1. Patchew
  2. Libvirt
  3. [PATCH rfcv3 00/11] LIBVIRT: X86: TDX support
  4. View patch

[PATCH rfcv3 05/11] qemu: Add command line and validation for TDX type

Zhenzhong Duan posted 11 patches 2 years, 2 months ago
There is a newer version of this series
[PATCH rfcv3 05/11] qemu: Add command line and validation for TDX type
Posted by Zhenzhong Duan 2 years, 2 months ago 
QEMU will provides 'tdx-guest' object which is used to launch encrypted
VMs on Intel platform using TDX feature.

Command line looks like:
$QEMU ... \
  -object tdx-guest,id=lsec0,debug=on,sept-ve-disable=on,mrconfigid=xxx...xxx,mrowner=xxx...xxx,mrownerconfig=xxx...xxx,quote-generation-service=localhost:1234 \
  -machine q35,confidential-guest-support=lsec0

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
---
 src/qemu/qemu_command.c  | 27 +++++++++++++++++++++++++++
 src/qemu/qemu_validate.c |  7 +++++++
 2 files changed, 34 insertions(+)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 89905378e4..45223746f5 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9645,6 +9645,32 @@ qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
 }
 
 
+static int
+qemuBuildTDXCommandLine(virDomainObj *vm, virCommand *cmd,
+                        virDomainTDXDef *tdx)
+{
+    g_autoptr(virJSONValue) props = NULL;
+    qemuDomainObjPrivate *priv = vm->privateData;
+
+    VIR_DEBUG("policy=0x%x", tdx->policy);
+
+    if (qemuMonitorCreateObjectProps(&props, "tdx-guest", "lsec0",
+                                     "B:debug", !!(tdx->policy & 0x1),
+                                     "b:sept-ve-disable", !!(tdx->policy & 0x10000000),
+                                     "S:mrconfigid", tdx->mrconfigid,
+                                     "S:mrowner", tdx->mrowner,
+                                     "S:mrownerconfig", tdx->mrownerconfig,
+                                     "S:quote-generation-service", tdx->QGS,
+                                     NULL) < 0)
+        return -1;
+
+    if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv->qemuCaps) < 0)
+        return -1;
+
+    return 0;
+}
+
+
 static int
 qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
                         virDomainSecDef *sec)
@@ -9660,6 +9686,7 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
         return qemuBuildPVCommandLine(vm, cmd);
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+        return qemuBuildTDXCommandLine(vm, cmd, &sec->data.tdx);
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
         virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index af630796cd..5a9173e8ff 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1323,6 +1323,13 @@ qemuValidateDomainDef(const virDomainDef *def,
             }
             break;
         case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
+                !virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST)) {
+                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                               _("INTEL TDX launch security is not supported with this QEMU binary"));
+                return -1;
+            }
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
         case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
             virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
-- 
2.34.1
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
Re: [PATCH rfcv3 05/11] qemu: Add command line and validation for TDX type
Posted by Daniel P. Berrangé 2 years, 1 month ago 
On Mon, Nov 27, 2023 at 04:55:15PM +0800, Zhenzhong Duan wrote:
> QEMU will provides 'tdx-guest' object which is used to launch encrypted
> VMs on Intel platform using TDX feature.
> 
> Command line looks like:
> $QEMU ... \
>   -object tdx-guest,id=lsec0,debug=on,sept-ve-disable=on,mrconfigid=xxx...xxx,mrowner=xxx...xxx,mrownerconfig=xxx...xxx,quote-generation-service=localhost:1234 \
>   -machine q35,confidential-guest-support=lsec0
> 
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
> ---
>  src/qemu/qemu_command.c  | 27 +++++++++++++++++++++++++++
>  src/qemu/qemu_validate.c |  7 +++++++
>  2 files changed, 34 insertions(+)
> 
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 89905378e4..45223746f5 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -9645,6 +9645,32 @@ qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
>  }
>  
>  
> +static int
> +qemuBuildTDXCommandLine(virDomainObj *vm, virCommand *cmd,
> +                        virDomainTDXDef *tdx)
> +{
> +    g_autoptr(virJSONValue) props = NULL;
> +    qemuDomainObjPrivate *priv = vm->privateData;
> +
> +    VIR_DEBUG("policy=0x%x", tdx->policy);
> +
> +    if (qemuMonitorCreateObjectProps(&props, "tdx-guest", "lsec0",
> +                                     "B:debug", !!(tdx->policy & 0x1),
> +                                     "b:sept-ve-disable", !!(tdx->policy & 0x10000000),

Here you're expanding the policy integer to named cli args.

What is defining the semantics for bits in the policy integer ?

What happens if other bits are set besides 0x1 and 0x10000000 - if we
are not honouring those bits, we need to report an error when
validating the xml


> +                                     "S:mrconfigid", tdx->mrconfigid,
> +                                     "S:mrowner", tdx->mrowner,
> +                                     "S:mrownerconfig", tdx->mrownerconfig,
> +                                     "S:quote-generation-service", tdx->QGS,

This is passing through QEMU JSON directly from the XML which is certainly
not allowed. As mentioned in previous patch, we need to model 'SocketAddress'
QAPI explicitly in the XML schema.

