rpms/libvirt
6
0
Fork 1
Code Issues Pull Requests Releases Activity

Import from AlmaLinux stable repository

Browse Source
This commit is contained in:
eabdullin 2025-12-04 12:33:07 +00:00
parent 8c1523a5c9
commit 0091d8af22
23 changed files with 2 additions and 54174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

141
SOURCES/libvirt-conf-Add-Intel-TDX-Quote-Generation-Service-QGS-support.patch
View File

@ -1,141 +0,0 @@
From e3233ee7847c0b51267b511038724a0ab8a54484 Mon Sep 17 00:00:00 2001
Message-ID: <e3233ee7847c0b51267b511038724a0ab8a54484.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:16 -0400
Subject: [PATCH] conf: Add Intel TDX Quote Generation Service(QGS) support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add element "quoteGenerationService" to tdx launch security type.
It contains only an optional unix socket address attribute,
when omitted, libvirt will use default QGS server address
"/var/run/tdx-qgs/qgs.socket".
UNIX sockets offer the required functionality with greater
security than vsock, so libvirt only provides support for unix
socket.
XML example:
<launchSecurity type='tdx'>
<policy>0x10000001</policy>
<mrConfigId>xxx</mrConfigId>
<mrOwner>xxx</mrOwner>
<mrOwnerConfig>xxx</mrOwnerConfig>
<quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
</launchSecurity>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
(cherry picked from commit 8214980432191138f052c2e32d12ae284597c8b8)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/conf/domain_conf.c | 35 ++++++++++++++++++++++++++++++-
src/conf/domain_conf.h | 2 ++
src/conf/schemas/domaincommon.rng | 9 ++++++++
3 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 92185080a9..38179a7e59 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3895,6 +3895,7 @@ virDomainSecDefFree(virDomainSecDef *def)
g_free(def->data.tdx.mrconfigid);
g_free(def->data.tdx.mrowner);
g_free(def->data.tdx.mrownerconfig);
+ g_free(def->data.tdx.qgs_unix_path);
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
@@ -13911,6 +13912,33 @@ virDomainSEVSNPDefParseXML(virDomainSEVSNPDef *def,
}
+static int
+virDomainTDXQGSDefParseXML(virDomainTDXDef *def, xmlXPathContextPtr ctxt)
+{
+ g_autofree xmlNodePtr *nodes = NULL;
+ xmlNodePtr node;
+ int n;
+
+ if ((n = virXPathNodeSet("./quoteGenerationService", ctxt, &nodes)) < 0)
+ return -1;
+
+ if (!n)
+ return 0;
+
+ if (n > 1) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("only a single QGS element is supported"));
+ return -1;
+ }
+ node = nodes[0];
+
+ def->haveQGS = true;
+ def->qgs_unix_path = virXMLPropString(node, "path");
+
+ return 0;
+}
+
+
static int
virDomainTDXDefParseXML(virDomainTDXDef *def,
xmlXPathContextPtr ctxt)
@@ -13930,7 +13958,7 @@ virDomainTDXDefParseXML(virDomainTDXDef *def,
def->mrowner = virXPathString("string(./mrOwner)", ctxt);
def->mrownerconfig = virXPathString("string(./mrOwnerConfig)", ctxt);
- return 0;
+ return virDomainTDXQGSDefParseXML(def, ctxt);
}
@@ -27261,6 +27289,11 @@ virDomainTDXDefFormat(virBuffer *childBuf, virDomainTDXDef *def)
virBufferEscapeString(childBuf, "<mrConfigId>%s</mrConfigId>\n", def->mrconfigid);
virBufferEscapeString(childBuf, "<mrOwner>%s</mrOwner>\n", def->mrowner);
virBufferEscapeString(childBuf, "<mrOwnerConfig>%s</mrOwnerConfig>\n", def->mrownerconfig);
+ if (def->haveQGS) {
+ virBufferAddLit(childBuf, "<quoteGenerationService");
+ virBufferEscapeString(childBuf, " path='%s'", def->qgs_unix_path);
+ virBufferAddLit(childBuf, "/>\n");
+ }
}
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 0ea88e013b..85ef6fbf2c 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2965,6 +2965,8 @@ struct _virDomainTDXDef {
char *mrconfigid;
char *mrowner;
char *mrownerconfig;
+ bool haveQGS;
+ char *qgs_unix_path;
};
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index 552b2f4ced..93bc128dec 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -652,6 +652,15 @@
<data type="string"/>
</element>
</optional>
+ <optional>
+ <element name="quoteGenerationService">
+ <optional>
+ <attribute name="path">
+ <ref name="absFilePath"/>
+ </attribute>
+ </optional>
+ </element>
+ </optional>
</interleave>
</define>
--
2.51.0

379
SOURCES/libvirt-conf-Add-tdx-as-launch-security-type.patch
View File

@ -1,379 +0,0 @@
From 3f4f38e2f1f05b0484035f96e61ee0de130d3050 Mon Sep 17 00:00:00 2001
Message-ID: <3f4f38e2f1f05b0484035f96e61ee0de130d3050.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:09 -0400
Subject: [PATCH] conf: Add tdx as launch security type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When 'tdx' is used, the VM will be launched with Intel TDX feature enabled.
TDX feature supports running encrypted VM (Trust Domain, TD) under the
control of KVM. A TD runs in a CPU model which protects the confidentiality
of its memory and its CPU state from other software.
There are four optional child elements. Element policy is 64bit hex, bit 0
is set to enable TDX debug, bit 28 is set to enable sept-ve-disable, other
bits are reserved currently. When policy isn't specified, QEMU will use its
own default value 0x10000000. mrConfigId, mrOwner and mrOwnerConfig are
base64 encoded SHA384 digest string.
For example:
<launchSecurity type='tdx'>
<policy>0x10000001</policy>
<mrConfigId>xxx</mrConfigId>
<mrOwner>xxx</mrOwner>
<mrOwnerConfig>xxx</mrOwnerConfig>
</launchSecurity>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit e919a4dd374535511d962bee2cd64f22f1ac3fa1)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
RHEL: context
---
src/conf/domain_conf.c | 49 +++++++++++++++++++++++++++++++
src/conf/domain_conf.h | 11 +++++++
src/conf/domain_validate.c | 1 +
src/conf/schemas/domaincommon.rng | 32 ++++++++++++++++++++
src/conf/virconftypes.h | 2 ++
src/qemu/qemu_cgroup.c | 1 +
src/qemu/qemu_command.c | 3 ++
src/qemu/qemu_driver.c | 1 +
src/qemu/qemu_firmware.c | 1 +
src/qemu/qemu_namespace.c | 1 +
src/qemu/qemu_process.c | 2 ++
src/qemu/qemu_validate.c | 1 +
src/security/security_dac.c | 2 ++
13 files changed, 107 insertions(+)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 286e59a4c7..92185080a9 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1538,6 +1538,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
"sev",
"sev-snp",
"s390-pv",
+ "tdx",
);
VIR_ENUM_IMPL(virDomainPstoreBackend,
@@ -3890,6 +3891,11 @@ virDomainSecDefFree(virDomainSecDef *def)
g_free(def->data.sev_snp.id_auth);
g_free(def->data.sev_snp.host_data);
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ g_free(def->data.tdx.mrconfigid);
+ g_free(def->data.tdx.mrowner);
+ g_free(def->data.tdx.mrownerconfig);
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -13905,6 +13911,29 @@ virDomainSEVSNPDefParseXML(virDomainSEVSNPDef *def,
}
+static int
+virDomainTDXDefParseXML(virDomainTDXDef *def,
+ xmlXPathContextPtr ctxt)
+{
+ int rc;
+
+ rc = virXPathULongLongBase("string(./policy)", ctxt, 16, &def->policy);
+ if (rc == 0) {
+ def->havePolicy = true;
+ } else if (rc == -2) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("failed to get launch security policy for launch security type TDX"));
+ return -1;
+ }
+
+ def->mrconfigid = virXPathString("string(./mrConfigId)", ctxt);
+ def->mrowner = virXPathString("string(./mrOwner)", ctxt);
+ def->mrownerconfig = virXPathString("string(./mrOwnerConfig)", ctxt);
+
+ return 0;
+}
+
+
static virDomainSecDef *
virDomainSecDefParseXML(xmlNodePtr lsecNode,
xmlXPathContextPtr ctxt)
@@ -13928,6 +13957,10 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
if (virDomainSEVSNPDefParseXML(&sec->data.sev_snp, ctxt) < 0)
return NULL;
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ if (virDomainTDXDefParseXML(&sec->data.tdx, ctxt) < 0)
+ return NULL;
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
@@ -27219,6 +27252,18 @@ virDomainSEVSNPDefFormat(virBuffer *attrBuf,
}
+static void
+virDomainTDXDefFormat(virBuffer *childBuf, virDomainTDXDef *def)
+{
+ if (def->havePolicy)
+ virBufferAsprintf(childBuf, "<policy>0x%llx</policy>\n", def->policy);
+
+ virBufferEscapeString(childBuf, "<mrConfigId>%s</mrConfigId>\n", def->mrconfigid);
+ virBufferEscapeString(childBuf, "<mrOwner>%s</mrOwner>\n", def->mrowner);
+ virBufferEscapeString(childBuf, "<mrOwnerConfig>%s</mrOwnerConfig>\n", def->mrownerconfig);
+}
+
+
static void
virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
{
@@ -27240,6 +27285,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
virDomainSEVSNPDefFormat(&attrBuf, &childBuf, &sec->data.sev_snp);
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ virDomainTDXDefFormat(&childBuf, &sec->data.tdx);
+ break;
+
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
break;
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index e59d2e6c5f..1238f2001f 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2924,6 +2924,7 @@ typedef enum {
VIR_DOMAIN_LAUNCH_SECURITY_SEV,
VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP,
VIR_DOMAIN_LAUNCH_SECURITY_PV,
+ VIR_DOMAIN_LAUNCH_SECURITY_TDX,
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
} virDomainLaunchSecurity;
@@ -2958,11 +2959,21 @@ struct _virDomainSEVSNPDef {
};
+struct _virDomainTDXDef {
+ bool havePolicy;
+ unsigned long long policy;
+ char *mrconfigid;
+ char *mrowner;
+ char *mrownerconfig;
+};
+
+
struct _virDomainSecDef {
virDomainLaunchSecurity sectype;
union {
virDomainSEVDef sev;
virDomainSEVSNPDef sev_snp;
+ virDomainTDXDef tdx;
} data;
};
diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index 522fd0174f..2d4b79032b 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -1860,6 +1860,7 @@ virDomainDefLaunchSecurityValidate(const virDomainDef *def)
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
break;
}
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index 1b153acc48..552b2f4ced 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -528,6 +528,9 @@
<value>s390-pv</value>
</attribute>
</group>
+ <group>
+ <ref name="launchSecurityTDX"/>
+ </group>
</choice>
</element>
</define>
@@ -623,6 +626,35 @@
</optional>
</interleave>
</define>
+
+ <define name="launchSecurityTDX">
+ <attribute name="type">
+ <value>tdx</value>
+ </attribute>
+ <interleave>
+ <optional>
+ <element name="policy">
+ <ref name="hexuint"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mrConfigId">
+ <data type="string"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mrOwner">
+ <data type="string"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mrOwnerConfig">
+ <data type="string"/>
+ </element>
+ </optional>
+ </interleave>
+ </define>
+
<!--
Enable or disable perf events for the domain. For each
of the events the following rules apply:
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 59be61cea4..d46da4bdda 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -216,6 +216,8 @@ typedef struct _virDomainSEVDef virDomainSEVDef;
typedef struct _virDomainSEVSNPDef virDomainSEVSNPDef;
+typedef struct _virDomainTDXDef virDomainTDXDef;
+
typedef struct _virDomainSecDef virDomainSecDef;
typedef struct _virDomainShmemDef virDomainShmemDef;
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index f3c85d65e8..03c1c76ec4 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -865,6 +865,7 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
return -1;
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 243729800b..6c5e1926a5 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6990,6 +6990,7 @@ qemuBuildMachineCommandLine(virCommand *cmd,
}
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
virBufferAddLit(&buf, ",confidential-guest-support=lsec0");
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
@@ -9766,6 +9767,8 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
return qemuBuildPVCommandLine(vm, cmd);
break;
+
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 13e2838f19..7d0c39c89f 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -19174,6 +19174,7 @@ qemuDomainGetLaunchSecurityInfo(virDomainPtr domain,
goto cleanup;
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 2d0ec0b4fa..6c65a2751b 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1371,6 +1371,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
}
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 59421ec9d1..f72da83929 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -665,6 +665,7 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
VIR_DEBUG("Set up launch security for SEV");
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index a78aa8569d..7586248329 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6856,6 +6856,7 @@ qemuProcessPrepareDomain(virQEMUDriver *driver,
return -1;
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -6928,6 +6929,7 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainObj *vm)
case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
return 0;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index ddfb14399a..34bb7e45c7 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1391,6 +1391,7 @@ qemuValidateDomainDef(const virDomainDef *def,
return -1;
}
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index b4d61bc576..bf849090a7 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2017,6 +2017,7 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
rc = -1;
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -2259,6 +2260,7 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
return -1;
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
--
2.51.0

