qemu: fix capabilities reporting for TDX

[PATCH 2/2] qemu: always report TDX feature caps on x86

Posted by Daniel P. Berrangé via Devel 22 hours ago

From: Daniel P. Berrangé <berrange@redhat.com>

Currently domain capabilities will only ever report

    <tdx supported='yes'/>

so it is not possible to determine whether libvirt itself is
new enough to have TDX support or not, vs the host OS lacking
it.

For SEV and s390 prot-virt, the capability is always reported
whether supported or not, so do likewise for TDX, so other
x86 hosts get:

    <tdx supported='no'/>

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/qemu/qemu_capabilities.c                          | 11 +++++++----
 .../domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml  |  1 +
 tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml       |  1 +
 .../domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml  |  1 +
 tests/domaincapsdata/qemu_10.0.0-tcg.x86_64.xml       |  1 +
 tests/domaincapsdata/qemu_10.0.0.x86_64+amdsev.xml    |  1 +
 tests/domaincapsdata/qemu_10.0.0.x86_64.xml           |  1 +
 .../qemu_10.1.0-tcg.x86_64+inteltdx.xml               |  1 +
 tests/domaincapsdata/qemu_10.1.0-tcg.x86_64.xml       |  1 +
 tests/domaincapsdata/qemu_10.2.0-tcg.x86_64.xml       |  1 +
 tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_6.2.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_7.0.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_7.1.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml    |  1 +
 tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml    |  1 +
 tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_7.2.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_8.0.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_8.0.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_8.0.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_8.1.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_8.1.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_8.1.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_8.2.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_8.2.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_8.2.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_9.0.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_9.0.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_9.0.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_9.1.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_9.1.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_9.1.0.x86_64.xml            |  1 +
 tests/domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml |  1 +
 tests/domaincapsdata/qemu_9.2.0-q35.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml |  1 +
 tests/domaincapsdata/qemu_9.2.0-tcg.x86_64.xml        |  1 +
 tests/domaincapsdata/qemu_9.2.0.x86_64+amdsev.xml     |  1 +
 tests/domaincapsdata/qemu_9.2.0.x86_64.xml            |  1 +
 45 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 67fe5d7acf..2eae52f8c4 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -7120,11 +7120,14 @@ static void
 virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps,
                                     virDomainCaps *domCaps)
 {
-    if (domCaps->arch == VIR_ARCH_X86_64 &&
-        domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
-        virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
-        virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
+    if (domCaps->arch == VIR_ARCH_X86_64) {
+        if (domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
+            virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
+            virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
             domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_YES;
+        else
+            domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_NO;
+    }
 }
 
