On Mon, Nov 27, 2023 at 04:55:16PM +0800, Zhenzhong Duan wrote:
> TDX guest requires some special parameters to boot. They are:
>
> "-machine pc-q35-*"
> "kernel_irqchip=split"
>
> Signed-off-by: Zhenzhong Duan <[email protected]>
> ---
> src/qemu/qemu_validate.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
> index 5a9173e8ff..c4f386fe99 100644
> --- a/src/qemu/qemu_validate.c
> +++ b/src/qemu/qemu_validate.c
> @@ -1329,6 +1329,16 @@ qemuValidateDomainDef(const virDomainDef *def,
> _("INTEL TDX launch security is not supported
> with this QEMU binary"));
> return -1;
> }
> + if (!qemuDomainIsQ35(def)) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("Intel TDX is supported with q35 machine
> types only"));
> + return -1;
> + }

Ideally QMP 'MachineInfo' struct would report whether TDX is supported
so we don't need to hardcode that.

> + if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] !=
> VIR_DOMAIN_IOAPIC_QEMU) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("INTEL TDX launch security needs split
> kernel irqchip"));

s/INTEL/Intel/

Ideally QEMU would automatically use the correct ioapic impl when no
args are given to QEMU. That would let us do

    if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] == VIR_DOMAIN_IOAPIC_KVM) {

thus allowing IOAPIC_NONE (i.e. QEMU's default) or IOAPIC_QEMU (explicitly
requested config). This will make TDX guests "just work" in more scenarios.

> + return -1;
> + }
> break;
> case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
> case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
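
Review bot: the message in the second added check ("needs split kernel irqchip") uses the QEMU-side name, while the value tested is def->features[VIR_DOMAIN_FEATURE_IOAPIC]; the error should name the domain feature the user has to change (the ioapic feature set to qemu), otherwise it is not clear from the message what to edit in the XML. The diffstat also lists only src/qemu/qemu_validate.c, so neither new rejection comes with a test or a documentation change; a negative test for each case (TDX with a non-q35 machine type, TDX without the split ioapic) and a mention of both requirements where TDX launch security is documented would make the new restrictions discoverable.
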
> --
> 2.34.1
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|