164
SOURCES/libvirt-conf-Expose-TDX-feature-in-domain-capabilities.patch
View File

@ -1,164 +0,0 @@
From dec132c0a7598d1d5dfd50e380cf988ac4e0b321 Mon Sep 17 00:00:00 2001
Message-ID: <dec132c0a7598d1d5dfd50e380cf988ac4e0b321.1759835599.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:08 -0400
Subject: [PATCH] conf: Expose TDX feature in domain capabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Extend qemu TDX capability to domain capabilities.
Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit f87397488337ed596b0961855ccdea81de0e161c)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
RHEL: missing 10.1 data files
---
docs/formatdomaincaps.rst | 1 +
src/conf/domain_capabilities.c | 1 +
src/conf/domain_capabilities.h | 1 +
src/conf/schemas/domaincaps.rng | 9 +++++++++
src/qemu/qemu_capabilities.c | 13 +++++++++++++
.../qemu_10.1.0-q35.x86_64+inteltdx.xml | 1 +
.../domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml | 1 +
tests/domaincapsmock.c | 3 ++-
8 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/docs/formatdomaincaps.rst b/docs/formatdomaincaps.rst
index ed95af4fee..664194b16d 100644
--- a/docs/formatdomaincaps.rst
+++ b/docs/formatdomaincaps.rst
@@ -720,6 +720,7 @@ capabilities. All features occur as children of the main ``features`` element.
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<async-teardown supported='yes'/>
+ <tdx supported='yes'/>
<sev>
<cbitpos>47</cbitpos>
<reduced-phys-bits>1</reduced-phys-bits>
diff --git a/src/conf/domain_capabilities.c b/src/conf/domain_capabilities.c
index ab715b19d8..b8f17e6d2f 100644
--- a/src/conf/domain_capabilities.c
+++ b/src/conf/domain_capabilities.c
@@ -44,6 +44,7 @@ VIR_ENUM_IMPL(virDomainCapsFeature,
"async-teardown",
"s390-pv",
"ps2",
+ "tdx",
);
static virClass *virDomainCapsClass;
diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h
index 69dd1a15c1..eacbd6b6b3 100644
--- a/src/conf/domain_capabilities.h
+++ b/src/conf/domain_capabilities.h
@@ -274,6 +274,7 @@ typedef enum {
VIR_DOMAIN_CAPS_FEATURE_ASYNC_TEARDOWN,
VIR_DOMAIN_CAPS_FEATURE_S390_PV,
VIR_DOMAIN_CAPS_FEATURE_PS2,
+ VIR_DOMAIN_CAPS_FEATURE_TDX,
VIR_DOMAIN_CAPS_FEATURE_LAST
} virDomainCapsFeature;
diff --git a/src/conf/schemas/domaincaps.rng b/src/conf/schemas/domaincaps.rng
index 3559d2ae05..850e7d63a0 100644
--- a/src/conf/schemas/domaincaps.rng
+++ b/src/conf/schemas/domaincaps.rng
@@ -357,6 +357,9 @@
<optional>
<ref name="ps2"/>
</optional>
+ <optional>
+ <ref name="tdx"/>
+ </optional>
<optional>
<ref name="sev"/>
</optional>
@@ -421,6 +424,12 @@
</element>
</define>
+ <define name="tdx">
+ <element name="tdx">
+ <ref name="supported"/>
+ </element>
+ </define>
+
<define name="sev">
<element name="sev">
<ref name="supported"/>
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index f912b4cf9d..dbec00c99d 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -6968,6 +6968,18 @@ virQEMUCapsFillDomainFeatureHypervCaps(virQEMUCaps *qemuCaps,
}
+static void
+virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps,
+ virDomainCaps *domCaps)
+{
+ if (domCaps->arch == VIR_ARCH_X86_64 &&
+ domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
+ virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
+ virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
+ domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_YES;
+}
+
+
int
virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
virArch hostarch,
@@ -7030,6 +7042,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
virQEMUCapsFillDomainFeaturePS2Caps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureHypervCaps(qemuCaps, domCaps);
+ virQEMUCapsFillDomainFeatureTDXCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainDeviceCryptoCaps(qemuCaps, crypto);
virQEMUCapsFillDomainLaunchSecurity(qemuCaps, launchSecurity);
virQEMUCapsFillDomainDeviceNetCaps(qemuCaps, net);
diff --git a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
index 385a828d43..1d0f9f1362 100644
--- a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
@@ -722,6 +722,7 @@
<backup supported='yes'/>
<async-teardown supported='yes'/>
<ps2 supported='yes'/>
+ <tdx supported='yes'/>
<sev supported='no'/>
<sgx supported='yes'>
<flc>yes</flc>
diff --git a/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
index f689021a96..a5c781c67c 100644
--- a/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
@@ -722,6 +722,7 @@
<backup supported='yes'/>
<async-teardown supported='yes'/>
<ps2 supported='yes'/>
+ <tdx supported='yes'/>
<sev supported='no'/>
<sgx supported='yes'>
<flc>yes</flc>
diff --git a/tests/domaincapsmock.c b/tests/domaincapsmock.c
index 6ae0c4ad45..cb6e98dbb8 100644
--- a/tests/domaincapsmock.c
+++ b/tests/domaincapsmock.c
@@ -54,7 +54,8 @@ bool
virQEMUCapsGetKVMSupportsSecureGuest(virQEMUCaps *qemuCaps)
{
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) &&
- virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST))
+ (virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) ||
+ virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST)))
return true;
if (!real_virQEMUCapsGetKVMSupportsSecureGuest)
--
2.51.0

90
SOURCES/libvirt-conf-Expose-TDX-type-in-domain-launch-security-capability.patch
View File

@ -1,90 +0,0 @@
From 2e0bf808c6d2543b2279a365f3175d1a9c384617 Mon Sep 17 00:00:00 2001
Message-ID: <2e0bf808c6d2543b2279a365f3175d1a9c384617.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:12 -0400
Subject: [PATCH] conf: Expose TDX type in domain launch security capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As the tdx launch security type support is added, expose it in domain
capabilities so that domain definition validation check can take
effect.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 0a825f910bb863ddc46c23e8a98834d1903dc526)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
RHEL: missing 10.1 data files
---
src/qemu/qemu_capabilities.c | 2 ++
tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml | 6 +++++-
tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml | 6 +++++-
tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml | 6 +++++-
4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index dbec00c99d..4f239ae77b 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -6762,6 +6762,8 @@ virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemuCaps,
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) &&
virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT))
VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_PV);
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST))
+ VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_TDX);
if (launchSecurity->sectype.values == 0) {
launchSecurity->supported = VIR_TRISTATE_BOOL_NO;
diff --git a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
index 1d0f9f1362..fedf50a52a 100644
--- a/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml
@@ -757,6 +757,10 @@
<value>xmm_input</value>
</enum>
</hyperv>
- <launchSecurity supported='no'/>
+ <launchSecurity supported='yes'>
+ <enum name='sectype'>
+ <value>tdx</value>
+ </enum>
+ </launchSecurity>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
index ea79280179..c9913316b8 100644
--- a/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml
@@ -1804,6 +1804,10 @@
<value>xmm_input</value>
</enum>
</hyperv>
- <launchSecurity supported='no'/>
+ <launchSecurity supported='yes'>
+ <enum name='sectype'>
+ <value>tdx</value>
+ </enum>
+ </launchSecurity>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml b/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
index a5c781c67c..c1aebf16b2 100644
--- a/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
+++ b/tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml
@@ -757,6 +757,10 @@
<value>xmm_input</value>
</enum>
</hyperv>
- <launchSecurity supported='no'/>
+ <launchSecurity supported='yes'>
+ <enum name='sectype'>
+ <value>tdx</value>
+ </enum>
+ </launchSecurity>
</features>
</domainCapabilities>
--
2.51.0

63
SOURCES/libvirt-conf-Validate-TDX-launchSecurity-element-mrConfigId-mrOwner-mrOwnerConfig.patch
View File

@ -1,63 +0,0 @@
From 889ea0ba62e2c51b8dc7d75c0f59ba757d57bdce Mon Sep 17 00:00:00 2001
Message-ID: <889ea0ba62e2c51b8dc7d75c0f59ba757d57bdce.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:10 -0400
Subject: [PATCH] conf: Validate TDX launchSecurity element
mrConfigId/mrOwner/mrOwnerConfig
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
mrConfigId/mrOwner/mrOwnerConfig are base64 encoded SHA384 digest,
can be provided for TDX attestation.
Check their decoded lengths to ensure they are 48 bytes.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit ea625cb60b6c829d96c67a4ac99f6ccb96a15257)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/conf/domain_validate.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index 2d4b79032b..2878b210c7 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -1839,10 +1839,13 @@ virDomainDefValidateIOThreads(const virDomainDef *def)
} \
}
+#define SHA384_DIGEST_SIZE 48
+
static int
virDomainDefLaunchSecurityValidate(const virDomainDef *def)
{
virDomainSEVSNPDef *sev_snp;
+ virDomainTDXDef *tdx;
if (!def->sec)
return 0;
@@ -1857,10 +1860,17 @@ virDomainDefLaunchSecurityValidate(const virDomainDef *def)
CHECK_BASE64_LEN(sev_snp->host_data, "hostData", 32);
break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ tdx = &def->sec->data.tdx;
+
+ CHECK_BASE64_LEN(tdx->mrconfigid, "mrConfigId", SHA384_DIGEST_SIZE);
+ CHECK_BASE64_LEN(tdx->mrowner, "mrOwner", SHA384_DIGEST_SIZE);
+ CHECK_BASE64_LEN(tdx->mrownerconfig, "mrOwnerConfig", SHA384_DIGEST_SIZE);
+ break;
+
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
- case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
break;
}
--
2.51.0