 
diff --git a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml b/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
index b7debc22a5..c6ccb1cf9d 100644
--- a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-q35.x86_64+amdsev.xml
@@ -954,6 +954,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='yes'>
       <cbitpos>51</cbitpos>
       <reducedPhysBits>1</reducedPhysBits>
diff --git a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml
index e543997db2..97f57d9517 100644
--- a/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-q35.x86_64.xml
@@ -1853,6 +1853,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml b/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml
index 134f2c5847..063dfff42e 100644
--- a/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64+amdsev.xml
@@ -1938,6 +1938,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='yes'>
       <cbitpos>51</cbitpos>
       <reducedPhysBits>1</reducedPhysBits>
diff --git a/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64.xml
index 494152ea41..847869fd76 100644
--- a/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0-tcg.x86_64.xml
@@ -1938,6 +1938,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_10.0.0.x86_64+amdsev.xml b/tests/domaincapsdata/qemu_10.0.0.x86_64+amdsev.xml
index 093ce552e8..e078b61b16 100644
--- a/tests/domaincapsdata/qemu_10.0.0.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_10.0.0.x86_64+amdsev.xml
@@ -954,6 +954,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='yes'>
       <cbitpos>51</cbitpos>
       <reducedPhysBits>1</reducedPhysBits>
diff --git a/tests/domaincapsdata/qemu_10.0.0.x86_64.xml b/tests/domaincapsdata/qemu_10.0.0.x86_64.xml
index bcb0bc56e0..c979f72c7f 100644
--- a/tests/domaincapsdata/qemu_10.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.0.0.x86_64.xml
@@ -1853,6 +1853,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
index c5a4542f98..7b0fb06a06 100644
--- a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
@@ -2177,6 +2177,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='yes'>
       <flc>yes</flc>
diff --git a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64.xml
index cbbe141e3d..0709035d73 100644
--- a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64.xml
@@ -2324,6 +2324,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64.xml
index 2f2835e080..adc3171a88 100644
--- a/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_10.2.0-tcg.x86_64.xml
@@ -2324,6 +2324,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml
index 3637f37a0f..e012c147b1 100644
--- a/tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml
@@ -1157,6 +1157,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='no'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml
index f575585760..d8efb8a905 100644
--- a/tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml
@@ -1959,6 +1959,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='no'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_6.2.0.x86_64.xml b/tests/domaincapsdata/qemu_6.2.0.x86_64.xml
index fc849d0d30..f138cc9a01 100644
--- a/tests/domaincapsdata/qemu_6.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_6.2.0.x86_64.xml
@@ -1157,6 +1157,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='no'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml
index 7a524ee5f8..9c4736071d 100644
--- a/tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml
@@ -1185,6 +1185,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='yes'>
       <flc>no</flc>
diff --git a/tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml
index ce77e930c0..4a5179551e 100644
--- a/tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml
@@ -1984,6 +1984,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='yes'>
       <flc>no</flc>
diff --git a/tests/domaincapsdata/qemu_7.0.0.x86_64.xml b/tests/domaincapsdata/qemu_7.0.0.x86_64.xml
index 9621a12a3a..269a3ad6c2 100644
--- a/tests/domaincapsdata/qemu_7.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.0.0.x86_64.xml
@@ -1185,6 +1185,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='yes'>
       <flc>no</flc>
diff --git a/tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml
index d7c39ea11e..4620b8146b 100644
--- a/tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml
@@ -1152,6 +1152,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml
index e255480051..5fd8dbe775 100644
--- a/tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml
@@ -1932,6 +1932,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_7.1.0.x86_64.xml b/tests/domaincapsdata/qemu_7.1.0.x86_64.xml
index 098c0f42c1..884f403622 100644
--- a/tests/domaincapsdata/qemu_7.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.1.0.x86_64.xml
@@ -1152,6 +1152,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml b/tests/domaincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml
index ba8ecd6a95..a162c239d2 100644
--- a/tests/domaincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml
+++ b/tests/domaincapsdata/qemu_7.2.0-hvf.x86_64+hvf.xml
@@ -1159,6 +1159,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml
index 4b8849cd99..961ff998ff 100644
--- a/tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml
@@ -1159,6 +1159,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml b/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml
index 2aa72f1b10..1ba28743a5 100644
--- a/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml
+++ b/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64+hvf.xml
@@ -1639,6 +1639,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml
index 2aa72f1b10..1ba28743a5 100644
--- a/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml
@@ -1639,6 +1639,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_7.2.0.x86_64.xml b/tests/domaincapsdata/qemu_7.2.0.x86_64.xml
index c02c5e6555..95ab14e86d 100644
--- a/tests/domaincapsdata/qemu_7.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_7.2.0.x86_64.xml
@@ -1159,6 +1159,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <launchSecurity supported='no'/>
diff --git a/tests/domaincapsdata/qemu_8.0.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_8.0.0-q35.x86_64.xml
index 8a5277934d..978181a189 100644
