On Mon, Nov 24, 2025 at 12:15:06 +0000, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <[email protected]>
> 
> Querying existence of the 'tdx-guest' type merely tells us whether
> QEMU has been compiled with TDX support, not whether it is usable
> on the host. Thus QEMU was incorrectly reporting
> 
>     <tdx supported='yes'/>
>     ...
>     <launchSecurity supported='yes'>
>       <enum name='sectype'>
>         <value>tdx</value>
>       </enum>
>     </launchSecurity>
> 
> on every platform with new enough QEMU.
> 
> Unfortunately an earlier patch for a 'query-tdx-capabilities' QMP
> command in QEMU was dropped, so there is no way to ask QEMU whether
> it can launch a TDX guest. Libvirt must directly query the KVM
> device and ask for supported VM types.
> 
> Signed-off-by: Daniel P. Berrangé <[email protected]>
> ---
>  src/qemu/qemu_capabilities.c | 51 ++++++++++++++++++++++++++++++++++++
>  src/qemu/qemu_capabilities.h |  3 +++
>  tests/domaincapsmock.c       |  6 +++++
>  3 files changed, 60 insertions(+)

[...]


> @@ -3686,6 +3692,50 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCaps 
> *qemuCaps,
>  }
>  
>  
> +bool
> +virQEMUCapsKVMSupportsVMTypeTDX(void)
> +{
> +#if defined(KVM_CAP_VM_TYPES) && defined(KVM_X86_TDX_VM)
> +    VIR_AUTOCLOSE kvmfd = -1;
> +    int types;
> +
> +    if (!virFileExists(KVM_DEVICE))
> +        return false;
> +
> +    if ((kvmfd = open(KVM_DEVICE, O_RDONLY)) < 0) {
> +        VIR_DEBUG("Unable to open %s, cannot check TDX", KVM_DEVICE);
> +        return false;
> +    }
> +
> +    if ((types = ioctl(kvmfd, KVM_CHECK_EXTENSION, KVM_CAP_VM_TYPES)) < 0)
> +        types = false;

Either 'types = 0' or 'return false;'


> +
> +    VIR_DEBUG("KVM VM types: 0x%x", types);
> +
> +    return !!(types & (1 << KVM_X86_TDX_VM));

Is there a possibility that the answer could change based on some external
input where libvirt's cache isn't invalidated?

> +#else
> +    VIR_DEBUG("KVM not compiled");
> +    return false;
> +#endif
> +}
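
Review bot: the debug message in the `#else` branch, "KVM not compiled", does not match the condition that selects it. That branch is taken whenever the build-time headers lack KVM_CAP_VM_TYPES or KVM_X86_TDX_VM, which says nothing about whether KVM itself is available, so the log will mislead anyone debugging why TDX is reported as unsupported. Suggest wording along the lines of "KVM headers lack VM types / TDX definitions, cannot check TDX". Separately, the virFileExists(KVM_DEVICE) check ahead of open() is redundant, since a failed open() already returns false, and it makes the missing-device case the only early return that logs nothing. Dropping it would leave one path that logs consistently. A failed KVM_CHECK_EXTENSION ioctl is also folded silently into "no types", so a VIR_DEBUG there would help distinguish an ioctl error from a host that genuinely reports no TDX VM type.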

Reviewed-by: Peter Krempa <[email protected]>