94
SOURCES/libvirt-docs-domain-Add-documentation-for-Intel-TDX-guest.patch
View File

@ -1,94 +0,0 @@
From 81832cba9c026511ccf3fecbff894f9db48fbd33 Mon Sep 17 00:00:00 2001
Message-ID: <81832cba9c026511ccf3fecbff894f9db48fbd33.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:25 -0400
Subject: [PATCH] docs: domain: Add documentation for Intel TDX guest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
(cherry picked from commit 5e5528ef14b600a43070c7efc3877e3840725dec)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
docs/formatdomain.rst | 63 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 847c9ebc6e..bfe28759e7 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -9294,6 +9294,69 @@ The ``<launchSecurity/>`` element then accepts the following child elements:
the SNP_LAUNCH_FINISH command in the SEV-SNP firmware ABI.
+The contents of the ``<launchSecurity type='tdx'>`` element is used to provide
+the guest owners input used for creating an encrypted VM using the Intel TDX
+(Trusted Domain eXtensions). Intel TDX refers to an Intel technology that
+extends Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption
+(MKTME) with a new kind of virtual machine guest called a Trust Domain (TD).
+A TD runs in a CPU mode that is designed to protect the confidentiality of its
+memory contents and its CPU state from any other software, including the hosting
+Virtual Machine Monitor (VMM), unless explicitly shared by the TD itself.
+Example configuration:
+
+::
+
+ <domain>
+ ...
+ <launchSecurity type='tdx'>
+ <policy>0x10000001</policy>
+ <mrConfigId>xxx</mrConfigId>
+ <mrOwner>xxx</mrOwner>
+ <mrOwnerConfig>xxx</mrOwnerConfig>
+ <quoteGenerationService path="/var/run/tdx-qgs/qgs.socket"/>
+ </launchSecurity>
+ ...
+ </domain>
+
+``policy``
+ The optional ``policy`` element provides the guest TD attributes which is
+ passed by the host VMM as a guest TD initialization parameter as part of
+ TD_PARAMS, it exactly matches the definition of TD_PARAMS.ATTRIBUTES in
+ (Intel TDX Module Spec Table 22.2: ATTRIBUTES Definition). It is reported
+ to the guest TD by TDG.VP.INFO and as part of TDREPORT_STRUCT returned by
+ TDG.MR.REPORT. The guest policy is 64bit unsigned with the fields shown
+ in Table:
+
+ ====== ====================================================================================
+ Bit(s) Description
+ ====== ====================================================================================
+ 0 Guest TD runs in off-TD debug mode when set
+ 1:27 reserved
+ 28 Disable EPT violation conversion to #VE on guest TD access of PENDING pages when set
+ 29:63 reserved
+ ====== ====================================================================================
+
+``mrConfigId``
+ The optional ``mrConfigId`` element provides ID for non-owner-defined
+ configuration of the guest TD, e.g., run-time or OS configuration
+ (base64 encoded SHA384 digest).
+
+``@mrOwner``
+ The optional ``@mrOwner`` element provides ID for the guest TDs owner
+ (base64 encoded SHA384 digest).
+
+``mrOwnerConfig``
+ The optional ``mrOwnerConfig`` element provides ID for owner-defined
+ configuration of the guest TD, e.g., specific to the workload rather than
+ the run-time or OS (base64 encoded SHA384 digest).
+
+``quoteGenerationService``
+ The optional ``quoteGenerationService`` subelement provides Quote Generation
+ Service(QGS) daemon socket address configuration. It includes an optional
+ ``path`` attribute to determine the UNIX socket address, when omitted,
+ ``/var/run/tdx-qgs/qgs.socket`` is used as default. User in TD guest cannot
+ get TD quoting for attestation if this subelement is not provided.
+
Example configs
===============
--
2.51.0

139
SOURCES/libvirt-qemu-Add-FakeReboot-support-for-TDX-guest.patch
View File

@ -1,139 +0,0 @@
From 30e83bf71626ce8a180982feb974ac4592b0303c Mon Sep 17 00:00:00 2001
Message-ID: <30e83bf71626ce8a180982feb974ac4592b0303c.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:18 -0400
Subject: [PATCH] qemu: Add FakeReboot support for TDX guest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Utilize the existing fake reboot mechanism to do reboot for TDX guest.
Different from normal guest, TDX guest doesn't support system_reset,
so have to kill the old guest and start a new one to simulate the reboot.
Co-developed-by: Chenyi Qiang <chenyi.qiang@intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 4f733348212b3bb4de491aeaab4ac32f0335673d)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
RHEL: fix arguments to qemuProcessStart, qemuProcessStop, qemuDomainRemoveInactive
---
src/qemu/qemu_process.c | 80 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 77 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 7586248329..caf63b0ae3 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -446,6 +446,67 @@ qemuProcessHandleReset(qemuMonitor *mon G_GNUC_UNUSED,
}
+/*
+ * Secure guest doesn't support fake reboot via machine CPU reset.
+ * We thus fake reboot via QEMU re-creation.
+ */
+static void
+qemuProcessFakeRebootViaRecreate(virDomainObj *vm)
+{
+ qemuDomainObjPrivate *priv = vm->privateData;
+ virQEMUDriver *driver = priv->driver;
+ int ret = -1;
+
+ VIR_DEBUG("Handle secure guest reboot: destroy phase");
+
+ virObjectLock(vm);
+ if (qemuProcessBeginStopJob(vm, VIR_JOB_DESTROY, 0) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0) {
+ qemuProcessEndStopJob(vm);
+ goto cleanup;
+ }
+
+ qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_DESTROYED, VIR_ASYNC_JOB_NONE, 0);
+ virDomainAuditStop(vm, "destroyed");
+
+ /* skip remove inactive domain from active list */
+ qemuProcessEndStopJob(vm);
+
+ VIR_DEBUG("Handle secure guest reboot: boot phase");
+
+ if (qemuProcessBeginJob(vm, VIR_DOMAIN_JOB_OPERATION_START, 0) < 0) {
+ qemuDomainRemoveInactive(driver, vm, 0, false);
+ goto cleanup;
+ }
+
+ if (qemuProcessStart(NULL, driver, vm, NULL, VIR_ASYNC_JOB_START,
+ NULL, -1, NULL, NULL,
+ VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
+ 0) < 0) {
+ virDomainAuditStart(vm, "booted", false);
+ qemuDomainRemoveInactive(driver, vm, 0, false);
+ goto endjob;
+ }
+
+ virDomainAuditStart(vm, "booted", true);
+
+ qemuDomainSaveStatus(vm);
+ ret = 0;
+
+ endjob:
+ qemuProcessEndJob(vm);
+
+ cleanup:
+ priv->pausedShutdown = false;
+ qemuDomainSetFakeReboot(vm, false);
+ if (ret == -1)
+ ignore_value(qemuProcessKill(vm, VIR_QEMU_PROCESS_KILL_FORCE));
+ virDomainObjEndAPI(&vm);
+}
+
+
/*
* Since we have the '-no-shutdown' flag set, the
* QEMU process will currently have guest OS shutdown
@@ -455,15 +516,13 @@ qemuProcessHandleReset(qemuMonitor *mon G_GNUC_UNUSED,
* guest OS booting up again
*/
static void
-qemuProcessFakeReboot(void *opaque)
+qemuProcessFakeRebootViaReset(virDomainObj *vm)
{
- virDomainObj *vm = opaque;
qemuDomainObjPrivate *priv = vm->privateData;
virQEMUDriver *driver = priv->driver;
virDomainRunningReason reason = VIR_DOMAIN_RUNNING_BOOTED;
int ret = -1, rc;
- VIR_DEBUG("vm=%p", vm);
virObjectLock(vm);
if (virDomainObjBeginJob(vm, VIR_JOB_MODIFY) < 0)
goto cleanup;
@@ -509,6 +568,21 @@ qemuProcessFakeReboot(void *opaque)
}
+static void
+qemuProcessFakeReboot(void *opaque)
+{
+ virDomainObj *vm = opaque;
+
+ VIR_DEBUG("vm=%p", vm);
+
+ if (vm->def->sec &&
+ vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_TDX)
+ qemuProcessFakeRebootViaRecreate(vm);
+ else
+ qemuProcessFakeRebootViaReset(vm);
+}
+
+
void
qemuProcessShutdownOrReboot(virDomainObj *vm)
{
--
2.51.0

72
SOURCES/libvirt-qemu-Add-QEMU_CAPS_TDX_GUEST-capability.patch
View File

@ -1,72 +0,0 @@
From b4b30bd7eebc51bbc4b3de23db6cf3b494a8f60f Mon Sep 17 00:00:00 2001
Message-ID: <b4b30bd7eebc51bbc4b3de23db6cf3b494a8f60f.1759835599.git.jdenemar@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Wed, 24 Sep 2025 13:11:50 +0200
Subject: [PATCH] qemu: Add QEMU_CAPS_TDX_GUEST capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
QEMU_CAPS_TDX_GUEST set means TDX supported with this QEMU.
Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit 121fd199420e0f3f645177de78e285dfa3502935)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
RHEL: context
---
src/qemu/qemu_capabilities.c | 2 ++
src/qemu/qemu_capabilities.h | 1 +
tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml | 1 +
3 files changed, 4 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index ea0c42d624..f912b4cf9d 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -728,6 +728,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
"blockdev-set-active", /* QEMU_CAPS_BLOCKDEV_SET_ACTIVE */
"amd-iommu", /* QEMU_CAPS_AMD_IOMMU */
"amd-iommu.pci-id", /* QEMU_CAPS_AMD_IOMMU_PCI_ID */
+ "tdx-guest", /* QEMU_CAPS_TDX_GUEST */
);
@@ -1419,6 +1420,7 @@ struct virQEMUCapsStringFlags virQEMUCapsObjectTypes[] = {
{ "acpi-erst", QEMU_CAPS_DEVICE_ACPI_ERST },
{ "virtio-mem-ccw", QEMU_CAPS_DEVICE_VIRTIO_MEM_CCW },
{ "amd-iommu", QEMU_CAPS_AMD_IOMMU },
+ { "tdx-guest", QEMU_CAPS_TDX_GUEST},
};
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 8918e8dfc4..1334a668f0 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -707,6 +707,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */
QEMU_CAPS_BLOCKDEV_SET_ACTIVE, /* blockdev-set-active QMP command supported */
QEMU_CAPS_AMD_IOMMU, /* -device amd-iommu */
QEMU_CAPS_AMD_IOMMU_PCI_ID, /* amd-iommu.pci-id */
+ QEMU_CAPS_TDX_GUEST, /* -object tdx-guest,... */
QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags;
diff --git a/tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml b/tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml
index 584d515d8c..54b09813a8 100644
--- a/tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml
+++ b/tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml
@@ -194,6 +194,7 @@
<flag name='blockdev-set-active'/>
<flag name='amd-iommu'/>
<flag name='amd-iommu.pci-id'/>
+ <flag name='tdx-guest'/>
<version>10000050</version>
<microcodeVersion>43100286</microcodeVersion>
<package>v10.0.0-1724-gf9a3def17b</package>
--
2.51.0