--- a/tests/domaincapsdata/qemu_8.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.0.0-q35.x86_64.xml
@@ -1241,6 +1241,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_8.0.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_8.0.0-tcg.x86_64.xml
index 9348304998..9dbcf2d903 100644
--- a/tests/domaincapsdata/qemu_8.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.0.0-tcg.x86_64.xml
@@ -1734,6 +1734,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_8.0.0.x86_64.xml b/tests/domaincapsdata/qemu_8.0.0.x86_64.xml
index f68a87f2e0..72ec08a143 100644
--- a/tests/domaincapsdata/qemu_8.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.0.0.x86_64.xml
@@ -1241,6 +1241,7 @@
     <backup supported='yes'/>
     <async-teardown supported='no'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_8.1.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_8.1.0-q35.x86_64.xml
index a9a113326a..deb305fddc 100644
--- a/tests/domaincapsdata/qemu_8.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.1.0-q35.x86_64.xml
@@ -1499,6 +1499,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_8.1.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_8.1.0-tcg.x86_64.xml
index f1f41fbe96..9fb3da8876 100644
--- a/tests/domaincapsdata/qemu_8.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.1.0-tcg.x86_64.xml
@@ -1755,6 +1755,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_8.1.0.x86_64.xml b/tests/domaincapsdata/qemu_8.1.0.x86_64.xml
index 13541e8421..d7a78be468 100644
--- a/tests/domaincapsdata/qemu_8.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.1.0.x86_64.xml
@@ -1499,6 +1499,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_8.2.0-q35.x86_64.xml
index dabdf47c6b..55a064b979 100644
--- a/tests/domaincapsdata/qemu_8.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0-q35.x86_64.xml
@@ -1501,6 +1501,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_8.2.0-tcg.x86_64.xml
index 7538570678..c7b3b5e594 100644
--- a/tests/domaincapsdata/qemu_8.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0-tcg.x86_64.xml
@@ -1722,6 +1722,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_8.2.0.x86_64.xml b/tests/domaincapsdata/qemu_8.2.0.x86_64.xml
index ffcfc42b08..98c6be67ba 100644
--- a/tests/domaincapsdata/qemu_8.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_8.2.0.x86_64.xml
@@ -1501,6 +1501,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.0.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_9.0.0-q35.x86_64.xml
index 7289d5fbdc..862b647f5a 100644
--- a/tests/domaincapsdata/qemu_9.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.0.0-q35.x86_64.xml
@@ -1501,6 +1501,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.0.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_9.0.0-tcg.x86_64.xml
index 141edc67f3..f29be31e20 100644
--- a/tests/domaincapsdata/qemu_9.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.0.0-tcg.x86_64.xml
@@ -1651,6 +1651,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.0.0.x86_64.xml b/tests/domaincapsdata/qemu_9.0.0.x86_64.xml
index 5a636f06a8..962ed89b0a 100644
--- a/tests/domaincapsdata/qemu_9.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.0.0.x86_64.xml
@@ -1501,6 +1501,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.1.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_9.1.0-q35.x86_64.xml
index 4003af73de..896643346b 100644
--- a/tests/domaincapsdata/qemu_9.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.1.0-q35.x86_64.xml
@@ -1637,6 +1637,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.1.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_9.1.0-tcg.x86_64.xml
index 2fdeeb143a..a19cc09abc 100644
--- a/tests/domaincapsdata/qemu_9.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.1.0-tcg.x86_64.xml
@@ -1756,6 +1756,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.1.0.x86_64.xml b/tests/domaincapsdata/qemu_9.1.0.x86_64.xml
index ba78d5d24d..408006f2ad 100644
--- a/tests/domaincapsdata/qemu_9.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.1.0.x86_64.xml
@@ -1637,6 +1637,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml b/tests/domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml
index 099c503551..09b753dcd1 100644
--- a/tests/domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-q35.x86_64+amdsev.xml
@@ -834,6 +834,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='yes'>
       <cbitpos>51</cbitpos>
       <reducedPhysBits>1</reducedPhysBits>
diff --git a/tests/domaincapsdata/qemu_9.2.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_9.2.0-q35.x86_64.xml
index f83af00819..848918ee63 100644
--- a/tests/domaincapsdata/qemu_9.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-q35.x86_64.xml
@@ -1695,6 +1695,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml b/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml
index 28b9647f14..677c677e98 100644
--- a/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64+amdsev.xml
@@ -1803,6 +1803,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='yes'>
       <cbitpos>51</cbitpos>
       <reducedPhysBits>1</reducedPhysBits>
diff --git a/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64.xml
index f3469cdade..2590f41d4f 100644
--- a/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.2.0-tcg.x86_64.xml
@@ -1803,6 +1803,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
diff --git a/tests/domaincapsdata/qemu_9.2.0.x86_64+amdsev.xml b/tests/domaincapsdata/qemu_9.2.0.x86_64+amdsev.xml
index 462365ee12..a65c587e5d 100644
--- a/tests/domaincapsdata/qemu_9.2.0.x86_64+amdsev.xml
+++ b/tests/domaincapsdata/qemu_9.2.0.x86_64+amdsev.xml
@@ -834,6 +834,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='yes'>
       <cbitpos>51</cbitpos>
       <reducedPhysBits>1</reducedPhysBits>
diff --git a/tests/domaincapsdata/qemu_9.2.0.x86_64.xml b/tests/domaincapsdata/qemu_9.2.0.x86_64.xml
index 756e2cf90a..f183fe119f 100644
--- a/tests/domaincapsdata/qemu_9.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_9.2.0.x86_64.xml
@@ -1695,6 +1695,7 @@
     <backup supported='yes'/>
     <async-teardown supported='yes'/>
     <ps2 supported='yes'/>
+    <tdx supported='no'/>
     <sev supported='no'/>
     <sgx supported='no'/>
     <hyperv supported='yes'>
-- 
2.51.1

