Am 13.10.25 um 4:25 PM schrieb Anton Iacobaeus: > On 10/13/25 11:30, Fiona Ebner wrote: >> Am 08.10.25 um 12:21 PM schrieb Fiona Ebner: >>> Am 04.10.25 um 3:23 PM schrieb Anton Iacobaeus: >>>> From: Philipp Giersfeld <[email protected]> >>>> >>>> This commit adds support for setting up an Intel TDX VM. A Intel TDX VM >>>> can be setup similar to AMD SEV but uses a different firmware image. >>>> >>>> Signed-off-by: Philipp Giersfeld <[email protected]> >>>> Signed-off-by: Anton Iacobaeus <[email protected]> >>> >>> Apart from a few nits, see below: >>> Reviewed-by: Fiona Ebner <[email protected]> >>>> @@ -3965,6 +3978,10 @@ sub config_to_command { >>>> if ($conf->{'amd-sev'}) { >>>> push @$devices, '-object', get_amd_sev_object($conf- >>>> >{'amd-sev'}, $conf->{bios}); >>>> push @$machineFlags, 'confidential-guest-support=sev0'; >>>> + } elsif ($conf->{'intel-tdx'}) { >>>> + push @$devices, '-object', get_intel_tdx_object($conf- >>>> >{'intel-tdx'}, $conf->{bios}); >>>> + push @$machineFlags, 'confidential-guest-support=tdx0'; >>>> + push @$machineFlags, 'kernel_irqchip=split'; >> >> One more thing I noticed/remembered: >> >> Don't we also need something like >> -device vhost-vsock-pci,guest-cid=3 >> >> for communication between QGS and TD VM like described in the docs: >> https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling- >> guide/05/host_os_setup/#setup-communication-path-between-qgs-and-td >> >> ? > Yes you are correct, but it is only required for attestation support, > which was initially out of scope for this series. The changes are > however quite small and they could fit in this series. > > Note that TDX memory encryption works without any communication between > the QGS and TD VM. The QGS is only contacted for quote generation. > > In terms of this particular device, it was only used in TDX Early > Preview. Today a quote-generation-socket should instead be included > directly in the TDX object, like this: > -object '{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket": > {"type": "vsock", "cid":"2","port":"4050"}}' > > I think this change can be included in this series, but it adds some > additional scope since the type, cid and port can be configured > differently from these defaults.
Thanks for the explanation! I'm fine with either way, but yes, if we do include it, it should be made configurable via the intel-tdx property string/$tdx_fmt. _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
