On Mon, Jun 30, 2025 at 02:17:18PM +0800, Zhenzhong Duan wrote:
> When 'tdx' is used, the VM will be launched with the Intel TDX feature
> enabled. The TDX feature supports running an encrypted VM (Trust Domain, TD)
> under the control of KVM. A TD runs in a CPU model which protects the
> confidentiality of its memory and its CPU state from other software.
> 
> There are four optional child elements. Element policy is 64-bit hex; bit 0
> is set to enable TDX debug, bit 28 is set to enable sept-ve-disable, and
> other bits are currently reserved. When policy isn't specified, QEMU will
> use its own default value 0x10000000. mrConfigId, mrOwner and mrOwnerConfig
> are base64-encoded SHA384 digest strings.
> 
> For example:
> 
>  <launchSecurity type='tdx'>
>    <policy>0x10000001</policy>
>    <mrConfigId>xxx</mrConfigId>
>    <mrOwner>xxx</mrOwner>
>    <mrOwnerConfig>xxx</mrOwnerConfig>
>  </launchSecurity>
> 
> Signed-off-by: Zhenzhong Duan <zhenzhong.d...@intel.com>

Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
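
The element format described in the quoted commit message can be checked before a domain is defined. The following is an added example, not code from the patch or from libvirt: the function name `check_tdx_launch_security` and the sample digest are assumptions made for illustration. It decodes the policy bits named in the message, applies the stated QEMU default when `<policy>` is absent, and verifies that each digest element decodes to 48 bytes (the length of a SHA384 digest).

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

TDX_DEBUG = 1 << 0                # policy bit 0: TDX debug
TDX_SEPT_VE_DISABLE = 1 << 28     # policy bit 28: sept-ve-disable
QEMU_DEFAULT_POLICY = 0x10000000  # used when <policy> is absent
DIGEST_ELEMENTS = ("mrConfigId", "mrOwner", "mrOwnerConfig")
SHA384_LEN = 48


def check_tdx_launch_security(xml_text):
    """Decode a <launchSecurity type='tdx'> element and list format errors."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "launchSecurity" or elem.get("type") != "tdx":
        raise ValueError("not a <launchSecurity type='tdx'> element")
    errors = []
    policy_text = elem.findtext("policy")
    policy = QEMU_DEFAULT_POLICY if policy_text is None else int(policy_text.strip(), 16)
    if not 0 <= policy < 1 << 64:
        errors.append("policy is not a 64-bit value")
    reserved = policy & ~(TDX_DEBUG | TDX_SEPT_VE_DISABLE)
    if reserved:
        errors.append(f"reserved policy bits set: {reserved:#x}")
    for name in DIGEST_ELEMENTS:
        text = elem.findtext(name)
        if text is None:
            continue  # every child element is optional
        try:
            raw = base64.b64decode(text.strip(), validate=True)
        except (binascii.Error, ValueError):
            errors.append(f"{name}: not valid base64")
            continue
        if len(raw) != SHA384_LEN:
            errors.append(f"{name}: {len(raw)} bytes, expected {SHA384_LEN}")
    return {"policy": policy, "debug": bool(policy & TDX_DEBUG),
            "sept_ve_disable": bool(policy & TDX_SEPT_VE_DISABLE), "errors": errors}


# Constructed sample: the digest is SHA384 over a made-up string, not a real measurement.
SAMPLE_DIGEST = base64.b64encode(hashlib.sha384(b"constructed owner id").digest()).decode()
SAMPLE_XML = f"""<launchSecurity type='tdx'>
  <policy>0x10000001</policy>
  <mrOwner>{SAMPLE_DIGEST}</mrOwner>
</launchSecurity>"""

if __name__ == "__main__":
    print(check_tdx_launch_security(SAMPLE_XML))
```

The returned `debug` flag makes it easy to gate production definitions on policy bit 0 being clear.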
