
+ VIR_DOMAIN_CAPS_ENUM_SET(capsLoader->type,
+ VIR_DOMAIN_LOADER_TYPE_GENERIC);
+
=20
VIR_DOMAIN_CAPS_ENUM_SET(capsLoader->readonly,
VIR_TRISTATE_BOOL_YES,
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index c53b0e237d..99812e37d8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9640,6 +9640,11 @@ qemuBuildDomainLoaderCommandLine(virCommand *cmd,
qemuBuldDomainLoaderPflashCommandLine(cmd, loader, qemuCaps);
break;
=20
+ case VIR_DOMAIN_LOADER_TYPE_GENERIC:
+ virCommandAddArg(cmd, "-device");
+ virCommandAddArgFormat(cmd, "loader,file=3D%s", loader->path);
+ break;
+
case VIR_DOMAIN_LOADER_TYPE_NONE:
case VIR_DOMAIN_LOADER_TYPE_LAST:
/* nada */
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index e902f0eecc..aa635b1375 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -569,6 +569,7 @@ qemuDomainSetupLoader(virDomainObj *vm,
if (loader) {
switch ((virDomainLoader) loader->type) {
case VIR_DOMAIN_LOADER_TYPE_ROM:
+ case VIR_DOMAIN_LOADER_TYPE_GENERIC:
*paths =3D g_slist_prepend(*paths, g_strdup(loader->path));
break;
=20
--=20
2.25.1
From nobody Mon May 6 13:37:45 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
170.10.133.124 as permitted sender) client-ip=170.10.133.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=intel.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
with SMTPS id 1626405150543714.3175751072191;
Thu, 15 Jul 2021 20:12:30 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-128-YQXS-F0uO-i4y0NINwMoJg-1; Thu, 15 Jul 2021 23:12:27 -0400
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
[10.5.11.22])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 12EE25074F;
Fri, 16 Jul 2021 03:12:22 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
by smtp.corp.redhat.com (Postfix) with ESMTPS id E1E1110016FD;
Fri, 16 Jul 2021 03:12:21 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id AD57818005A2;
Fri, 16 Jul 2021 03:12:21 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com
[10.11.54.5])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 16G3CBBP005948 for ;
Thu, 15 Jul 2021 23:12:11 -0400
Received: by smtp.corp.redhat.com (Postfix)
id E6D45113B7C; Fri, 16 Jul 2021 03:12:10 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast05.extmail.prod.ext.rdu2.redhat.com [10.11.55.21])
by smtp.corp.redhat.com (Postfix) with ESMTPS id E1DB4113B76
for ; Fri, 16 Jul 2021 03:12:10 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com
[205.139.110.61])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C65B280015A
for ; Fri, 16 Jul 2021 03:12:10 +0000 (UTC)
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (Using TLS)
by relay.mimecast.com with ESMTP id us-mta-476-pXUzq6NrOA2-AlTzyUBCiw-2;
Thu, 15 Jul 2021 23:12:06 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
15 Jul 2021 20:12:05 -0700
Received: from duan-server-s2600bt.bj.intel.com ([10.240.192.114])
by fmsmga003-auth.fm.intel.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 20:12:03 -0700
X-MC-Unique: YQXS-F0uO-i4y0NINwMoJg-1
X-MC-Unique: pXUzq6NrOA2-AlTzyUBCiw-2
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="296308784"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="296308784"
X-IronPort-AV: E=Sophos;i="5.84,244,1620716400"; d="scan'208";a="495774455"
From: Zhenzhong Duan
To: libvir-list@redhat.com
Subject: [RFC PATCH v2 8/8] qemu: Add firmware descriptor support for TDX
Date: Fri, 16 Jul 2021 11:10:36 +0800
Message-Id: <20210716031036.189228-9-zhenzhong.duan@intel.com>
In-Reply-To: <20210716031036.189228-1-zhenzhong.duan@intel.com>
References: <20210716031036.189228-1-zhenzhong.duan@intel.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5
X-loop: libvir-list@redhat.com
Cc: isaku.yamahata@intel.com, pkrempa@redhat.com, jun.j.tian@intel.com,
chenyi.qiang@intel.com, phrdina@redhat.com, zhenzhong.duan@intel.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1626405150981100001
Content-Type: text/plain; charset="utf-8"
Add a firmware descriptor support for TDVF, then libvirt can
auto match TDVF fimware with td-guest.
