From 809c8b4ebb569d283e02b869580914a6c7d9edd5 Mon Sep 17 00:00:00 2001
Message-ID: <809c8b4ebb569d283e02b869580914a6c7d9edd5.1759835600.git.jdenemar@redhat.com>
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Thu, 10 Jul 2025 03:21:13 -0400
Subject: [PATCH] qemu: Force special parameters enabled for TDX guest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
TDX guest requires some special parameters to boot, currently:
"kernel_irqchip=split"
"pmu!=on"
"smm!=on"
"-bios"
If not specified explicitly, QEMU should configure this option implicitly
when starting a TDX guest.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 626b9ca84650966de266ff41e9df59aba948f65e)
Resolves: https://issues.redhat.com/browse/RHEL-111840
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
src/qemu/qemu_validate.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 80aa2529f2..bbd838c7f0 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1403,6 +1403,38 @@ qemuValidateDomainDef(const virDomainDef *def,
_("Only bit0(debug) and bit28(sept-ve-disable) are supported intel TDX launch security policy"));
return -1;
}
+ if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] == VIR_DOMAIN_IOAPIC_KVM) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security needs split kernel irqchip"));
+ return -1;
+ }
+ /* Current KVM doesn't support PMU for TD guest. It returns
+ * error if TD is created with PMU bit being set in attributes.
+ * By default, QEMU disable PMU for TD guest.
+ */
+ if (def->features[VIR_DOMAIN_FEATURE_PMU] == VIR_TRISTATE_SWITCH_ON) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security is not supported with PMU enabled"));
+ return -1;
+ }
+ /* TDX doesn't support SMM and VMM cannot emulate SMM for TDX VMs
+ * because VMM cannot manipulate TDX VM's memory.
+ * By default, QEMU disable SMM for TD guest.
+ */
+ if (def->features[VIR_DOMAIN_FEATURE_SMM] == VIR_TRISTATE_SWITCH_ON) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security is not supported with SMM enabled"));
+ return -1;
+ }
+ /* TDVF(OVMF) needs to run at private memory for TD guest. TDX cannot
+ * support pflash device since it doesn't support read-only private memory.
+ * Thus load TDVF(OVMF) with -bios option for TDs.
+ */
+ if (def->os.loader && def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_PFLASH) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX launch security is not supported with pflash loader"));
+ return -1;
+ }
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
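Review bot: The new IOAPIC check is the only one of the four TDX constraints added here without a comment saying why it exists, while the PMU, SMM and pflash checks that follow each carry one; a short comment above the `VIR_DOMAIN_IOAPIC_KVM` test such as `/* TDX requires kernel_irqchip=split; the in-kernel IOAPIC cannot be used with a TD guest. */` would keep the block self-explanatory. Note that all four checks reject only an explicit conflicting setting and leave the unset case to QEMU's TDX defaults, as the commit message states, so a reader should not expect this code to force the values itself. For the loader check, it is worth confirming that a loader chosen by firmware autoselection after validation cannot end up as pflash, since this branch only sees what is already in `def->os.loader` at validation time. The enclosing `qemuValidateDomainDef` and the TDX `case` begin before and end after this hunk.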
--
2.51.0