This patches series adds support for launching Intel TDX confidential VMs via QEMU. Basic attestation support is also added.
Intel TDX requires QEMU >= v10.1 and kernel >= 6.16. A TDX compatible CPU is also required, with TDX enabled in the BIOS. Attestation also requires a running Quote Generation Service (QGS) on the host (or dedicated VM) connected to a Provisioning Certificate Caching Service (PCCS), more information can be found at: https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/ Only a subset of the possible socket types are implemented with this patch. Ideally the SocketAddress object as defined in QEMU would be fully implemented, but for the sake of TDX this is not neccessary. More information at: https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-sockets.SocketAddress The TDX object can also be extended with additional configuration options, but these are not neccessary for regular usage of TDX. More information available at: https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties Future work can build upon this patch to improve these shortcomings. Thanks to Fiona for the review. Changes since v2: https://lists.proxmox.com/pipermail/pve-devel/2025-October/075766.html * Fixed nits and formatting * Added reasoning for firmware Config-B * Added reasoning for kernel_irqchip=split * Added support for configuration of the quote-generation-socket for attestation. pve-edk2-firmware: Philipp Giersfeld (3): Change name of SEV-related OVMF files Add firmware target for TDFV Add SCSI in NCCFV for TD guest .../patches/Enable_SCSI_IntelTdx_DXEFV.patch | 52 ++++++++++++++++ debian/patches/series | 1 + debian/pve-edk2-firmware-ovmf.install | 7 ++- debian/pve-edk2-firmware-ovmf.links | 3 + debian/rules | 59 +++++++++++++------ 5 files changed, 100 insertions(+), 22 deletions(-) create mode 100644 debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch create mode 100644 debian/pve-edk2-firmware-ovmf.links pve-manager: Anton Iacobaeus (1): Add support for TDX attestation Philipp Giersfeld (1): Add support for Intel TDX www/manager6/Makefile | 1 + www/manager6/qemu/Options.js | 12 +++ www/manager6/qemu/TdxEdit.js | 194 +++++++++++++++++++++++++++++++++++ 3 files changed, 207 insertions(+) create mode 100644 www/manager6/qemu/TdxEdit.js qemu-server: Anton Iacobaeus (1): Add support for TDX quote-generation-socket object Philipp Giersfeld (3): Adapt AMD SEV code for compatibility with other platforms Add check for TDX support Add support for Intel TDX src/PVE/API2/Qemu.pm | 6 +- src/PVE/QemuMigrate/Helpers.pm | 1 + src/PVE/QemuServer.pm | 28 +++- src/PVE/QemuServer/CPUConfig.pm | 129 ++++++++++++++++-- src/PVE/QemuServer/OVMF.pm | 53 ++++--- .../query-machine-capabilities.c | 98 +++++++++++-- src/test/cfg2cmd/sev-es.conf.cmd | 2 +- src/test/cfg2cmd/sev-snp.conf.cmd | 2 +- src/test/cfg2cmd/sev-std.conf.cmd | 2 +- src/usr/modules-load.conf | 1 + 10 files changed, 270 insertions(+), 52 deletions(-) -- 2.43.0 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