Signed-off-by: Zhenzhong Duan
---
docs/schemas/domaincommon.rng | 1 +
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_firmware.c | 101 +++++++++++++++++++++++++++++++++-
src/qemu/qemu_validate.c | 7 +++
4 files changed, 108 insertions(+), 3 deletions(-)
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 9d0b51ee12..8232025bf7 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -275,6 +275,7 @@
bios
efi
+ generic
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index d3c30a17e7..a01d4c26db 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -5934,6 +5934,8 @@ virQEMUCapsFillDomainOSCaps(virDomainCapsOS *os,
VIR_DOMAIN_CAPS_ENUM_SET(os->firmware, VIR_DOMAIN_OS_DEF_FIRMWARE_=
BIOS);
if (autoFirmwares & (1ULL << VIR_DOMAIN_OS_DEF_FIRMWARE_EFI))
VIR_DOMAIN_CAPS_ENUM_SET(os->firmware, VIR_DOMAIN_OS_DEF_FIRMWARE_=
EFI);
+ if (autoFirmwares & (1ULL << VIR_DOMAIN_OS_DEF_FIRMWARE_GENERIC))
+ VIR_DOMAIN_CAPS_ENUM_SET(os->firmware, VIR_DOMAIN_OS_DEF_FIRMWARE_=
GENERIC);
=20
if (virQEMUCapsFillDomainLoaderCaps(capsLoader, secure,
firmwaresAlt ? firmwaresAlt : firm=
wares,
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index e144b36f94..28e006eb82 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -84,12 +84,18 @@ struct _qemuFirmwareMappingMemory {
char *filename;
};
=20
+typedef struct _qemuFirmwareMappingGeneric qemuFirmwareMappingGeneric;
+struct _qemuFirmwareMappingGeneric {
+ char *filename;
+};
+
=20
typedef enum {
QEMU_FIRMWARE_DEVICE_NONE =3D 0,
QEMU_FIRMWARE_DEVICE_FLASH,
QEMU_FIRMWARE_DEVICE_KERNEL,
QEMU_FIRMWARE_DEVICE_MEMORY,
+ QEMU_FIRMWARE_DEVICE_GENERIC,
=20
QEMU_FIRMWARE_DEVICE_LAST
} qemuFirmwareDevice;
@@ -101,6 +107,7 @@ VIR_ENUM_IMPL(qemuFirmwareDevice,
"flash",
"kernel",
"memory",
+ "generic",
);
=20
=20
@@ -112,6 +119,7 @@ struct _qemuFirmwareMapping {
qemuFirmwareMappingFlash flash;
qemuFirmwareMappingKernel kernel;
qemuFirmwareMappingMemory memory;
+ qemuFirmwareMappingGeneric generic;
} data;
};
=20
@@ -135,6 +143,7 @@ typedef enum {
QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC,
QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC,
+ QEMU_FIRMWARE_FEATURE_INTEL_TDX,
=20
QEMU_FIRMWARE_FEATURE_LAST
} qemuFirmwareFeature;
@@ -151,7 +160,8 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
"requires-smm",
"secure-boot",
"verbose-dynamic",
- "verbose-static"
+ "verbose-static",
+ "intel-tdx"
);
=20
=20
@@ -213,6 +223,13 @@ qemuFirmwareMappingMemoryFreeContent(qemuFirmwareMappi=
ngMemory *memory)
}
=20
=20
+static void
+qemuFirmwareMappingGenericFreeContent(qemuFirmwareMappingGeneric *generic)
+{
+ g_free(generic->filename);
+}
+
+
static void
qemuFirmwareMappingFreeContent(qemuFirmwareMapping *mapping)
{
@@ -226,6 +243,9 @@ qemuFirmwareMappingFreeContent(qemuFirmwareMapping *map=
ping)
case QEMU_FIRMWARE_DEVICE_MEMORY:
qemuFirmwareMappingMemoryFreeContent(&mapping->data.memory);
break;
+ case QEMU_FIRMWARE_DEVICE_GENERIC:
+ qemuFirmwareMappingGenericFreeContent(&mapping->data.generic);
+ break;
case QEMU_FIRMWARE_DEVICE_NONE:
case QEMU_FIRMWARE_DEVICE_LAST:
break;
