On Thu, Nov 20, 2025 at 13:34:13 +0000, Daniel P. Berrangé wrote:
> On Thu, Nov 20, 2025 at 02:25:05PM +0100, Peter Krempa wrote:
> > On Thu, Nov 20, 2025 at 11:57:54 +0000, Daniel P. Berrangé via Devel wrote:
> > > From: Daniel P. Berrangé <[email protected]>
> > > 
> > > Currently domain capabilities will only ever report
> > > 
> > >     <tdx supported='yes'/>
> > > 
> > > so it is not possible to determine whether libvirt itself is
> > > new enough to have TDX support or not, vs the host OS lacking
> > > it.
> > > 
> > > For SEV and s390 prot-virt, the capability is always reported
> > > whether supported or not, so do likewise for TDX, so other
> > > x86 hosts get:
> > > 
> > >     <tdx supported='no'/>
> > > 
> > > Signed-off-by: Daniel P. Berrangé <[email protected]>
> > 
> > [...]
> > 
> > > ---
> > > diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> > > index 67fe5d7acf..2eae52f8c4 100644
> > > --- a/src/qemu/qemu_capabilities.c
> > > +++ b/src/qemu/qemu_capabilities.c
> > > @@ -7120,11 +7120,14 @@ static void
> > >  virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps,
> > >                                      virDomainCaps *domCaps)
> > >  {
> > > -    if (domCaps->arch == VIR_ARCH_X86_64 &&
> > > -        domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
> > > -        virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
> > > -        virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
> > > +    if (domCaps->arch == VIR_ARCH_X86_64) {
> > > +        if (domCaps->virttype == VIR_DOMAIN_VIRT_KVM &&
> > > +            virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) &&
> > > +            virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps))
> > >              domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = 
> > > VIR_TRISTATE_BOOL_YES;
> > > +        else
> > > +            domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = 
> > > VIR_TRISTATE_BOOL_NO;
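Review bot: The outer `if (domCaps->arch == VIR_ARCH_X86_64)` has no else branch, so on every other architecture this function never assigns features[VIR_DOMAIN_CAPS_FEATURE_TDX]. A client on such a host still cannot tell a libvirt that predates TDX support from a host that cannot use it, which is the ambiguity the commit message sets out to remove for x86. Consider assigning VIR_TRISTATE_BOOL_NO first and upgrading to VIR_TRISTATE_BOOL_YES only when the arch, virttype, QEMU_CAPS_TDX_GUEST and secure-guest checks all pass, or add a comment stating that non-x86 output is deliberately left unchanged. The inner if/else also pairs a three-line condition with unbraced bodies; bracing both branches would make the nesting easier to follow.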
> > 
> > IMO we should say that it's not supported even on non-x86 arches rather
> > than make it seem like the feature doesn't exist.
> 
> I did that to be consistent with virQEMUCapsFillDomainFeatureS390PVCaps.
> 
> Do you think we should report s390 prot-virt as not-avail on x86 too

Well yes. Libvirt does already have that feature and that feature
doesn't work on that host. IMO there's no difference if you have a box
where the feature doesn't work or have a kernel that doesn't support it.

If, as you mentioned in 1/2, you want to keep this patch minimal for
backports, I'm okay to do it in a follow-up.

Reviewed-by: Peter Krempa <[email protected]>
