Add check in virt-host-validate for secure guest support
on x86 for Intel Trust Domain Extentions.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
---
tools/virt-host-validate-common.c | 22 +++++++++++++++++++++-
tools/virt-host-validate-common.h | 1 +
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
index c8a23e2e99..4f0698b8ce 100644
--- a/tools/virt-host-validate-common.c
+++ b/tools/virt-host-validate-common.c
@@ -43,7 +43,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag,
"svm",
"sie",
"158",
- "sev");
+ "sev",
+ "tdx_host_platform");
static bool quiet;
@@ -471,6 +472,7 @@ int virHostValidateSecureGuests(const char *hvname,
g_autoptr(virBitmap) flags = NULL;
bool hasFac158 = false;
bool hasAMDSev = false;
+ bool hasIntelTDX = false;
virArch arch = virArchFromHost();
g_autofree char *cmdline = NULL;
static const char *kIBMValues[] = {"y", "Y", "on", "ON", "oN", "On", "1"};
@@ -482,6 +484,8 @@ int virHostValidateSecureGuests(const char *hvname,
hasFac158 = true;
else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SEV))
hasAMDSev = true;
+ else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_TDX))
+ hasIntelTDX = true;
virHostMsgCheck(hvname, "%s", _("for secure guest support"));
if (ARCH_IS_S390(arch)) {
@@ -539,6 +543,22 @@ int virHostValidateSecureGuests(const char *hvname,
"disabled in firmware.");
return VIR_HOST_VALIDATE_FAILURE(level);
}
+ } else if (hasIntelTDX) {
+ if (virFileReadValueString(&mod_value, "/sys/module/kvm_intel/parameters/tdx") < 0) {
+ virHostMsgFail(level, "Intel Trust Domain Extentions not "
+ "supported by the currently used kernel");
+ return VIR_HOST_VALIDATE_FAILURE(level);
+ }
+
+ if (mod_value[0] != 'Y') {
+ virHostMsgFail(level,
+ "Intel Trust Domain Extentions appears to be "
+ "disabled in kernel. Add kvm_intel.tdx=Y "
+ "to the kernel cmdline arguments");
+ return VIR_HOST_VALIDATE_FAILURE(level);
+ }
+ virHostMsgPass();
+ return 1;
}
virHostMsgFail(level,
diff --git a/tools/virt-host-validate-common.h b/tools/virt-host-validate-common.h
index 9334fa8588..c64f5669dc 100644
--- a/tools/virt-host-validate-common.h
+++ b/tools/virt-host-validate-common.h
@@ -39,6 +39,7 @@ typedef enum {
VIR_HOST_VALIDATE_CPU_FLAG_SIE,
VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158,
VIR_HOST_VALIDATE_CPU_FLAG_SEV,
+ VIR_HOST_VALIDATE_CPU_FLAG_TDX,
VIR_HOST_VALIDATE_CPU_FLAG_LAST,
} virHostValidateCPUFlag;
--
2.34.1On Fri, May 24, 2024 at 02:21:16PM +0800, Zhenzhong Duan wrote:
> Add check in virt-host-validate for secure guest support
> on x86 for Intel Trust Domain Extentions.
>
> Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
> ---
> tools/virt-host-validate-common.c | 22 +++++++++++++++++++++-
> tools/virt-host-validate-common.h | 1 +
> 2 files changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
> index c8a23e2e99..4f0698b8ce 100644
> --- a/tools/virt-host-validate-common.c
> +++ b/tools/virt-host-validate-common.c
> @@ -43,7 +43,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag,
> "svm",
> "sie",
> "158",
> - "sev");
> + "sev",
> + "tdx_host_platform");
I don't think we need to be quiet so verbose here. I think it is
sufficient to just call it 'tdx'.