@@ -424,6 +444,25 @@ qemuFirmwareMappingMemoryParse(const char *path,
}
=20
=20
+static int
+qemuFirmwareMappingGenericParse(const char *path,
+ virJSONValue *doc,
+ qemuFirmwareMappingGeneric *generic)
+{
+ const char *filename;
+
+ if (!(filename =3D virJSONValueObjectGetString(doc, "filename"))) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("missing 'filename' in '%s'"),
+ path);
+ }
+
+ generic->filename =3D g_strdup(filename);
+
+ return 0;
+}
+
+
static int
qemuFirmwareMappingParse(const char *path,
virJSONValue *doc,
@@ -469,6 +508,10 @@ qemuFirmwareMappingParse(const char *path,
if (qemuFirmwareMappingMemoryParse(path, mapping, &fw->mapping.dat=
a.memory) < 0)
return -1;
break;
+ case QEMU_FIRMWARE_DEVICE_GENERIC:
+ if (qemuFirmwareMappingGenericParse(path, mapping, &fw->mapping.da=
ta.generic) < 0)
+ return -1;
+ break;
=20
case QEMU_FIRMWARE_DEVICE_NONE:
case QEMU_FIRMWARE_DEVICE_LAST:
@@ -740,6 +783,19 @@ qemuFirmwareMappingMemoryFormat(virJSONValue *mapping,
}
=20
=20
+static int
+qemuFirmwareMappingGenericFormat(virJSONValue *mapping,
+ qemuFirmwareMappingGeneric *generic)
+{
+ if (virJSONValueObjectAppendString(mapping,
+ "filename",
+ generic->filename) < 0)
+ return -1;
+
+ return 0;
+}
+
+
static int
qemuFirmwareMappingFormat(virJSONValue *doc,
qemuFirmware *fw)
@@ -764,6 +820,10 @@ qemuFirmwareMappingFormat(virJSONValue *doc,
if (qemuFirmwareMappingMemoryFormat(mapping, &fw->mapping.data.mem=
ory) < 0)
return -1;
break;
+ case QEMU_FIRMWARE_DEVICE_GENERIC:
+ if (qemuFirmwareMappingGenericFormat(mapping, &fw->mapping.data.ge=
neric) < 0)
+ return -1;
+ break;
=20
case QEMU_FIRMWARE_DEVICE_NONE:
case QEMU_FIRMWARE_DEVICE_LAST:
@@ -905,6 +965,7 @@ qemuFirmwareOSInterfaceTypeFromOsDefFirmware(int fw)
case VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS:
return QEMU_FIRMWARE_OS_INTERFACE_BIOS;
case VIR_DOMAIN_OS_DEF_FIRMWARE_EFI:
+ case VIR_DOMAIN_OS_DEF_FIRMWARE_GENERIC:
return QEMU_FIRMWARE_OS_INTERFACE_UEFI;
case VIR_DOMAIN_OS_DEF_FIRMWARE_NONE:
case VIR_DOMAIN_OS_DEF_FIRMWARE_LAST:
@@ -932,6 +993,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
bool supportsSEVES =3D false;
bool supportsSecureBoot =3D false;
bool hasEnrolledKeys =3D false;
+ bool supportsTDX =3D false;
int reqSecureBoot;
int reqEnrolledKeys;
=20
@@ -995,6 +1057,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
hasEnrolledKeys =3D true;
break;
=20
+ case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ supportsTDX =3D true;
+ break;
+
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1069,8 +1135,14 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
return false;
}
break;
- case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ if (!supportsTDX) {
+ VIR_DEBUG("Domain requires TDX, firmware '%s' doesn't supp=
ort it",
+ path);
+ return false;
+ }
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -1093,6 +1165,7 @@ qemuFirmwareEnableFeatures(virQEMUDriver *driver,
const qemuFirmwareMappingFlash *flash =3D &fw->mapping.data.flash;
const qemuFirmwareMappingKernel *kernel =3D &fw->mapping.data.kernel;
const qemuFirmwareMappingMemory *memory =3D &fw->mapping.data.memory;
