>-----Original Message-----
>From: Daniel P. Berrangé <[email protected]>
>Subject: Re: [PATCH rfcv3 06/11] qemu: force special parameters enabled for
>TDX guest
>
>On Mon, Nov 27, 2023 at 04:55:16PM +0800, Zhenzhong Duan wrote:
>> TDX guest requires some special parameters to boot. They are:
>>
>> "-machine pc-q35-*"
>> "kernel_irqchip=split"
>>
>> Signed-off-by: Zhenzhong Duan <[email protected]>
>> ---
>> src/qemu/qemu_validate.c | 10 ++++++++++
>> 1 file changed, 10 insertions(+)
>>
>> diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
>> index 5a9173e8ff..c4f386fe99 100644
>> --- a/src/qemu/qemu_validate.c
>> +++ b/src/qemu/qemu_validate.c
>> @@ -1329,6 +1329,16 @@ qemuValidateDomainDef(const virDomainDef
>*def,
>> _("INTEL TDX launch security is not
>> supported with this
>QEMU binary"));
>> return -1;
>> }
>> + if (!qemuDomainIsQ35(def)) {
>> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
>> + _("Intel TDX is supported with q35 machine
>> types
>only"));
>> + return -1;
>> + }
>
>Ideally QMP 'MachineInfo' struct would report whether TDX is supported
>so we don't need to hardcode that.
As you suggested in previous mails, I'll remove the Q35 check.
>
>> + if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] !=
>VIR_DOMAIN_IOAPIC_QEMU) {
>> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
>> + _("INTEL TDX launch security needs split
>> kernel
>irqchip"));
>
>s/INTEL/Intel/
>
>Ideally QEMU would automatically use the correct ioapic impl when no
>args are given to QEMU. That would let us do
>
> if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] ==
>VIR_DOMAIN_IOAPIC_KVM) {
>
>
>thus allowing IOAPIC_NONE (ie QEMU's default) or IOAPIC_QEMU (explicitly
>requested config). This will make TDX guest "just work" in more scenarios.
It looks like the matching QEMU doesn't do this automation for kernel-irqchip yet.
@Li, Xiaoyao could you add this automation on QEMU side? Meanwhile
I'll apply Daniel's suggested change on libvirt side.
Thanks
Zhenzhong
>
>> + return -1;
>> + }
>> break;
>> case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
>> case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
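Review bot: The irqchip check compares with "!= VIR_DOMAIN_IOAPIC_QEMU", so every other value of def->features[VIR_DOMAIN_FEATURE_IOAPIC] returns -1, yet the subject line says the special parameters are forced enabled. Nothing in the added lines sets a value; both new blocks only call virReportError() and reject the definition. Either reword the commit message to say the configuration is validated, or note in the error text that the split irqchip has to be requested explicitly in the domain definition. The two new messages also spell the vendor differently ("Intel TDX" in the q35 check, "INTEL TDX" in the irqchip check); pick one form for both.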
>> --
>> 2.34.1
>>
>
>With regards,
>Daniel