>
> static bool quiet;
>
> @@ -471,6 +472,7 @@ int virHostValidateSecureGuests(const char *hvname,
> g_autoptr(virBitmap) flags = NULL;
> bool hasFac158 = false;
> bool hasAMDSev = false;
> + bool hasIntelTDX = false;
> virArch arch = virArchFromHost();
> g_autofree char *cmdline = NULL;
> static const char *kIBMValues[] = {"y", "Y", "on", "ON", "oN", "On", "1"};
> @@ -482,6 +484,8 @@ int virHostValidateSecureGuests(const char *hvname,
> hasFac158 = true;
> else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SEV))
> hasAMDSev = true;
> + else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_TDX))
> + hasIntelTDX = true;
>
> virHostMsgCheck(hvname, "%s", _("for secure guest support"));
> if (ARCH_IS_S390(arch)) {
> @@ -539,6 +543,22 @@ int virHostValidateSecureGuests(const char *hvname,
> "disabled in firmware.");
> return VIR_HOST_VALIDATE_FAILURE(level);
> }
> + } else if (hasIntelTDX) {
> + if (virFileReadValueString(&mod_value, "/sys/module/kvm_intel/parameters/tdx") < 0) {
> + virHostMsgFail(level, "Intel Trust Domain Extentions not "
> + "supported by the currently used kernel");
> + return VIR_HOST_VALIDATE_FAILURE(level);
> + }
> +
> + if (mod_value[0] != 'Y') {
> + virHostMsgFail(level,
> + "Intel Trust Domain Extentions appears to be "
> + "disabled in kernel. Add kvm_intel.tdx=Y "
> + "to the kernel cmdline arguments");
> + return VIR_HOST_VALIDATE_FAILURE(level);
> + }
> + virHostMsgPass();
> + return 1;
> }
>
> virHostMsgFail(level,
> diff --git a/tools/virt-host-validate-common.h b/tools/virt-host-validate-common.h
> index 9334fa8588..c64f5669dc 100644
> --- a/tools/virt-host-validate-common.h
> +++ b/tools/virt-host-validate-common.h
> @@ -39,6 +39,7 @@ typedef enum {
> VIR_HOST_VALIDATE_CPU_FLAG_SIE,
> VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158,
> VIR_HOST_VALIDATE_CPU_FLAG_SEV,
> + VIR_HOST_VALIDATE_CPU_FLAG_TDX,
>
> VIR_HOST_VALIDATE_CPU_FLAG_LAST,
> } virHostValidateCPUFlag;
> --
> 2.34.1
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>-----Original Message----- >From: Daniel P. Berrangé <berrange@redhat.com> >Subject: Re: [PATCH rfcv4 01/13] tools: Secure guest check for Intel in virt- >host-validate > >On Fri, May 24, 2024 at 02:21:16PM +0800, Zhenzhong Duan wrote: >> Add check in virt-host-validate for secure guest support >> on x86 for Intel Trust Domain Extentions. >> >> Suggested-by: Daniel P. Berrangé <berrange@redhat.com> >> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> >> --- >> tools/virt-host-validate-common.c | 22 +++++++++++++++++++++- >> tools/virt-host-validate-common.h | 1 + >> 2 files changed, 22 insertions(+), 1 deletion(-) >> >> diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate- >common.c >> index c8a23e2e99..4f0698b8ce 100644 >> --- a/tools/virt-host-validate-common.c >> +++ b/tools/virt-host-validate-common.c >> @@ -43,7 +43,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag, >> "svm", >> "sie", >> "158", >> - "sev"); >> + "sev", >> + "tdx_host_platform"); > >I don't think we need to be quiet so verbose here. I think it is >sufficient to just call it 'tdx'. This string is used to compare with output of /proc/cpuinfo. So we can't use 'tdx', or else string compare will fail. Thanks Zhenzhong
On Thu, Jun 06, 2024 at 10:27:39AM +0000, Duan, Zhenzhong wrote: > > > >-----Original Message----- > >From: Daniel P. Berrangé <berrange@redhat.com> > >Subject: Re: [PATCH rfcv4 01/13] tools: Secure guest check for Intel in virt- > >host-validate > > > >On Fri, May 24, 2024 at 02:21:16PM +0800, Zhenzhong Duan wrote: > >> Add check in virt-host-validate for secure guest support > >> on x86 for Intel Trust Domain Extentions. > >> > >> Suggested-by: Daniel P. Berrangé <berrange@redhat.com> > >> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> > >> --- > >> tools/virt-host-validate-common.c | 22 +++++++++++++++++++++- > >> tools/virt-host-validate-common.h | 1 + > >> 2 files changed, 22 insertions(+), 1 deletion(-) > >> > >> diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate- > >common.c > >> index c8a23e2e99..4f0698b8ce 100644 > >> --- a/tools/virt-host-validate-common.c > >> +++ b/tools/virt-host-validate-common.c > >> @@ -43,7 +43,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag, > >> "svm", > >> "sie", > >> "158", > >> - "sev"); > >> + "sev", > >> + "tdx_host_platform"); > > > >I don't think we need to be quiet so verbose here. I think it is > >sufficient to just call it 'tdx'. > > This string is used to compare with output of /proc/cpuinfo. > So we can't use 'tdx', or else string compare will fail. Ah yes, nevermind then. Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
© 2016 - 2024 Red Hat, Inc.