+ const qemuFirmwareMappingGeneric *generic =3D &fw->mapping.data.generi=
c;
size_t i;
=20
switch (fw->mapping.device) {
@@ -1149,6 +1222,17 @@ qemuFirmwareEnableFeatures(virQEMUDriver *driver,
def->os.loader->path);
break;
=20
+ case QEMU_FIRMWARE_DEVICE_GENERIC:
+ if (!def->os.loader)
+ def->os.loader =3D g_new0(virDomainLoaderDef, 1);
+
+ def->os.loader->type =3D VIR_DOMAIN_LOADER_TYPE_GENERIC;
+ def->os.loader->path =3D g_strdup(generic->filename);
+
+ VIR_DEBUG("decided on loader '%s'",
+ def->os.loader->path);
+ break;
+
case QEMU_FIRMWARE_DEVICE_NONE:
case QEMU_FIRMWARE_DEVICE_LAST:
break;
@@ -1183,6 +1267,7 @@ qemuFirmwareEnableFeatures(virQEMUDriver *driver,
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
+ case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
case QEMU_FIRMWARE_FEATURE_LAST:
break;
}
@@ -1216,6 +1301,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
+ case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
case QEMU_FIRMWARE_FEATURE_LAST:
break;
}
@@ -1411,6 +1497,7 @@ qemuFirmwareGetSupported(const char *machine,
qemuFirmware *fw =3D firmwares[i];
const qemuFirmwareMappingFlash *flash =3D &fw->mapping.data.flash;
const qemuFirmwareMappingMemory *memory =3D &fw->mapping.data.memo=
ry;
+ const qemuFirmwareMappingGeneric *generic =3D &fw->mapping.data.ge=
neric;
const char *fwpath =3D NULL;
const char *nvrampath =3D NULL;
size_t j;
@@ -1421,7 +1508,10 @@ qemuFirmwareGetSupported(const char *machine,
for (j =3D 0; j < fw->ninterfaces; j++) {
switch (fw->interfaces[j]) {
case QEMU_FIRMWARE_OS_INTERFACE_UEFI:
- *supported |=3D 1ULL << VIR_DOMAIN_OS_DEF_FIRMWARE_EFI;
+ if (fw->mapping.device =3D=3D QEMU_FIRMWARE_DEVICE_GENERIC)
+ *supported |=3D 1ULL << VIR_DOMAIN_OS_DEF_FIRMWARE_GEN=
ERIC;
+ else
+ *supported |=3D 1ULL << VIR_DOMAIN_OS_DEF_FIRMWARE_EFI;
break;
case QEMU_FIRMWARE_OS_INTERFACE_BIOS:
*supported |=3D 1ULL << VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS;
@@ -1449,6 +1539,7 @@ qemuFirmwareGetSupported(const char *machine,
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
+ case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
case QEMU_FIRMWARE_FEATURE_LAST:
break;
}
@@ -1464,6 +1555,10 @@ qemuFirmwareGetSupported(const char *machine,
fwpath =3D memory->filename;
break;
=20
+ case QEMU_FIRMWARE_DEVICE_GENERIC:
+ fwpath =3D generic->filename;
+ break;
+
case QEMU_FIRMWARE_DEVICE_KERNEL:
case QEMU_FIRMWARE_DEVICE_NONE:
case QEMU_FIRMWARE_DEVICE_LAST:
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 2cb05dc5b2..ca507868ad 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1254,6 +1254,13 @@ qemuValidateDomainDef(const virDomainDef *def,
_("INTEL TDX launch security needs split ke=
rnel irqchip"));
return -1;
}
+ if ((!def->os.loader ||
+ def->os.loader->type !=3D VIR_DOMAIN_LOADER_TYPE_GENERIC) =
&&
+ def->os.firmware !=3D VIR_DOMAIN_OS_DEF_FIRMWARE_GENERIC) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("INTEL TDX launch security needs generic =
loader type"));
+ return -1;
+ }
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
break;
--=20
2.25.1