118
SOURCES/libvirt-qemu-Add-command-line-and-validation-for-TDX-type.patch
View File

@ -1,118 +0,0 @@
From 2fa4ab6a8a776f41e64bcd7a3f1bf0f76e54f8db Mon Sep 17 00:00:00 2001
Message-ID: <2fa4ab6a8a776f41e64bcd7a3f1bf0f76e54f8db.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:11 -0400
Subject: [PATCH] qemu: Add command line and validation for TDX type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
QEMU will provides 'tdx-guest' object which is used to launch encrypted
VMs on Intel platform using TDX feature.
Command line looks like:
$QEMU ... \
-object '{"qom-type":"tdx-guest","id":"lsec0","mrconfigid":"xxx","mrowner":"xxx","mrownerconfig":"xxx","attributes":268435457}' \
-machine pc-q35-6.0,confidential-guest-support=lsec0
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 67b0720d2f2a16ab59a11aa8ecccfe11c73d8727)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
RHEL: pass priv->qemuCaps to qemuBuildObjectCommandlineFromJSON
---
src/conf/domain_conf.h | 5 +++++
src/qemu/qemu_command.c | 29 +++++++++++++++++++++++++++++
src/qemu/qemu_validate.c | 12 ++++++++++++
3 files changed, 46 insertions(+)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 1238f2001f..0ea88e013b 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2968,6 +2968,11 @@ struct _virDomainTDXDef {
};
+#define VIR_DOMAIN_TDX_POLICY_DEBUG 0x1
+#define VIR_DOMAIN_TDX_POLICY_SEPT_VE_DISABLE 0x10000000
+#define VIR_DOMAIN_TDX_POLICY_ALLOWED_MASK (VIR_DOMAIN_TDX_POLICY_DEBUG | \
+ VIR_DOMAIN_TDX_POLICY_SEPT_VE_DISABLE)
+
struct _virDomainSecDef {
virDomainLaunchSecurity sectype;
union {
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 6c5e1926a5..c2183d332e 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9750,6 +9750,34 @@ qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
}
+static int
+qemuBuildTDXCommandLine(virDomainObj *vm, virCommand *cmd,
+ virDomainTDXDef *tdx)
+{
+ g_autoptr(virJSONValue) props = NULL;
+ qemuDomainObjPrivate *priv = vm->privateData;
+
+ if (tdx->havePolicy)
+ VIR_DEBUG("policy=0x%llx", tdx->policy);
+
+ if (qemuMonitorCreateObjectProps(&props, "tdx-guest", "lsec0",
+ "S:mrconfigid", tdx->mrconfigid,
+ "S:mrowner", tdx->mrowner,
+ "S:mrownerconfig", tdx->mrownerconfig,
+ NULL) < 0)
+ return -1;
+
+ if (tdx->havePolicy &&
+ virJSONValueObjectAdd(&props, "U:attributes", tdx->policy, NULL) < 0)
+ return -1;
+
+ if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv->qemuCaps) < 0)
+ return -1;
+
+ return 0;
+}
+
+
static int
qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
virDomainSecDef *sec)
@@ -9769,6 +9797,7 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
break;
case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ return qemuBuildTDXCommandLine(vm, cmd, &sec->data.tdx);
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 34bb7e45c7..80aa2529f2 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1392,6 +1392,18 @@ qemuValidateDomainDef(const virDomainDef *def,
}
break;
case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security is not supported with this QEMU binary"));
+ return -1;
+ }
+ if (def->sec->data.tdx.havePolicy &&
+ def->sec->data.tdx.policy & ~VIR_DOMAIN_TDX_POLICY_ALLOWED_MASK) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Only bit0(debug) and bit28(sept-ve-disable) are supported intel TDX launch security policy"));
+ return -1;
+ }
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
--
2.51.0

84
SOURCES/libvirt-qemu-Add-command-line-for-TDX-Quote-Generation-Service-QGS.patch
View File

@ -1,84 +0,0 @@
From ed45ed36365fd14833c74d6143678afdf8448dc7 Mon Sep 17 00:00:00 2001
Message-ID: <ed45ed36365fd14833c74d6143678afdf8448dc7.1759835600.git.jdenemar@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Wed, 24 Sep 2025 12:41:09 +0200
Subject: [PATCH] qemu: Add command line for TDX Quote Generation Service(QGS)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
'tdx-guest' object supports a "quote-generation-socket" property for
attestation purpose. When "quote-generation-socket" is configured in
guest xml, libvirt generates unix socket format cmdline for QEMU.
'Path' element can be omitted, default path "/var/run/tdx-qgs/qgs.socket"
is used in this case.
QEMU command line example:
qemu-system-x86_64 \
-object '{"qom-type":"tdx-guest","id":"lsec0","mrconfigid":"xxx","mrowner":"xxx","mrownerconfig":"xxx","quote-generation-socket":{"type":"unix","path":"/var/run/tdx-qgs/qgs.socket"},"attributes":268435457}' \
-machine pc-q35-6.0,confidential-guest-support=lsec0
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 61c4c1b538eed608315c21126b4bd1d26f972512)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
RHEL: context
---
src/conf/domain_conf.h | 3 +++
src/qemu/qemu_command.c | 14 ++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 85ef6fbf2c..15aacc71c1 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2959,6 +2959,9 @@ struct _virDomainSEVSNPDef {
};
+/* Copied from QGS source code */
+#define QGS_UNIX_SOCKET_FILE "/var/run/tdx-qgs/qgs.socket"
+
struct _virDomainTDXDef {
bool havePolicy;
unsigned long long policy;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index c2183d332e..c6b826a007 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9754,16 +9754,30 @@ static int
qemuBuildTDXCommandLine(virDomainObj *vm, virCommand *cmd,
virDomainTDXDef *tdx)
{
+ g_autoptr(virJSONValue) addr = NULL;
g_autoptr(virJSONValue) props = NULL;
qemuDomainObjPrivate *priv = vm->privateData;
+ const char *path = QGS_UNIX_SOCKET_FILE;
if (tdx->havePolicy)
VIR_DEBUG("policy=0x%llx", tdx->policy);
+ if (tdx->haveQGS) {
+ if (tdx->qgs_unix_path)
+ path = tdx->qgs_unix_path;
+
+ if (virJSONValueObjectAdd(&addr,
+ "s:type", "unix",
+ "s:path", path,
+ NULL) < 0)
+ return -1;
+ }
+
if (qemuMonitorCreateObjectProps(&props, "tdx-guest", "lsec0",
"S:mrconfigid", tdx->mrconfigid,
"S:mrowner", tdx->mrowner,
"S:mrownerconfig", tdx->mrownerconfig,
+ "A:quote-generation-socket", &addr,
NULL) < 0)
return -1;
--
2.51.0

48
SOURCES/libvirt-qemu-Avoid-duplicate-FakeReboot-for-secure-guest.patch
View File

@ -1,48 +0,0 @@
From 80e6f292a501cc9bc8b2d5197c339326ecff0323 Mon Sep 17 00:00:00 2001
Message-ID: <80e6f292a501cc9bc8b2d5197c339326ecff0323.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:20 -0400
Subject: [PATCH] qemu: Avoid duplicate FakeReboot for secure guest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For secure guest, FakeReboot kills original QEMU instance and
create new one. During this process, QEMU send SHUTDOWN event
with "host-signal" reason which can trigger another FakeReboot.
Check if a FakeReboot is ongoing and bypass "host-signal"
processing which originally comes from FakeReboot.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 194a36f4fe14b489b4697396d908c2a2c578ca5c)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/qemu/qemu_monitor.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 40f15c88a8..6d19b675d5 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -1076,6 +1076,16 @@ qemuMonitorEmitShutdown(qemuMonitor *mon, virTristateBool guest,
* with it here. */
if (vm->def->sec &&
vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_TDX) {
+ qemuDomainObjPrivate *priv = vm->privateData;
+
+ /* For secure guest, FakeReboot kills original QEMU instance and
+ * create new one. During this process, QEMU send SHUTDOWN event
+ * with "host-signal" reason which can trigger another FakeReboot.
+ * Check if a FakeReboot is ongoing and bypass "host-signal"
+ * processing which is originally come from FakeReboot. */
+ if (priv->fakeReboot && STREQ_NULLABLE(reason, "host-signal"))
+ return;
+
if ((STREQ_NULLABLE(reason, "guest-shutdown") &&
vm->def->onPoweroff == VIR_DOMAIN_LIFECYCLE_ACTION_RESTART) ||
(STREQ_NULLABLE(reason, "guest-reset") &&
--
2.51.0

68
SOURCES/libvirt-qemu-Check-if-INTEL-Trust-Domain-Extention-support-is-enabled.patch
View File

@ -1,68 +0,0 @@
From 7eff4d32f92fa15ffa3705b977cf8e29d41f6d26 Mon Sep 17 00:00:00 2001
Message-ID: <7eff4d32f92fa15ffa3705b977cf8e29d41f6d26.1759835599.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:04 -0400
Subject: [PATCH] qemu: Check if INTEL Trust Domain Extention support is
enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implement TDX check in order to generate domain feature capability
correctly in case the availability of the feature changed.
For INTEL TDX the verification is:
- checking if "/sys/module/kvm_intel/parameters/tdx" contains the
value 'Y': meaning TDX is enabled in the host kernel.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
(cherry picked from commit d7c96e809d2c446830930790db5206168aedef81)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/qemu/qemu_capabilities.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index d60d2d95cc..ea0c42d624 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -5308,6 +5308,24 @@ virQEMUCapsKVMSupportsSecureGuestAMD(void)
}
+/*
+ * Check whether INTEL Trust Domain Extention (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestTDX(void)
+{
+ g_autofree char *modValue = NULL;
+
+ if (virFileReadValueString(&modValue, "/sys/module/kvm_intel/parameters/tdx") < 0)
+ return false;
+
+ if (modValue[0] != 'Y')
+ return false;
+
+ return true;
+}
+
+
/*
* Check whether the secure guest functionality is enabled.
* See the specific architecture function for details on the verifications made.
@@ -5321,7 +5339,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
return virQEMUCapsKVMSupportsSecureGuestS390();
if (ARCH_IS_X86(arch))
- return virQEMUCapsKVMSupportsSecureGuestAMD();
+ return virQEMUCapsKVMSupportsSecureGuestAMD() ||
+ virQEMUCapsKVMSupportsSecureGuestTDX();
return false;
}
--
2.51.0

