On 4/2/2025 7:47 PM, Daniel P. Berrangé wrote:
> On Tue, Apr 01, 2025 at 09:01:22AM -0400, Xiaoyao Li wrote:
>> Validate TD attributes with tdx_caps that only supported bits are
>> allowed by KVM.
>>
>> Besides, sanity check the attribute bits that have not been supported by
>> QEMU yet. e.g., debug bit, it will be allowed in the future when debug
>> TD support lands in QEMU.
>>
>> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
>> Acked-by: Gerd Hoffmann <kraxel@redhat.com>
>> ---
>> Changes in v8:
>> - Split the mrconfigid/mrowner/mrownerconfig part into a seperate next
>> patch;
>>
>> Changes in v7:
>> - Define TDX_SUPPORTED_TD_ATTRS as QEMU supported mask, to validates
>> user's request. (Rick)
>>
>> Changes in v3:
>> - using error_setg() for error report; (Daniel)
>> ---
>> target/i386/kvm/tdx.c | 32 ++++++++++++++++++++++++++++++--
>> 1 file changed, 30 insertions(+), 2 deletions(-)
>>
>> diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
>> index 1202b2111ba8..aa043acb1a88 100644
>> --- a/target/i386/kvm/tdx.c
>> +++ b/target/i386/kvm/tdx.c
>> @@ -18,10 +18,15 @@
>> #include "kvm_i386.h"
>> #include "tdx.h"
>>
>> +#define TDX_TD_ATTRIBUTES_DEBUG BIT_ULL(0)
>> #define TDX_TD_ATTRIBUTES_SEPT_VE_DISABLE BIT_ULL(28)
>> #define TDX_TD_ATTRIBUTES_PKS BIT_ULL(30)
>> #define TDX_TD_ATTRIBUTES_PERFMON BIT_ULL(63)
>>
>> +#define TDX_SUPPORTED_TD_ATTRS (TDX_TD_ATTRIBUTES_SEPT_VE_DISABLE |\
>> + TDX_TD_ATTRIBUTES_PKS | \
>> + TDX_TD_ATTRIBUTES_PERFMON)
>> +
>> static TdxGuest *tdx_guest;
>>
>> static struct kvm_tdx_capabilities *tdx_caps;
>> @@ -153,13 +158,33 @@ static int tdx_kvm_type(X86ConfidentialGuest *cg)
>> return KVM_X86_TDX_VM;
>> }
>>
>> -static void setup_td_guest_attributes(X86CPU *x86cpu)
>> +static int tdx_validate_attributes(TdxGuest *tdx, Error **errp)
>> +{
>> + if ((tdx->attributes & ~tdx_caps->supported_attrs)) {
>> + error_setg(errp, "Invalid attributes 0x%lx for TDX VM "
>> + "(KVM supported: 0x%llx)", tdx->attributes,
>> + tdx_caps->supported_attrs);
>> + return -1;
>> + }
>> +
>> + if (tdx->attributes & ~TDX_SUPPORTED_TD_ATTRS) {
>> + warn_report("Some QEMU unsupported TD attribute bits being requested:"
>> + "requested: 0x%lx QEMU supported: 0x%llx",
>> + tdx->attributes, TDX_SUPPORTED_TD_ATTRS);
>
> IIUC, this is an explicit user mis-configuration, and so we
> ought to use error_setg & return -1, not merely a warning.
My thought was to allow user to enable some QEMU unsupported but KVM
supported attribute bits, for testing purpose.
But now I agree with you. It's not good for production QEMU.
>> + }
>> +
>> + return 0;
>> +}
>> +
>> +static int setup_td_guest_attributes(X86CPU *x86cpu, Error **errp)
>> {
>> CPUX86State *env = &x86cpu->env;
>>
>> tdx_guest->attributes |= (env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_PKS) ?
>> TDX_TD_ATTRIBUTES_PKS : 0;
>> tdx_guest->attributes |= x86cpu->enable_pmu ? TDX_TD_ATTRIBUTES_PERFMON : 0;
>> +
>> + return tdx_validate_attributes(tdx_guest, errp);
>> }
>>
>> static int setup_td_xfam(X86CPU *x86cpu, Error **errp)
>> @@ -225,7 +250,10 @@ int tdx_pre_create_vcpu(CPUState *cpu, Error **errp)
>> init_vm = g_malloc0(sizeof(struct kvm_tdx_init_vm) +
>> sizeof(struct kvm_cpuid_entry2) * KVM_MAX_CPUID_ENTRIES);
>>
>> - setup_td_guest_attributes(x86cpu);
>> + r = setup_td_guest_attributes(x86cpu, errp);
>> + if (r) {
>> + return r;
>> + }
>>
>> r = setup_td_xfam(x86cpu, errp);
>> if (r) {
>> --
>> 2.34.1
>>
>
> With regards,
> Daniel