[PATCH rfcv4 02/13] qemu: Check if INTEL Trust Domain Extension support is enabled

Zhenzhong Duan posted 13 patches 6 months, 2 weeks ago
There is a newer version of this series
Posted by Zhenzhong Duan 6 months, 2 weeks ago
Implement TDX check in order to generate domain feature capability
correctly in case the availability of the feature changed.

For INTEL TDX the verification is:
 - checking if "/sys/module/kvm_intel/parameters/tdx" contains the
   value 'Y': meaning TDX is enabled in the host kernel.

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/qemu/qemu_capabilities.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 21f93c6774..7cccc28e80 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -5112,6 +5112,24 @@ virQEMUCapsKVMSupportsSecureGuestAMD(void)
 }
 
 
+/*
+ * Check whether INTEL Trust Domain Extention (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestINTEL(void)
+{
+    g_autofree char *modValue = NULL;
+
+    if (virFileReadValueString(&modValue, "/sys/module/kvm_intel/parameters/tdx") < 0)
+        return false;
+
+    if (modValue[0] != 'Y')
+        return false;
+
+    return true;
+}
+
+
 /*
  * Check whether the secure guest functionality is enabled.
  * See the specific architecture function for details on the verifications made.
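Review bot: the header comment of the new function misspells "Extension" as "Extention" (the subject line and commit message carry the same typo); worth fixing before merge, since this comment is the only in-tree description of what the probe checks. On the logic, both `virFileReadValueString(...) < 0` and `modValue[0] != 'Y'` fall through to `return false`, so a host where the parameter file is missing or unreadable is reported exactly like one where it reads 'N'. That is the right answer for a capability probe, but a one-line comment stating that a missing file is treated as "not enabled" would make the intent explicit. Checking only `modValue[0]` means a value with a trailing newline is still accepted, which matches the commit message's description of the check.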
@@ -5125,7 +5143,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
         return virQEMUCapsKVMSupportsSecureGuestS390();
 
     if (ARCH_IS_X86(arch))
-        return virQEMUCapsKVMSupportsSecureGuestAMD();
+        return virQEMUCapsKVMSupportsSecureGuestAMD() ||
+               virQEMUCapsKVMSupportsSecureGuestINTEL();
 
     return false;
 }
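Review bot: with the `||` on the x86 branch, virQEMUCapsKVMSupportsSecureGuest() now folds two different technologies into one boolean, so a caller can no longer tell whether the AMD check or the TDX check is what succeeded; if later patches in the series need to advertise TDX specifically in the capabilities, this needs a per-technology query rather than the merged result. Short-circuit evaluation also means virQEMUCapsKVMSupportsSecureGuestINTEL() is never called when the AMD check succeeds, which is fine here since the INTEL probe is only a read of a sysfs parameter, but is worth a brief comment so the ordering is not mistaken for a priority.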
-- 
2.34.1
Re: [PATCH rfcv4 02/13] qemu: Check if INTEL Trust Domain Extension support is enabled
Posted by Daniel P. Berrangé 6 months ago
On Fri, May 24, 2024 at 02:21:17PM +0800, Zhenzhong Duan wrote:
> Implement TDX check in order to generate domain feature capability
> correctly in case the availability of the feature changed.
> 
> For INTEL TDX the verification is:
>  - checking if "/sys/module/kvm_intel/parameters/tdx" contains the
>    value 'Y': meaning TDX is enabled in the host kernel.
> 
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  src/qemu/qemu_capabilities.c | 21 ++++++++++++++++++++-
>  1 file changed, 20 insertions(+), 1 deletion(-)
> 
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index 21f93c6774..7cccc28e80 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -5112,6 +5112,24 @@ virQEMUCapsKVMSupportsSecureGuestAMD(void)
>  }
>  
>  
> +/*
> + * Check whether INTEL Trust Domain Extention (x86) is enabled
> + */
> +static bool
> +virQEMUCapsKVMSupportsSecureGuestINTEL(void)
> +{
> +    g_autofree char *modValue = NULL;
> +
> +    if (virFileReadValueString(&modValue, "/sys/module/kvm_intel/parameters/tdx") < 0)
> +        return false;
> +
> +    if (modValue[0] != 'Y')
> +        return false;
> +
> +    return true;
> +}
> +
> +
>  /*
>   * Check whether the secure guest functionality is enabled.
>   * See the specific architecture function for details on the verifications made.
> @@ -5125,7 +5143,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
>          return virQEMUCapsKVMSupportsSecureGuestS390();
>  
>      if (ARCH_IS_X86(arch))
> -        return virQEMUCapsKVMSupportsSecureGuestAMD();
> +        return virQEMUCapsKVMSupportsSecureGuestAMD() ||
> +               virQEMUCapsKVMSupportsSecureGuestINTEL();

You were just copying our existing pattern here which is good practice,
but I think our existing pattern was wrong. We should have named it after
the technology, not the vendor. IOW, let's call your new function

  virQEMUCapsKVMSupportsSecureGuestTDX()


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
RE: [PATCH rfcv4 02/13] qemu: Check if INTEL Trust Domain Extension support is enabled
Posted by Duan, Zhenzhong 6 months ago

>-----Original Message-----
>From: Daniel P. Berrangé <berrange@redhat.com>
>Subject: Re: [PATCH rfcv4 02/13] qemu: Check if INTEL Trust Domain
>Extension support is enabled
>
>On Fri, May 24, 2024 at 02:21:17PM +0800, Zhenzhong Duan wrote:
>> Implement TDX check in order to generate domain feature capability
>> correctly in case the availability of the feature changed.
>>
>> For INTEL TDX the verification is:
>>  - checking if "/sys/module/kvm_intel/parameters/tdx" contains the
>>    value 'Y': meaning TDX is enabled in the host kernel.
>>
>> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
>> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
>> ---
>>  src/qemu/qemu_capabilities.c | 21 ++++++++++++++++++++-
>>  1 file changed, 20 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
>> index 21f93c6774..7cccc28e80 100644
>> --- a/src/qemu/qemu_capabilities.c
>> +++ b/src/qemu/qemu_capabilities.c
>> @@ -5112,6 +5112,24 @@
>virQEMUCapsKVMSupportsSecureGuestAMD(void)
>>  }
>>
>>
>> +/*
>> + * Check whether INTEL Trust Domain Extention (x86) is enabled
>> + */
>> +static bool
>> +virQEMUCapsKVMSupportsSecureGuestINTEL(void)
>> +{
>> +    g_autofree char *modValue = NULL;
>> +
>> +    if (virFileReadValueString(&modValue,
>"/sys/module/kvm_intel/parameters/tdx") < 0)
>> +        return false;
>> +
>> +    if (modValue[0] != 'Y')
>> +        return false;
>> +
>> +    return true;
>> +}
>> +
>> +
>>  /*
>>   * Check whether the secure guest functionality is enabled.
>>   * See the specific architecture function for details on the verifications
>made.
>> @@ -5125,7 +5143,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
>>          return virQEMUCapsKVMSupportsSecureGuestS390();
>>
>>      if (ARCH_IS_X86(arch))
>> -        return virQEMUCapsKVMSupportsSecureGuestAMD();
>> +        return virQEMUCapsKVMSupportsSecureGuestAMD() ||
>> +               virQEMUCapsKVMSupportsSecureGuestINTEL();
>
>You were just copying our existing pattern here which is good practice,
>but I think our existing pattern was wrong. We should have named it after
>the technology, not the vendor. IOW, lets call your new function
>
>  virQEMUCapsKVMSupportsSecureGuestTDX()

Got it.

Thanks
Zhenzhong