73
SOURCES/libvirt-qemu-Force-special-parameters-enabled-for-TDX-guest.patch
View File

@ -1,73 +0,0 @@
From 809c8b4ebb569d283e02b869580914a6c7d9edd5 Mon Sep 17 00:00:00 2001
Message-ID: <809c8b4ebb569d283e02b869580914a6c7d9edd5.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:13 -0400
Subject: [PATCH] qemu: Force special parameters enabled for TDX guest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
TDX guest requires some special parameters to boot, currently:
"kernel_irqchip=split"
"pmu!=on"
"smm!=on"
"-bios"
If not specified explicitly, QEMU should configure this option implicitly
when start a TDX guest.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 626b9ca84650966de266ff41e9df59aba948f65e)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/qemu/qemu_validate.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 80aa2529f2..bbd838c7f0 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1403,6 +1403,38 @@ qemuValidateDomainDef(const virDomainDef *def,
_("Only bit0(debug) and bit28(sept-ve-disable) are supported intel TDX launch security policy"));
return -1;
}
+ if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] == VIR_DOMAIN_IOAPIC_KVM) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security needs split kernel irqchip"));
+ return -1;
+ }
+ /* Current KVM doesn't support PMU for TD guest. It returns
+ * error if TD is created with PMU bit being set in attributes.
+ * By default, QEMU disable PMU for TD guest.
+ */
+ if (def->features[VIR_DOMAIN_FEATURE_PMU] == VIR_TRISTATE_SWITCH_ON) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security is not supported with PMU enabled"));
+ return -1;
+ }
+ /* TDX doesn't support SMM and VMM cannot emulate SMM for TDX VMs
+ * because VMM cannot manipulate TDX VM's memory.
+ * By default, QEMU disable SMM for TD guest.
+ */
+ if (def->features[VIR_DOMAIN_FEATURE_SMM] == VIR_TRISTATE_SWITCH_ON) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security is not supported with SMM enabled"));
+ return -1;
+ }
+ /* TDVF(OVMF) needs to run at private memory for TD guest. TDX cannot
+ * support pflash device since it doesn't support read-only private memory.
+ * Thus load TDVF(OVMF) with -bios option for TDs.
+ */
+ if (def->os.loader && def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_PFLASH) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security is not supported with pflash loader"));
+ return -1;
+ }
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
--
2.51.0

138
SOURCES/libvirt-qemu-Send-event-VIR_DOMAIN_EVENT_-STOPPED-STARTED-during-recreation.patch
View File

@ -1,138 +0,0 @@
From dbeae7c9d470143a0c23195d1880ad302bce78ab Mon Sep 17 00:00:00 2001
Message-ID: <dbeae7c9d470143a0c23195d1880ad302bce78ab.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:21 -0400
Subject: [PATCH] qemu: Send event VIR_DOMAIN_EVENT_[STOPPED|STARTED] during
recreation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For secure guest, FakeReboot kills original QEMU instance and
create new one which is quite different from normal guest.
To reflect this fact, VIR_DOMAIN_EVENT_[STOPPED|STARTED]
are sent to control plane with new introduced reasons
VIR_DOMAIN_EVENT_[STOPPED|STARTED]_RECREATION.
That would let control plane software understand that these
events are from a fake reboot.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
(cherry picked from commit 1af740c5012bb45dfe96c77bcd6b20c28b6bb45d)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
examples/c/misc/event-test.c | 6 ++++++
include/libvirt/libvirt-domain.h | 2 ++
src/qemu/qemu_process.c | 10 ++++++++++
tools/virsh-domain-event.c | 6 ++++--
4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/examples/c/misc/event-test.c b/examples/c/misc/event-test.c
index 88d99dff56..04d74670e7 100644
--- a/examples/c/misc/event-test.c
+++ b/examples/c/misc/event-test.c
@@ -143,6 +143,9 @@ eventDetailToString(int event,
case VIR_DOMAIN_EVENT_STARTED_WAKEUP:
return "Event wakeup";
+ case VIR_DOMAIN_EVENT_STARTED_RECREATION:
+ return "Recreation";
+
case VIR_DOMAIN_EVENT_STARTED_LAST:
break;
}
@@ -227,6 +230,9 @@ eventDetailToString(int event,
case VIR_DOMAIN_EVENT_STOPPED_FROM_SNAPSHOT:
return "Snapshot";
+ case VIR_DOMAIN_EVENT_STOPPED_RECREATION:
+ return "Recreation";
+
case VIR_DOMAIN_EVENT_STOPPED_LAST:
break;
}
diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h
index df13b72f7b..7759ddeaad 100644
--- a/include/libvirt/libvirt-domain.h
+++ b/include/libvirt/libvirt-domain.h
@@ -3873,6 +3873,7 @@ typedef enum {
VIR_DOMAIN_EVENT_STARTED_RESTORED = 2, /* Restored from a state file (Since: 0.5.0) */
VIR_DOMAIN_EVENT_STARTED_FROM_SNAPSHOT = 3, /* Restored from snapshot (Since: 0.8.0) */
VIR_DOMAIN_EVENT_STARTED_WAKEUP = 4, /* Started due to wakeup event (Since: 0.9.11) */
+ VIR_DOMAIN_EVENT_STARTED_RECREATION = 5, /* Secure guest recreation (Since: 10.1.0) */
# ifdef VIR_ENUM_SENTINELS
VIR_DOMAIN_EVENT_STARTED_LAST /* (Since: 0.9.10) */
@@ -3937,6 +3938,7 @@ typedef enum {
VIR_DOMAIN_EVENT_STOPPED_SAVED = 4, /* Saved to a state file (Since: 0.5.0) */
VIR_DOMAIN_EVENT_STOPPED_FAILED = 5, /* Host emulator/mgmt failed (Since: 0.5.0) */
VIR_DOMAIN_EVENT_STOPPED_FROM_SNAPSHOT = 6, /* offline snapshot loaded (Since: 0.8.0) */
+ VIR_DOMAIN_EVENT_STOPPED_RECREATION = 7, /* Secure guest recreation (Since: 10.1.0) */
# ifdef VIR_ENUM_SENTINELS
VIR_DOMAIN_EVENT_STOPPED_LAST /* (Since: 0.9.10) */
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index caf63b0ae3..0d4fdf6960 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -455,6 +455,7 @@ qemuProcessFakeRebootViaRecreate(virDomainObj *vm)
{
qemuDomainObjPrivate *priv = vm->privateData;
virQEMUDriver *driver = priv->driver;
+ virObjectEvent *event = NULL;
int ret = -1;
VIR_DEBUG("Handle secure guest reboot: destroy phase");
@@ -471,6 +472,11 @@ qemuProcessFakeRebootViaRecreate(virDomainObj *vm)
qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_DESTROYED, VIR_ASYNC_JOB_NONE, 0);
virDomainAuditStop(vm, "destroyed");
+ event = virDomainEventLifecycleNewFromObj(vm,
+ VIR_DOMAIN_EVENT_STOPPED,
+ VIR_DOMAIN_EVENT_STOPPED_RECREATION);
+ virObjectEventStateQueue(driver->domainEventState, event);
+
/* skip remove inactive domain from active list */
qemuProcessEndStopJob(vm);
@@ -491,6 +497,10 @@ qemuProcessFakeRebootViaRecreate(virDomainObj *vm)
}
virDomainAuditStart(vm, "booted", true);
+ event = virDomainEventLifecycleNewFromObj(vm,
+ VIR_DOMAIN_EVENT_STARTED,
+ VIR_DOMAIN_EVENT_STARTED_RECREATION);
+ virObjectEventStateQueue(driver->domainEventState, event);
qemuDomainSaveStatus(vm);
ret = 0;
diff --git a/tools/virsh-domain-event.c b/tools/virsh-domain-event.c
index cd33d4d938..1b42ed706d 100644
--- a/tools/virsh-domain-event.c
+++ b/tools/virsh-domain-event.c
@@ -70,7 +70,8 @@ VIR_ENUM_IMPL(virshDomainEventStarted,
N_("Migrated"),
N_("Restored"),
N_("Snapshot"),
- N_("Event wakeup"));
+ N_("Event wakeup"),
+ N_("Recreation"));
VIR_ENUM_DECL(virshDomainEventSuspended);
VIR_ENUM_IMPL(virshDomainEventSuspended,
@@ -103,7 +104,8 @@ VIR_ENUM_IMPL(virshDomainEventStopped,
N_("Migrated"),
N_("Saved"),
N_("Failed"),
- N_("Snapshot"));
+ N_("Snapshot"),
+ N_("Recreation"));
VIR_ENUM_DECL(virshDomainEventShutdown);
VIR_ENUM_IMPL(virshDomainEventShutdown,
--
2.51.0