Re: [PATCH 2/2] qemu: always report TDX feature caps on x86

Posted by Peter Krempa via Devel 20 hours ago

On Thu, Nov 20, 2025 at 11:57:54 +0000, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
> 
> Currently domain capabilities will only ever report
> 
>     <tdx supported='yes'/>
> 
> so it is not possible to determine whether libvirt itself is
> new enough to have TDX support or not, vs the host OS lacking
> it.
> 
> For SEV and s390 prot-virt, the capability is always reported
> whether supported or not, so do likewise for TDX, so other
> x86 hosts get:
> 
>     <tdx supported='no'/>
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

[...]

> ---
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index 67fe5d7acf..2eae52f8c4 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -7120,11 +7120,14 @@ static void
>  virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps,
>                                      virDomainCaps *domCaps)
>  {
> -    if (domCaps->arch == VIR_ARCH_X86_64 &&
> -        domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
> -        virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
> -        virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
> +    if (domCaps->arch == VIR_ARCH_X86_64) {
> +        if (domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
> +            virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
> +            virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
>              domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_YES;
> +        else
> +            domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_NO;

IMO we should say that it's not supported even on non-x86 arches rather
than make it seem like the feature doesn't exist.

> +    }

Re: [PATCH 2/2] qemu: always report TDX feature caps on x86

Posted by Daniel P. Berrangé via Devel 20 hours ago

On Thu, Nov 20, 2025 at 02:25:05PM +0100, Peter Krempa wrote:
> On Thu, Nov 20, 2025 at 11:57:54 +0000, Daniel P. Berrangé via Devel wrote:
> > From: Daniel P. Berrangé <berrange@redhat.com>
> > 
> > Currently domain capabilities will only ever report
> > 
> >     <tdx supported='yes'/>
> > 
> > so it is not possible to determine whether libvirt itself is
> > new enough to have TDX support or not, vs the host OS lacking
> > it.
> > 
> > For SEV and s390 prot-virt, the capability is always reported
> > whether supported or not, so do likewise for TDX, so other
> > x86 hosts get:
> > 
> >     <tdx supported='no'/>
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> 
> [...]
> 
> > ---
> > diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> > index 67fe5d7acf..2eae52f8c4 100644
> > --- a/src/qemu/qemu_capabilities.c
> > +++ b/src/qemu/qemu_capabilities.c
> > @@ -7120,11 +7120,14 @@ static void
> >  virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps,
> >                                      virDomainCaps *domCaps)
> >  {
> > -    if (domCaps->arch == VIR_ARCH_X86_64 &&
> > -        domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
> > -        virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
> > -        virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
> > +    if (domCaps->arch == VIR_ARCH_X86_64) {
> > +        if (domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
> > +            virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
> > +            virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
> >              domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_YES;
> > +        else
> > +            domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_NO;
> 
> IMO we should say that it's not supported even on non-x86 arches rather
> than make it seem like the feature doesn't exist.

I did that to be consistent with virQEMUCapsFillDomainFeatureS390PVCaps.

Do you think we should report s390 prot-virt as not-avail on x86 too ?


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [PATCH 2/2] qemu: always report TDX feature caps on x86

Posted by Peter Krempa via Devel 19 hours ago

On Thu, Nov 20, 2025 at 13:34:13 +0000, Daniel P. Berrangé wrote:
> On Thu, Nov 20, 2025 at 02:25:05PM +0100, Peter Krempa wrote:
> > On Thu, Nov 20, 2025 at 11:57:54 +0000, Daniel P. Berrangé via Devel wrote:
> > > From: Daniel P. Berrangé <berrange@redhat.com>
> > > 
> > > Currently domain capabilities will only ever report
> > > 
> > >     <tdx supported='yes'/>
> > > 
> > > so it is not possible to determine whether libvirt itself is
> > > new enough to have TDX support or not, vs the host OS lacking
> > > it.
> > > 
> > > For SEV and s390 prot-virt, the capability is always reported
> > > whether supported or not, so do likewise for TDX, so other
> > > x86 hosts get:
> > > 
> > >     <tdx supported='no'/>
> > > 
> > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > 
> > [...]
> > 
> > > ---
> > > diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> > > index 67fe5d7acf..2eae52f8c4 100644
> > > --- a/src/qemu/qemu_capabilities.c
> > > +++ b/src/qemu/qemu_capabilities.c
> > > @@ -7120,11 +7120,14 @@ static void
> > >  virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps,
> > >                                      virDomainCaps *domCaps)
> > >  {
> > > -    if (domCaps->arch == VIR_ARCH_X86_64 &&
> > > -        domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
> > > -        virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
> > > -        virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
> > > +    if (domCaps->arch == VIR_ARCH_X86_64) {
> > > +        if (domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
> > > +            virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
> > > +            virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
> > >              domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_YES;
> > > +        else
> > > +            domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_NO;
> > 
> > IMO we should say that it's not supported even on non-x86 arches rather
> > than make it seem like the feature doesn't exist.
> 
> I did that to be consistent with virQEMUCapsFillDomainFeatureS390PVCaps.
> 
> Do you think we should report s390 prot-virt as not-avail on x86 too

Well yes. Libvirt does already have that feature and that feature
doesn't work on that host. IMO there's no difference if you have a box
where the feature doesn't work or have a kernel that doesn't support it.

If, as you mentioned in 1/2, you want to keep this patch minimal for
backports, I'm okay to do it in a follow-up.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>

[PATCH 1/2] qemu: correctly detect working TDX support
[PATCH 2/2] qemu: always report TDX feature caps on x86