[PATCH v3 00/21] LIBVIRT: X86: TDX support

2025-06-29 Thread Zhenzhong Duan
Hi, This series brings libvirt the x86 TDX support. * What's TDX? TDX stands for Trust Domain Extensions which isolates VMs from the virtual-machine manager (VMM)/hypervisor and any other software on the platform. This patchset extends libvirt to support TDX, with which one can start a TDX guest

[PATCH v3 01/21] tools: Secure guest check for Intel in virt-host-validate

2025-06-29 Thread Zhenzhong Duan
Add check in virt-host-validate for secure guest support on x86 for Intel Trust Domain Extensions. Suggested-by: Daniel P. Berrangé Signed-off-by: Zhenzhong Duan Reviewed-by: Daniel P. Berrangé --- tools/virt-host-validate-common.c | 31 ++- tools/virt-host-validate

[PATCH v3 02/21] qemu: Check if INTEL Trust Domain Extention support is enabled

2025-06-29 Thread Zhenzhong Duan
Implement TDX check in order to generate domain feature capability correctly in case the availability of the feature changed. For INTEL TDX the verification is: - checking if "/sys/module/kvm_intel/parameters/tdx" contains the value 'Y': meaning TDX is enabled in the host kernel. Signed-off-b

[PATCH v3 05/21] qemu: Add TDX capability

2025-06-29 Thread Zhenzhong Duan
QEMU_CAPS_TDX_GUEST set means TDX supported with this QEMU. Signed-off-by: Chenyi Qiang Signed-off-by: Zhenzhong Duan Reviewed-by: Daniel P. Berrangé --- src/qemu/qemu_capabilities.c | 2 ++ src/qemu/qemu_capabilities.h | 1 + tests/q

[PATCH v3 03/21] qemucapabilitiesdata: Document '+inteltdx' variant

2025-06-29 Thread Zhenzhong Duan
Upcoming patch will introduce test data from a TDX-enabled host. Document the new variant. Signed-off-by: Zhenzhong Duan --- tests/qemucapabilitiesdata/README.rst | 5 + 1 file changed, 5 insertions(+) diff --git a/tests/qemucapabilitiesdata/README.rst b/tests/qemucapabilitiesdata/README.

[PATCH v3 06/21] conf: Expose TDX feature in domain capabilities

2025-06-29 Thread Zhenzhong Duan
Extend qemu TDX capability to domain capabilities. Signed-off-by: Chenyi Qiang Signed-off-by: Zhenzhong Duan Reviewed-by: Daniel P. Berrangé --- docs/formatdomaincaps.rst | 1 + src/conf/domain_capabilities.c | 1 + src/conf/domain_capabilities.

[PATCH v3 07/21] conf: Add tdx as launch security type

2025-06-29 Thread Zhenzhong Duan
When 'tdx' is used, the VM will be launched with Intel TDX feature enabled. TDX feature supports running encrypted VM (Trust Domain, TD) under the control of KVM. A TD runs in a CPU model which protects the confidentiality of its memory and its CPU state from other software. There are four optiona

[PATCH v3 09/21] qemu: Add command line and validation for TDX type

2025-06-29 Thread Zhenzhong Duan
QEMU will provide 'tdx-guest' object which is used to launch encrypted VMs on Intel platform using TDX feature. Command line looks like: $QEMU ... \ -object '{"qom-type":"tdx-guest","id":"lsec0","mrconfigid":"xxx","mrowner":"xxx","mrownerconfig":"xxx","attributes":268435457}' \ -machine pc-

[PATCH v3 13/21] qemu: Add command line for TDX Quote Generation Service(QGS)

2025-06-29 Thread Zhenzhong Duan
'tdx-guest' object supports a "quote-generation-socket" property for attestation purpose. When "quote-generation-socket" is configured in guest xml, libvirt generates unix socket format cmdline for QEMU. 'Path' element can be omitted, default path "/var/run/tdx-qgs/qgs.socket" is used in this case

[PATCH v3 11/21] qemu: Force special parameters enabled for TDX guest

2025-06-29 Thread Zhenzhong Duan
TDX guest requires some special parameters to boot, currently: "kernel_irqchip=split" "pmu!=on" "smm!=on" "-bios" If not specified explicitly, QEMU should configure this option implicitly when starting a TDX guest. Signed-off-by: Zhenzhong Duan Reviewed-by: Daniel P. Berrangé --- src/qemu/qe