150
SOURCES/libvirt-qemu-Support-domain-reset-command-for-TDX-guest.patch
View File

@ -1,150 +0,0 @@
From 9a47f88f06ca6c1274c2bb5ca723057faf33e86e Mon Sep 17 00:00:00 2001
Message-ID: <9a47f88f06ca6c1274c2bb5ca723057faf33e86e.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:23 -0400
Subject: [PATCH] qemu: Support domain reset command for TDX guest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
TDX guest doesn't support system_reset, so have to kill the old QEMU and
start a new one to simulate the reset. This can be achieved by calling
qemuProcessFakeRebootViaRecreate().
Simiar as FakeReboot, QEMU sends SHUTDOWN event with "host-signal" reason
which can trigger another FakeReset. Check if a FakeReset is ongoing and
bypass "host-signal" processing which originally comes from FakeReset.
Domain lock is already hold in qemuDomainReset() before calling
qemuProcessFakeRebootViaRecreate(), so bypass locking in it.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit fcc12f217e7a45ec6049642c2707917bb290d58c)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_driver.c | 10 +++++++++-
src/qemu/qemu_monitor.c | 6 ++++++
src/qemu/qemu_process.c | 14 +++++++++-----
src/qemu/qemu_process.h | 2 ++
5 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 3f16f86da8..d787d2a065 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -128,6 +128,7 @@ struct _qemuDomainObjPrivate {
char *lockState;
bool fakeReboot;
+ bool fakeReset;
bool pausedShutdown;
/* allowReboot:
*
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 7d0c39c89f..98bfe8124d 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -2008,13 +2008,21 @@ qemuDomainReset(virDomainPtr dom, unsigned int flags)
if (virDomainResetEnsureACL(dom->conn, vm->def) < 0)
goto cleanup;
+ priv = vm->privateData;
+
+ if (vm->def->sec &&
+ vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_TDX) {
+ priv->fakeReset = true;
+ ret = qemuProcessFakeRebootViaRecreate(vm, true);
+ goto cleanup;
+ }
+
if (virDomainObjBeginJob(vm, VIR_JOB_MODIFY) < 0)
goto cleanup;
if (virDomainObjCheckActive(vm) < 0)
goto endjob;
- priv = vm->privateData;
qemuDomainObjEnterMonitor(vm);
ret = qemuMonitorSystemReset(priv->mon);
qemuDomainObjExitMonitor(vm);
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 6d19b675d5..a9fe4f2f6b 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -1086,6 +1086,12 @@ qemuMonitorEmitShutdown(qemuMonitor *mon, virTristateBool guest,
if (priv->fakeReboot && STREQ_NULLABLE(reason, "host-signal"))
return;
+ /* Similar as FakeReboot for FakeReset. */
+ if (priv->fakeReset && STREQ_NULLABLE(reason, "host-signal")) {
+ priv->fakeReset = false;
+ return;
+ }
+
if ((STREQ_NULLABLE(reason, "guest-shutdown") &&
vm->def->onPoweroff == VIR_DOMAIN_LIFECYCLE_ACTION_RESTART) ||
(STREQ_NULLABLE(reason, "guest-reset") &&
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 0d4fdf6960..7b6c02bc27 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -450,8 +450,8 @@ qemuProcessHandleReset(qemuMonitor *mon G_GNUC_UNUSED,
* Secure guest doesn't support fake reboot via machine CPU reset.
* We thus fake reboot via QEMU re-creation.
*/
-static void
-qemuProcessFakeRebootViaRecreate(virDomainObj *vm)
+int
+qemuProcessFakeRebootViaRecreate(virDomainObj *vm, bool locked)
{
qemuDomainObjPrivate *priv = vm->privateData;
virQEMUDriver *driver = priv->driver;
@@ -460,7 +460,9 @@ qemuProcessFakeRebootViaRecreate(virDomainObj *vm)
VIR_DEBUG("Handle secure guest reboot: destroy phase");
- virObjectLock(vm);
+ if (!locked)
+ virObjectLock(vm);
+
if (qemuProcessBeginStopJob(vm, VIR_JOB_DESTROY, 0) < 0)
goto cleanup;
@@ -513,7 +515,9 @@ qemuProcessFakeRebootViaRecreate(virDomainObj *vm)
qemuDomainSetFakeReboot(vm, false);
if (ret == -1)
ignore_value(qemuProcessKill(vm, VIR_QEMU_PROCESS_KILL_FORCE));
- virDomainObjEndAPI(&vm);
+ if (!locked)
+ virDomainObjEndAPI(&vm);
+ return ret;
}
@@ -587,7 +591,7 @@ qemuProcessFakeReboot(void *opaque)
if (vm->def->sec &&
vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_TDX)
- qemuProcessFakeRebootViaRecreate(vm);
+ ignore_value(qemuProcessFakeRebootViaRecreate(vm, false));
else
qemuProcessFakeRebootViaReset(vm);
}
diff --git a/src/qemu/qemu_process.h b/src/qemu/qemu_process.h
index fee00ce53b..3074f27b64 100644
--- a/src/qemu/qemu_process.h
+++ b/src/qemu/qemu_process.h
@@ -184,6 +184,8 @@ typedef enum {
int qemuProcessKill(virDomainObj *vm, unsigned int flags);
+int qemuProcessFakeRebootViaRecreate(virDomainObj *vm, bool locked);
+
void qemuProcessShutdownOrReboot(virDomainObj *vm);
void qemuProcessAutoDestroy(virDomainObj *dom,
--
2.51.0

96
SOURCES/libvirt-qemu-Support-reboot-command-in-guest.patch
View File

@ -1,96 +0,0 @@
From ae1ff9ae8b699e4be8b482d7dee32b3fe27767c7 Mon Sep 17 00:00:00 2001
Message-ID: <ae1ff9ae8b699e4be8b482d7dee32b3fe27767c7.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:19 -0400
Subject: [PATCH] qemu: Support reboot command in guest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We can reboot a TDX guest with 'virsh reboot' or 'virsh shutdown' if action
for onPoweroff is 'restart'. But running reboot command in guest shell will
always lead to shutdown.
This behavior is not consistent with normal guest, fix it by checking
shutdown reason and action configuration to trigger FakeReboot.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 312c3afa48936c7a9676408abdd5a44cb9ad2baa)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/qemu/qemu_monitor.c | 18 +++++++++++++++++-
src/qemu/qemu_monitor.h | 2 +-
src/qemu/qemu_monitor_json.c | 6 +++++-
3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 18b877ce29..40f15c88a8 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -1063,10 +1063,26 @@ qemuMonitorEmitEvent(qemuMonitor *mon, const char *event,
void
-qemuMonitorEmitShutdown(qemuMonitor *mon, virTristateBool guest)
+qemuMonitorEmitShutdown(qemuMonitor *mon, virTristateBool guest,
+ const char *reason)
{
+ virDomainObj *vm = mon->vm;
+
VIR_DEBUG("mon=%p guest=%u", mon, guest);
+ /* This isn't best place to set FakeReboot but we need to access
+ * mon->vm which is defined in this file. Reboot command in guest
+ * will trigger SHUTDOWN event for TDX guest, so we has to deal
+ * with it here. */
+ if (vm->def->sec &&
+ vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_TDX) {
+ if ((STREQ_NULLABLE(reason, "guest-shutdown") &&
+ vm->def->onPoweroff == VIR_DOMAIN_LIFECYCLE_ACTION_RESTART) ||
+ (STREQ_NULLABLE(reason, "guest-reset") &&
+ vm->def->onReboot == VIR_DOMAIN_LIFECYCLE_ACTION_RESTART))
+ qemuDomainSetFakeReboot(vm, true);
+ }
+
QEMU_MONITOR_CALLBACK(mon, domainShutdown, mon->vm, guest);
}
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index bf44c96057..d4730162ca 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -460,7 +460,7 @@ int qemuMonitorUpdateVideoVram64Size(qemuMonitor *mon,
void qemuMonitorEmitEvent(qemuMonitor *mon, const char *event,
long long seconds, unsigned int micros,
const char *details);
-void qemuMonitorEmitShutdown(qemuMonitor *mon, virTristateBool guest);
+void qemuMonitorEmitShutdown(qemuMonitor *mon, virTristateBool guest, const char *reason);
void qemuMonitorEmitReset(qemuMonitor *mon);
void qemuMonitorEmitStop(qemuMonitor *mon);
void qemuMonitorEmitResume(qemuMonitor *mon);
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index db46bcc741..cbe10ad907 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -548,12 +548,16 @@ qemuMonitorJSONMakeCommand(const char *cmdname,
static void qemuMonitorJSONHandleShutdown(qemuMonitor *mon, virJSONValue *data)
{
bool guest = false;
+ const char *reason = NULL;
virTristateBool guest_initiated = VIR_TRISTATE_BOOL_ABSENT;
if (data && virJSONValueObjectGetBoolean(data, "guest", &guest) == 0)
guest_initiated = virTristateBoolFromBool(guest);
- qemuMonitorEmitShutdown(mon, guest_initiated);
+ if (data)
+ reason = virJSONValueObjectGetString(data, "reason");
+
+ qemuMonitorEmitShutdown(mon, guest_initiated, reason);
}
static void qemuMonitorJSONHandleReset(qemuMonitor *mon, virJSONValue *data G_GNUC_UNUSED)
--
2.51.0

165
SOURCES/libvirt-qemu-log-the-crash-information-for-TDX.patch
View File

@ -1,165 +0,0 @@
From 052fb2f399b0fd750421ae0451f9bc17d5660147 Mon Sep 17 00:00:00 2001
Message-ID: <052fb2f399b0fd750421ae0451f9bc17d5660147.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:14 -0400
Subject: [PATCH] qemu: log the crash information for TDX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since QEMU 10.1.0 commit id '6e250463b08b' guest crash information for
TDX is available in the QEMU monitor, e.g.:
{
"timestamp": {
"seconds": 1752118704,
"microseconds": 27480
},
"event": "GUEST_PANICKED",
"data": {
"action": "pause",
"info": {
"error-code": 0,
"message": "TD misconfiguration: SEPT #VE has to be disabled",
"type": "tdx"
}
}
}
Let's log this information into the domain log file, e.g.:
2025-07-10 03:39:18.243+0000: panic tdx: error_code='0x0' message='TD misconfiguration: SEPT #VE has to be disabled'
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
(cherry picked from commit 9df19f60f64f77f51b1bc1a632dfb0d30334b2dd)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/qemu/qemu_monitor.c | 16 ++++++++++++++++
src/qemu/qemu_monitor.h | 11 +++++++++++
src/qemu/qemu_monitor_json.c | 32 ++++++++++++++++++++++++++++++++
3 files changed, 59 insertions(+)
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 3945aa92e5..18b877ce29 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -3916,6 +3916,19 @@ qemuMonitorGuestPanicEventInfoFormatMsg(qemuMonitorEventPanicInfo *info)
info->data.s390.psw_addr,
info->data.s390.reason);
break;
+ case QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_TDX:
+ if (info->data.tdx.has_gpa)
+ ret = g_strdup_printf("tdx: error_code='0x%x' message='%s' "
+ "additional error information can be found "
+ "at gpa page: '0x%016llx'",
+ info->data.tdx.error_code,
+ info->data.tdx.message,
+ info->data.tdx.gpa);
+ else
+ ret = g_strdup_printf("tdx: error_code='0x%x' message='%s'",
+ info->data.tdx.error_code,
+ info->data.tdx.message);
+ break;
case QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_NONE:
case QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_LAST:
break;
@@ -3935,6 +3948,9 @@ qemuMonitorEventPanicInfoFree(qemuMonitorEventPanicInfo *info)
case QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_S390:
g_free(info->data.s390.reason);
break;
+ case QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_TDX:
+ g_free(info->data.tdx.message);
+ break;
case QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_NONE:
case QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_HYPERV:
case QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_LAST:
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index acb3279e45..bf44c96057 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -38,6 +38,7 @@ typedef enum {
QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_NONE = 0,
QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_HYPERV,
QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_S390,
+ QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_TDX,
QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_LAST
} qemuMonitorEventPanicInfoType;
@@ -61,12 +62,22 @@ struct _qemuMonitorEventPanicInfoS390 {
char *reason;
};
+typedef struct _qemuMonitorEventPanicInfoTDX qemuMonitorEventPanicInfoTDX;
+struct _qemuMonitorEventPanicInfoTDX {
+ /* TDX specific guest panic information */
+ int error_code;
+ char *message;
+ bool has_gpa;
+ unsigned long long gpa;
+};
+
typedef struct _qemuMonitorEventPanicInfo qemuMonitorEventPanicInfo;
struct _qemuMonitorEventPanicInfo {
qemuMonitorEventPanicInfoType type;
union {
qemuMonitorEventPanicInfoHyperv hyperv;
qemuMonitorEventPanicInfoS390 s390;
+ qemuMonitorEventPanicInfoTDX tdx;
} data;
};
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index edf6fac76e..db46bcc741 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -621,6 +621,36 @@ qemuMonitorJSONGuestPanicExtractInfoS390(virJSONValue *data)
return g_steal_pointer(&ret);
}
+static qemuMonitorEventPanicInfo *
+qemuMonitorJSONGuestPanicExtractInfoTDX(virJSONValue *data)
+{
+ g_autoptr(qemuMonitorEventPanicInfo) ret = NULL;
+ int error_code;
+ unsigned long long gpa = 0;
+ const char *message = NULL;
+ bool has_gpa;
+
+ ret = g_new0(qemuMonitorEventPanicInfo, 1);
+
+ ret->type = QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_TDX;
+ has_gpa = virJSONValueObjectHasKey(data, "gpa");
+
+ if (virJSONValueObjectGetNumberInt(data, "error-code", &error_code) < 0 ||
+ !(message = virJSONValueObjectGetString(data, "message")) ||
+ (has_gpa && virJSONValueObjectGetNumberUlong(data, "gpa", &gpa) < 0)) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("malformed TDX panic data"));
+ return NULL;
+ }
+
+ ret->data.tdx.error_code = error_code;
+ ret->data.tdx.gpa = gpa;
+ ret->data.tdx.has_gpa = has_gpa;
+
+ ret->data.tdx.message = g_strdup(message);
+
+ return g_steal_pointer(&ret);
+}
+
static qemuMonitorEventPanicInfo *
qemuMonitorJSONGuestPanicExtractInfo(virJSONValue *data)
{
@@ -630,6 +660,8 @@ qemuMonitorJSONGuestPanicExtractInfo(virJSONValue *data)
return qemuMonitorJSONGuestPanicExtractInfoHyperv(data);
else if (STREQ_NULLABLE(type, "s390"))
return qemuMonitorJSONGuestPanicExtractInfoS390(data);
+ else if (STREQ_NULLABLE(type, "tdx"))
+ return qemuMonitorJSONGuestPanicExtractInfoTDX(data);
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unknown panic info type '%1$s'"), NULLSTR(type));
--
2.51.0