> +                                     NULL) < 0)
> +        return -1;
> +
> +    if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv->qemuCaps) < 0)
> +        return -1;
> +
> +    return 0;
x> +}
> +
> +
>  static int
>  qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
>                          virDomainSecDef *sec)
> @@ -9660,6 +9686,7 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
>          return qemuBuildPVCommandLine(vm, cmd);
>          break;
>      case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
> +        return qemuBuildTDXCommandLine(vm, cmd, &sec->data.tdx);
>      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
>      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
>          virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
> diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
> index af630796cd..5a9173e8ff 100644
> --- a/src/qemu/qemu_validate.c
> +++ b/src/qemu/qemu_validate.c
> @@ -1323,6 +1323,13 @@ qemuValidateDomainDef(const virDomainDef *def,
>              }
>              break;
>          case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
> +            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||

This isn't required as it is implied by CAPS_TDX_GUEST

> +                !virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST)) {
> +                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                               _("INTEL TDX launch security is not supported with this QEMU binary"));

s/INTEL/Intel/

> +                return -1;
> +            }

This is where we need to valid 'policy' bits are supported.

> +            break;
>          case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
>          case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
>              virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
> -- 
> 2.34.1
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
RE: [PATCH rfcv3 05/11] qemu: Add command line and validation for TDX type
Posted by Duan, Zhenzhong 2 years ago 

>-----Original Message-----
>From: Daniel P. Berrangé <berrange@redhat.com>
>Subject: Re: [PATCH rfcv3 05/11] qemu: Add command line and validation
>for TDX type
>
>On Mon, Nov 27, 2023 at 04:55:15PM +0800, Zhenzhong Duan wrote:
>> QEMU will provides 'tdx-guest' object which is used to launch encrypted
>> VMs on Intel platform using TDX feature.
>>
>> Command line looks like:
>> $QEMU ... \
>>   -object tdx-guest,id=lsec0,debug=on,sept-ve-
>disable=on,mrconfigid=xxx...xxx,mrowner=xxx...xxx,mrownerconfig=xxx...xxx,q
>uote-generation-service=localhost:1234 \
>>   -machine q35,confidential-guest-support=lsec0
>>
>> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
>> ---
>>  src/qemu/qemu_command.c  | 27 +++++++++++++++++++++++++++
>>  src/qemu/qemu_validate.c |  7 +++++++
>>  2 files changed, 34 insertions(+)
>>
>> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
>> index 89905378e4..45223746f5 100644
>> --- a/src/qemu/qemu_command.c
>> +++ b/src/qemu/qemu_command.c
>> @@ -9645,6 +9645,32 @@ qemuBuildPVCommandLine(virDomainObj
>*vm, virCommand *cmd)
>>  }
>>
>>
>> +static int
>> +qemuBuildTDXCommandLine(virDomainObj *vm, virCommand *cmd,
>> +                        virDomainTDXDef *tdx)
>> +{
>> +    g_autoptr(virJSONValue) props = NULL;
>> +    qemuDomainObjPrivate *priv = vm->privateData;
>> +
>> +    VIR_DEBUG("policy=0x%x", tdx->policy);
>> +
>> +    if (qemuMonitorCreateObjectProps(&props, "tdx-guest", "lsec0",
>> +                                     "B:debug", !!(tdx->policy & 0x1),
>> +                                     "b:sept-ve-disable", !!(tdx->policy & 0x10000000),
>
>Here you're expanding the policy integer to named cli args.
>
>What is defining the semantics for bits in the policy integer ?

They are defined at
https://github.com/intel/qemu-tdx/blob/d20f93da3197fff3a30c3fb9ebdc4303a06a3343/target/i386/kvm/tdx.c#L49

>
>What happens if other bits are set besides 0x1 and 0x10000000 - if we
>are not honouring those bits, we need to report an error when
>validating the xml

Currently other bits are ignored, will fix it.

>
>
>> +                                     "S:mrconfigid", tdx->mrconfigid,
>> +                                     "S:mrowner", tdx->mrowner,
>> +                                     "S:mrownerconfig", tdx->mrownerconfig,
>> +                                     "S:quote-generation-service", tdx->QGS,
>
>This is passing through QEMU JSON directly from the XML which is certainly
>not allowed. As mentioned in previous patch, we need to model
>'SocketAddress'
>QAPI explicitly in the XML schema.

Will do.

>
>> +                                     NULL) < 0)
>> +        return -1;
>> +
>> +    if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv-
>>qemuCaps) < 0)
>> +        return -1;
>> +
>> +    return 0;
>x> +}
>> +
>> +
>>  static int
>>  qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
>>                          virDomainSecDef *sec)
>> @@ -9660,6 +9686,7 @@ qemuBuildSecCommandLine(virDomainObj *vm,
>virCommand *cmd,
>>          return qemuBuildPVCommandLine(vm, cmd);
>>          break;
>>      case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
>> +        return qemuBuildTDXCommandLine(vm, cmd, &sec->data.tdx);
>>      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
>>      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
>>          virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
>> diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
>> index af630796cd..5a9173e8ff 100644
>> --- a/src/qemu/qemu_validate.c
>> +++ b/src/qemu/qemu_validate.c
>> @@ -1323,6 +1323,13 @@ qemuValidateDomainDef(const virDomainDef
>*def,
>>              }
>>              break;
>>          case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
>> +            if (!virQEMUCapsGet(qemuCaps,
>QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
>
>This isn't required as it is implied by CAPS_TDX_GUEST

Will remove.

>
>> +                !virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST)) {
>> +                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
>> +                               _("INTEL TDX launch security is not supported with this
>QEMU binary"));
>
>s/INTEL/Intel/

Will fix.

>
>> +                return -1;
>> +            }
>
>This is where we need to valid 'policy' bits are supported.

Got it, will do.

Thanks
Zhenzhong

_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.