As the tdx launch security type support is added, expose it in domain
capabilities so that domain definition validation check can take
effect.

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
---
 src/qemu/qemu_capabilities.c                             | 2 ++
 tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml | 6 +++++-
 tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml | 6 +++++-
 tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml     | 6 +++++-
 4 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index f4f77a491c..d2b59ba1f4 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -6776,6 +6776,8 @@ virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemuCaps,
     if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) &&
         virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT))
         VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_PV);
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST))
+        VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_TDX);
 
     if (launchSecurity->sectype.values == 0) {
         launchSecurity->supported = VIR_TRISTATE_BOOL_NO;
diff --git a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
index 61aa1aafd0..fafa28ecbe 100644
--- a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
@@ -774,6 +774,10 @@
         <value>xmm_input</value>
       </enum>
     </hyperv>
-    <launchSecurity supported='no'/>
+    <launchSecurity supported='yes'>
+      <enum name='sectype'>
+        <value>tdx</value>
+      </enum>
+    </launchSecurity>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
index 1d2795c4df..eba8023fc8 100644
--- a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
@@ -1821,6 +1821,10 @@
         <value>xmm_input</value>
       </enum>
     </hyperv>
-    <launchSecurity supported='no'/>
+    <launchSecurity supported='yes'>
+      <enum name='sectype'>
+        <value>tdx</value>
+      </enum>
+    </launchSecurity>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
index 6048a66b87..9ea7d779b5 100644
--- a/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
@@ -774,6 +774,10 @@
         <value>xmm_input</value>
       </enum>
     </hyperv>
-    <launchSecurity supported='no'/>
+    <launchSecurity supported='yes'>
+      <enum name='sectype'>
+        <value>tdx</value>
+      </enum>
+    </launchSecurity>
   </features>
 </domainCapabilities>
-- 
2.34.1

On Mon, Jun 30, 2025 at 02:17:21PM +0800, Zhenzhong Duan wrote:
> As the tdx launch security type support is added, expose it in domain
> capabilities so that domain definition validation check can take
> effect.
> 
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
> ---
>  src/qemu/qemu_capabilities.c                             | 2 ++
>  tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml | 6 +++++-
>  tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml | 6 +++++-
>  tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml     | 6 +++++-
>  4 files changed, 17 insertions(+), 3 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|