122
SOURCES/libvirt-qemu_firmware-Pick-the-right-firmware-for-TDX-guests.patch
View File

@ -1,122 +0,0 @@
From 53970ee6e429594f696f6e8056a7f5240c825974 Mon Sep 17 00:00:00 2001
Message-ID: <53970ee6e429594f696f6e8056a7f5240c825974.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:15 -0400
Subject: [PATCH] qemu_firmware: Pick the right firmware for TDX guests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The firmware descriptors have 'intel-tdx' feature which
describes whether firmware is suitable for TDX guests.
Provide necessary implementation to detect the feature and pick
the right firmware if guest is TDX enabled.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
(cherry picked from commit 2dec0d9ede0546f5db9d36c2baddb9d94c83a435)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/qemu/qemu_firmware.c | 21 ++++++++++++++++++-
.../firmware/60-edk2-ovmf-x64-inteltdx.json | 1 +
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 6c65a2751b..f10137144e 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -149,6 +149,7 @@ typedef enum {
QEMU_FIRMWARE_FEATURE_AMD_SEV,
QEMU_FIRMWARE_FEATURE_AMD_SEV_ES,
QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP,
+ QEMU_FIRMWARE_FEATURE_INTEL_TDX,
QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
@@ -167,6 +168,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
"amd-sev",
"amd-sev-es",
"amd-sev-snp",
+ "intel-tdx",
"enrolled-keys",
"requires-smm",
"secure-boot",
@@ -1158,6 +1160,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
bool supportsSEV = false;
bool supportsSEVES = false;
bool supportsSEVSNP = false;
+ bool supportsTDX = false;
bool supportsSecureBoot = false;
bool hasEnrolledKeys = false;
int reqSecureBoot;
@@ -1209,6 +1212,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
supportsSEVSNP = true;
break;
+ case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ supportsTDX = true;
+ break;
+
case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
requiresSMM = true;
break;
@@ -1370,9 +1377,18 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
return false;
}
break;
- case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+
case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ if (!supportsTDX) {
+ VIR_DEBUG("Domain requires TDX, firmware '%s' doesn't support it",
+ path);
+ return false;
+ }
break;
+
+ case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ break;
+
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
@@ -1490,6 +1506,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
+ case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1541,6 +1558,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
+ case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
case QEMU_FIRMWARE_FEATURE_LAST:
@@ -1981,6 +1999,7 @@ qemuFirmwareGetSupported(const char *machine,
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
+ case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
diff --git a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json
index d002ec7386..2630b57b05 100644
--- a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json
+++ b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json
@@ -16,6 +16,7 @@
],
"features": [
"enrolled-keys",
+ "intel-tdx",
"secure-boot",
"verbose-dynamic"
]
--
2.51.0

36
SOURCES/libvirt-qemucapabilitiesdata-Document-inteltdx-variant.patch
View File

@ -1,36 +0,0 @@
From 14406d5398bab0cde8e340964e13f992a179d4ac Mon Sep 17 00:00:00 2001
Message-ID: <14406d5398bab0cde8e340964e13f992a179d4ac.1759835599.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:05 -0400
Subject: [PATCH] qemucapabilitiesdata: Document '+inteltdx' variant
Upcoming patch will introduce test data from an TDX-enabled host.
Document the new variant.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit 4c59ff7783d1672b872cc4190df3e89ae8d4130a)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
tests/qemucapabilitiesdata/README.rst | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tests/qemucapabilitiesdata/README.rst b/tests/qemucapabilitiesdata/README.rst
index f65f07cfca..f87bbda52b 100644
--- a/tests/qemucapabilitiesdata/README.rst
+++ b/tests/qemucapabilitiesdata/README.rst
@@ -58,6 +58,11 @@ Known test variants
for qemu.
+``+inteltdx``
+
+ Variant of the test data captured on hosts supporting INTEL TDX security
+ framework.
+
Usage in tests
==============
--
2.51.0

51568
SOURCES/libvirt-qemucapabilitiestest-Add-data-for-the-qemu-10.1.0-dev-cycle-on-x86_64-for-the-inteltdx-variant.patch
View File

File diff suppressed because it is too large Load Diff

211
SOURCES/libvirt-qemuxmlconftest-Add-latest-version-of-launch-security-tdx-test-data.patch
View File

@ -1,211 +0,0 @@
From c8561a94d58c4b90ab67f49cc963e6b431972aee Mon Sep 17 00:00:00 2001
Message-ID: <c8561a94d58c4b90ab67f49cc963e6b431972aee.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:24 -0400
Subject: [PATCH] qemuxmlconftest: Add latest version of 'launch-security-tdx*'
test data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We now have the '+inteltdx' variant dumped from a modern qemu with tdx support,
add qemuxmlconftest data for that variant.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
(cherry picked from commit 798f748210ff7a43702adadd6037220b713d998e)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
RHEL: rename the files to not include +inteltdx
---
.../launch-security-tdx.x86_64-latest.args | 44 +++++++++++
.../launch-security-tdx.x86_64-latest.xml | 75 +++++++++++++++++++
tests/qemuxmlconfdata/launch-security-tdx.xml | 28 +++++++
tests/qemuxmlconftest.c | 3 +
4 files changed, 150 insertions(+)
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest.args
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx.xml
diff --git a/tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest.args b/tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest.args
new file mode 100644
index 0000000000..366d553c93
--- /dev/null
+++ b/tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest.args
@@ -0,0 +1,44 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/var/lib/libvirt/qemu/domain--1-guest \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-guest/.local/share \
+XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-guest/.cache \
+XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=guest,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
+-machine q35,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \
+-accel tcg \
+-cpu qemu64 \
+-m size=4194304k \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":4294967296}' \
+-overcommit mem-lock=off \
+-smp 4,sockets=4,cores=1,threads=1 \
+-uuid 1ccfd97d-5eb4-478a-bbe6-88d254c16db7 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-device '{"driver":"pcie-root-port","port":16,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x2"}' \
+-device '{"driver":"pcie-pci-bridge","id":"pci.2","bus":"pci.1","addr":"0x0"}' \
+-device '{"driver":"pcie-root-port","port":17,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x2.0x1"}' \
+-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.2","addr":"0x2"}' \
+-device '{"driver":"lsi","id":"scsi0","bus":"pci.2","addr":"0x3"}' \
+-netdev '{"type":"user","id":"hostnet0"}' \
+-device '{"driver":"rtl8139","netdev":"hostnet0","id":"net0","mac":"52:54:00:09:a4:37","bus":"pci.2","addr":"0x1"}' \
+-chardev pty,id=charserial0 \
+-device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-device '{"driver":"cirrus-vga","id":"video0","bus":"pcie.0","addr":"0x1"}' \
+-global ICH9-LPC.noreboot=off \
+-watchdog-action reset \
+-object '{"qom-type":"tdx-guest","id":"lsec0","mrconfigid":"ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v","mrowner":"ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v","mrownerconfig":"ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v","quote-generation-socket":{"type":"unix","path":"/var/run/tdx-qgs/qgs.socket"},"attributes":268435456}' \
+-device '{"driver":"pvpanic"}' \
+-msg timestamp=on
diff --git a/tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest.xml
new file mode 100644
index 0000000000..757fbdabbb
--- /dev/null
+++ b/tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest.xml
@@ -0,0 +1,75 @@
+<domain type='qemu'>
+ <name>guest</name>
+ <uuid>1ccfd97d-5eb4-478a-bbe6-88d254c16db7</uuid>
+ <memory unit='KiB'>4194304</memory>
+ <currentMemory unit='KiB'>4194304</currentMemory>
+ <vcpu placement='static'>4</vcpu>
+ <os>
+ <type arch='x86_64' machine='q35'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <cpu mode='custom' match='exact' check='none'>
+ <model fallback='forbid'>qemu64</model>
+ </cpu>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <controller type='usb' index='0' model='piix3-uhci'>
+ <address type='pci' domain='0x0000' bus='0x02' slot='0x02' function='0x0'/>
+ </controller>
+ <controller type='scsi' index='0' model='lsilogic'>
+ <address type='pci' domain='0x0000' bus='0x02' slot='0x03' function='0x0'/>
+ </controller>
+ <controller type='sata' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pcie-root'/>
+ <controller type='pci' index='1' model='pcie-root-port'>
+ <model name='pcie-root-port'/>
+ <target chassis='1' port='0x10'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+ </controller>
+ <controller type='pci' index='2' model='pcie-to-pci-bridge'>
+ <model name='pcie-pci-bridge'/>
+ <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+ </controller>
+ <controller type='pci' index='3' model='pcie-root-port'>
+ <model name='pcie-root-port'/>
+ <target chassis='3' port='0x11'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+ </controller>
+ <interface type='user'>
+ <mac address='52:54:00:09:a4:37'/>
+ <model type='rtl8139'/>
+ <address type='pci' domain='0x0000' bus='0x02' slot='0x01' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target type='isa-serial' port='0'>
+ <model name='isa-serial'/>
+ </target>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <audio id='1' type='none'/>
+ <video>
+ <model type='cirrus' vram='16384' heads='1' primary='yes'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+ </video>
+ <watchdog model='itco' action='reset'/>
+ <memballoon model='none'/>
+ <panic model='isa'/>
+ </devices>
+ <launchSecurity type='tdx'>
+ <policy>0x10000000</policy>
+ <mrConfigId>ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v</mrConfigId>
+ <mrOwner>ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v</mrOwner>
+ <mrOwnerConfig>ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v</mrOwnerConfig>
+ <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
+ </launchSecurity>
+</domain>
diff --git a/tests/qemuxmlconfdata/launch-security-tdx.xml b/tests/qemuxmlconfdata/launch-security-tdx.xml
new file mode 100644
index 0000000000..07e3ae6db8
--- /dev/null
+++ b/tests/qemuxmlconfdata/launch-security-tdx.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>guest</name>
+ <uuid>1ccfd97d-5eb4-478a-bbe6-88d254c16db7</uuid>
+ <memory>4194304</memory>
+ <vcpu>4</vcpu>
+ <os>
+ <type arch='x86_64' machine='q35'>hvm</type>
+ </os>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <controller type='usb'/>
+ <controller type='scsi'/>
+ <interface type='user'>
+ <mac address='52:54:00:09:a4:37'/>
+ </interface>
+ <serial type='pty'/>
+ <video/>
+ <memballoon model='none'/>
+ <panic/>
+ </devices>
+ <launchSecurity type='tdx'>
+ <policy>0x10000000</policy>
+ <mrConfigId>ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v</mrConfigId>
+ <mrOwner>ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v</mrOwner>
+ <mrOwnerConfig>ASNFZ4mrze8BI0VniavN7wEjRWeJq83vASNFZ4mrze8BI0VniavN7wEjRWeJq83v</mrOwnerConfig>
+ <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
+ </launchSecurity>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index a0af6429d1..5683e76599 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -2893,6 +2893,9 @@ mymain(void)
DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv", "s390x");
+ DO_TEST_CAPS_ARCH_LATEST_FULL("launch-security-tdx", "x86_64",
+ ARG_CAPS_VARIANT, "+inteltdx", ARG_END);
+
DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
DO_TEST_CAPS_LATEST("vhost-user-fs-fd-openfiles");
DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
--
2.51.0

