From: Zhenzhong Duan
To: devel@lists.libvirt.org
CC: phrdina@redhat.com, pkrempa@redhat.com, jjongsma@redhat.com, jsuchane@redhat.com, chenyi.qiang@intel.com, isaku.yamahata@intel.com, xiaoyao.li@intel.com, chao.p.peng@intel.com, edwin.zhai@intel.com, Zhenzhong Duan
Subject: [PATCH rfcv3 05/11] qemu: Add command line and validation for TDX type
Date: Mon, 27 Nov 2023 16:55:15 +0800
Message-Id: <20231127085521.6813-6-zhenzhong.duan@intel.com>
In-Reply-To: <20231127085521.6813-1-zhenzhong.duan@intel.com>
References: <20231127085521.6813-1-zhenzhong.duan@intel.com>

QEMU will provide 'tdx-guest' object which is used to launch encrypted VMs on Intel platform using TDX feature.

Command line looks like:
$QEMU ... \
  -object tdx-guest,id=lsec0,debug=on,sept-ve-disable=on,mrconfigid=xxx...xxx,mrowner=xxx...xxx,mrownerconfig=xxx...xxx,quote-generation-service=localhost:1234 \
  -machine q35,confidential-guest-support=lsec0

Signed-off-by: Zhenzhong Duan --- src/qemu/qemu_command.c | 27 +++++++++++++++++++++++++++ src/qemu/qemu_validate.c | 7 +++++++ 2 files changed, 34 insertions(+) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 89905378e4..45223746f5 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -9645,6 +9645,32 @@ qemuBuildPVCommandLine(virDomainObj *vm, virCommand = *cmd) } =20 =20 +static int +qemuBuildTDXCommandLine(virDomainObj *vm, virCommand *cmd, + virDomainTDXDef *tdx) +{ + g_autoptr(virJSONValue) props =3D NULL; + qemuDomainObjPrivate *priv =3D vm->privateData; + + VIR_DEBUG("policy=3D0x%x", tdx->policy); + + if (qemuMonitorCreateObjectProps(&props, "tdx-guest", "lsec0", + "B:debug", !!(tdx->policy & 0x1), + "b:sept-ve-disable", !!(tdx->policy &= 0x10000000), + "S:mrconfigid", tdx->mrconfigid, + "S:mrowner", tdx->mrowner, + "S:mrownerconfig", tdx->mrownerconfig, + "S:quote-generation-service", tdx->QG= S, + NULL) < 0) + return -1; + + if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv->qemuCaps) < 0) + return -1; + + return 0; +} + + static int qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd, virDomainSecDef *sec) @@ -9660,6 +9686,7 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand = *cmd, return qemuBuildPVCommandLine(vm, cmd); break; case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + return qemuBuildTDXCommandLine(vm, cmd, &sec->data.tdx); case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype); diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c index af630796cd..5a9173e8ff 100644 --- a/src/qemu/qemu_validate.c +++ b/src/qemu/qemu_validate.c 
@@ -1323,6 +1323,13 @@ qemuValidateDomainDef(const virDomainDef *def, } break; case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GU= EST_SUPPORT) || + !virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("INTEL TDX launch security is not support= ed with this QEMU binary")); + return -1; + } + break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sec= type); --=20 2.34.1
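
Review bot: In qemuBuildTDXCommandLine (first qemu_command.c hunk), the two booleans are built with different format prefixes, "B:debug" and "b:sept-ve-disable", so a clear debug bit drops the property from the object while a clear sept-ve-disable bit is emitted explicitly as false; use one form for both or add a comment saying the difference is intended. The masks 0x1 and 0x10000000 are also bare literals. Named constants for the policy bits would show which bit maps to which tdx-guest property, and since debug=on is derived directly from bit 0 of tdx->policy, that mapping should be obvious to anyone reading the function.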
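
Review bot: The VIR_DOMAIN_LAUNCH_SECURITY_TDX case in qemuValidateDomainDef (qemu_validate.c hunk) checks only the two QEMU capabilities; nothing in this patch rejects tdx->policy bits other than 0x1 and 0x10000000, which qemuBuildTDXCommandLine silently ignores, or checks the mrconfigid, mrowner and mrownerconfig strings before they are handed to QEMU. Unless that is done elsewhere in the series, reject unknown policy bits and malformed values here so that a bad definition fails at validation rather than when QEMU starts. The error text would also read better as "Intel TDX" than "INTEL TDX".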