107
SOURCES/libvirt-tools-Secure-guest-check-for-Intel-in-virt-host-validate.patch
View File

@ -1,107 +0,0 @@
From c0c1b6b0c424c5c9e030e688d8c9dc20e9aa0ea4 Mon Sep 17 00:00:00 2001
Message-ID: <c0c1b6b0c424c5c9e030e688d8c9dc20e9aa0ea4.1759835599.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:03 -0400
Subject: [PATCH] tools: Secure guest check for Intel in virt-host-validate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add check in virt-host-validate for secure guest support
on x86 for Intel Trust Domain Extentions.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
(cherry picked from commit 908bb55724837e66778e6a2c264c9e92b51d7eb6)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
tools/virt-host-validate-common.c | 31 ++++++++++++++++++++++++++++++-
tools/virt-host-validate-common.h | 1 +
2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
index 63cc3dbe7b..59f6ac3319 100644
--- a/tools/virt-host-validate-common.c
+++ b/tools/virt-host-validate-common.c
@@ -44,7 +44,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag,
"svm",
"sie",
"158",
- "sev");
+ "sev",
+ "tdx_host_platform");
int virHostValidateDeviceExists(const char *hvname,
@@ -434,12 +435,36 @@ virHostValidateAMDSev(const char *hvname,
}
+static int virHostValidateIntelTDX(virValidateLevel level)
+{
+ g_autofree char *mod_value = NULL;
+
+ if (virFileReadValueString(&mod_value, "/sys/module/kvm_intel/parameters/tdx") < 0) {
+ virValidateFail(level, "Intel Trust Domain Extentions not "
+ "supported by the currently used kernel");
+ return VIR_VALIDATE_FAILURE(level);
+ }
+
+ if (mod_value[0] != 'Y') {
+ virValidateFail(level,
+ "Intel Trust Domain Extentions appears to be "
+ "disabled in kernel. Add kvm_intel.tdx=Y "
+ "to the kernel cmdline arguments");
+ return VIR_VALIDATE_FAILURE(level);
+ }
+
+ virValidatePass();
+ return 1;
+}
+
+
int virHostValidateSecureGuests(const char *hvname,
virValidateLevel level)
{
g_autoptr(virBitmap) flags = NULL;
bool hasFac158 = false;
bool hasAMDSev = false;
+ bool hasIntelTDX = false;
virArch arch = virArchFromHost();
g_autofree char *cmdline = NULL;
static const char *kIBMValues[] = {"y", "Y", "on", "ON", "oN", "On", "1"};
@@ -450,6 +475,8 @@ int virHostValidateSecureGuests(const char *hvname,
hasFac158 = true;
else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SEV))
hasAMDSev = true;
+ else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_TDX))
+ hasIntelTDX = true;
virValidateCheck(hvname, "%s", _("Checking for secure guest support"));
if (ARCH_IS_S390(arch)) {
@@ -485,6 +512,8 @@ int virHostValidateSecureGuests(const char *hvname,
}
} else if (hasAMDSev) {
return virHostValidateAMDSev(hvname, level);
+ } else if (hasIntelTDX) {
+ return virHostValidateIntelTDX(level);
}
virValidateFail(level,
diff --git a/tools/virt-host-validate-common.h b/tools/virt-host-validate-common.h
index 7fb3545fe3..c81d203933 100644
--- a/tools/virt-host-validate-common.h
+++ b/tools/virt-host-validate-common.h
@@ -32,6 +32,7 @@ typedef enum {
VIR_HOST_VALIDATE_CPU_FLAG_SIE,
VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158,
VIR_HOST_VALIDATE_CPU_FLAG_SEV,
+ VIR_HOST_VALIDATE_CPU_FLAG_TDX,
VIR_HOST_VALIDATE_CPU_FLAG_LAST,
} virHostValidateCPUFlag;
--
2.51.0

50
SPECS/libvirt.spec
View File

@ -293,7 +293,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 10.10.0
Release: 15.1%{?dist}%{?extra_release}.alma.1
Release: 15%{?dist}%{?extra_release}.alma.1
License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
URL: https://libvirt.org/
@ -455,28 +455,6 @@ Patch151: libvirt-esx-Allow-specifying-different-CA-bundle-for-remote-connection
Patch152: libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch
Patch153: libvirt-qemu-sanitize-blank-lines-in-config-file.patch
Patch154: libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch
Patch155: libvirt-tools-Secure-guest-check-for-Intel-in-virt-host-validate.patch
Patch156: libvirt-qemu-Check-if-INTEL-Trust-Domain-Extention-support-is-enabled.patch
Patch157: libvirt-qemucapabilitiesdata-Document-inteltdx-variant.patch
Patch158: libvirt-qemucapabilitiestest-Add-data-for-the-qemu-10.1.0-dev-cycle-on-x86_64-for-the-inteltdx-variant.patch
Patch159: libvirt-qemu-Add-QEMU_CAPS_TDX_GUEST-capability.patch
Patch160: libvirt-conf-Expose-TDX-feature-in-domain-capabilities.patch
Patch161: libvirt-conf-Add-tdx-as-launch-security-type.patch
Patch162: libvirt-conf-Validate-TDX-launchSecurity-element-mrConfigId-mrOwner-mrOwnerConfig.patch
Patch163: libvirt-qemu-Add-command-line-and-validation-for-TDX-type.patch
Patch164: libvirt-conf-Expose-TDX-type-in-domain-launch-security-capability.patch
Patch165: libvirt-qemu-Force-special-parameters-enabled-for-TDX-guest.patch
Patch166: libvirt-qemu-log-the-crash-information-for-TDX.patch
Patch167: libvirt-qemu_firmware-Pick-the-right-firmware-for-TDX-guests.patch
Patch168: libvirt-conf-Add-Intel-TDX-Quote-Generation-Service-QGS-support.patch
Patch169: libvirt-qemu-Add-command-line-for-TDX-Quote-Generation-Service-QGS.patch
Patch170: libvirt-qemu-Add-FakeReboot-support-for-TDX-guest.patch
Patch171: libvirt-qemu-Support-reboot-command-in-guest.patch
Patch172: libvirt-qemu-Avoid-duplicate-FakeReboot-for-secure-guest.patch
Patch173: libvirt-qemu-Send-event-VIR_DOMAIN_EVENT_-STOPPED-STARTED-during-recreation.patch
Patch174: libvirt-qemu-Support-domain-reset-command-for-TDX-guest.patch
Patch175: libvirt-qemuxmlconftest-Add-latest-version-of-launch-security-tdx-test-data.patch
Patch176: libvirt-docs-domain-Add-documentation-for-Intel-TDX-guest.patch
Requires: libvirt-daemon = %{version}-%{release}
@ -2802,33 +2780,9 @@ exit 0
%endif
%changelog
* Thu Nov 27 2025 Eduard Abdullin <eabdullin@almalinux.org> - 10.10.0-15.1.alma.1
* Mon Sep 15 2025 Eduard Abdullin <eabdullin@almalinux.org> - 10.10.0-15.alma.1
- Enable building for ppc64le
* Tue Oct 7 2025 Jiri Denemark <jdenemar@redhat.com> - 10.10.0-15.1.el9_7
- tools: Secure guest check for Intel in virt-host-validate (RHEL-111840)
- qemu: Check if INTEL Trust Domain Extention support is enabled (RHEL-111840)
- qemucapabilitiesdata: Document '+inteltdx' variant (RHEL-111840)
- qemucapabilitiestest: Add data for the qemu-10.1.0 dev cycle on x86_64 for the '+inteltdx' variant (RHEL-111840)
- qemu: Add QEMU_CAPS_TDX_GUEST capability (RHEL-111840)
- conf: Expose TDX feature in domain capabilities (RHEL-111840)
- conf: Add tdx as launch security type (RHEL-111840)
- conf: Validate TDX launchSecurity element mrConfigId/mrOwner/mrOwnerConfig (RHEL-111840)
- qemu: Add command line and validation for TDX type (RHEL-111840)
- conf: Expose TDX type in domain launch security capability (RHEL-111840)
- qemu: Force special parameters enabled for TDX guest (RHEL-111840)
- qemu: log the crash information for TDX (RHEL-111840)
- qemu_firmware: Pick the right firmware for TDX guests (RHEL-111840)
- conf: Add Intel TDX Quote Generation Service(QGS) support (RHEL-111840)
- qemu: Add command line for TDX Quote Generation Service(QGS) (RHEL-111840)
- qemu: Add FakeReboot support for TDX guest (RHEL-111840)
- qemu: Support reboot command in guest (RHEL-111840)
- qemu: Avoid duplicate FakeReboot for secure guest (RHEL-111840)
- qemu: Send event VIR_DOMAIN_EVENT_[STOPPED|STARTED] during recreation (RHEL-111840)
- qemu: Support domain reset command for TDX guest (RHEL-111840)
- qemuxmlconftest: Add latest version of 'launch-security-tdx*' test data (RHEL-111840)
- docs: domain: Add documentation for Intel TDX guest (RHEL-111840)
* Mon Aug 18 2025 Jiri Denemark <jdenemar@redhat.com> - 10.10.0-15
- qemu: fix order of VNC TLS config entries (RHEL-106276)
- qemu: sanitize blank lines in config file (RHEL-106276)