[PATCH v3 10/21] conf: Expose TDX type in domain launch security capability

2025-06-29 Thread Zhenzhong Duan
As the tdx launch security type support is added, expose it in domain capabilities so that domain definition validation check can take effect. Signed-off-by: Zhenzhong Duan --- src/qemu/qemu_capabilities.c | 2 ++ tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.x

[PATCH v3 12/21] conf: Add Intel TDX Quote Generation Service(QGS) support

2025-06-29 Thread Zhenzhong Duan
Add element "quoteGenerationSocket" to tdx launch security type. It contains only an optional unix socket address attribute, when omitted, libvirt will use default QGS server address "/var/run/tdx-qgs/qgs.socket". UNIX sockets offer the required functionality with greater security than vsock, so l

[PATCH v3 14/21] qemu: Add FakeReboot support for TDX guest

2025-06-29 Thread Zhenzhong Duan
Utilize the existing fake reboot mechanism to do reboot for TDX guest. Different from normal guest, TDX guest doesn't support system_reset, so have to kill the old guest and start a new one to simulate the reboot. Co-developed-by: Chenyi Qiang Signed-off-by: Zhenzhong Duan --- src/qemu/qemu_pr

[PATCH v3 15/21] qemu: Support reboot command in guest

2025-06-29 Thread Zhenzhong Duan
We can reboot a TDX guest with 'virsh reboot' or 'virsh shutdown' if action for onPoweroff is 'restart'. But running reboot command in guest shell will always lead to shutdown. This behavior is not consistent with normal guest, fix it by checking shutdown reason and action configuration to trigger

[PATCH v3 16/21] qemu: Avoid duplicate FakeReboot for secure guest

2025-06-29 Thread Zhenzhong Duan
For secure guest, FakeReboot kills original QEMU instance and creates a new one. During this process, QEMU sends SHUTDOWN event with "host-signal" reason which can trigger another FakeReboot. Check if a FakeReboot is ongoing and bypass "host-signal" processing which originally comes from FakeReboot.

[PATCH v3 19/21] qemu: Support domain reset command for TDX guest

2025-06-29 Thread Zhenzhong Duan
TDX guest doesn't support system_reset, so have to kill the old QEMU and start a new one to simulate the reset. This can be achieved by calling qemuProcessFakeRebootViaRecreate(). Similar to FakeReboot, QEMU sends SHUTDOWN event with "host-signal" reason which can trigger another FakeReset. Check i

[PATCH v3 18/21] qemu: Bypass sending VIR_DOMAIN_EVENT_RESUMED event when TD VM reboot

2025-06-29 Thread Zhenzhong Duan
When a TD VM reboots, the qemu process is recreated by destroying the old one and creating a new one. When the new qemu process starts, it sends a RESUME event while the libvirt domain isn't in run state yet. Then event VIR_DOMAIN_EVENT_RESUMED is sent out and confuses the control plane. Check priv->pausedShutdown and bypass t

[PATCH v3 17/21] qemu: Send event VIR_DOMAIN_EVENT_[STOPPED|STARTED] during recreation

2025-06-29 Thread Zhenzhong Duan
For secure guest, FakeReboot kills original QEMU instance and creates a new one, which is quite different from normal guest. To reflect this fact, VIR_DOMAIN_EVENT_[STOPPED|STARTED] are sent to control plane with newly introduced reasons VIR_DOMAIN_EVENT_[STOPPED|STARTED]_RECREATION. That would let con

[PATCH v3 21/21] docs: domain: Add documentation for Intel TDX guest

2025-06-29 Thread Zhenzhong Duan
Signed-off-by: Zhenzhong Duan --- docs/formatdomain.rst | 63 +++ 1 file changed, 63 insertions(+) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 9a2f065590..5acebefec0 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -95

[PATCH v3 20/21] qemuxmlconftest: Add latest version of 'launch-security-tdx*' test data

2025-06-29 Thread Zhenzhong Duan
We now have the '+inteltdx' variant dumped from a modern qemu with tdx support, add qemuxmlconftest data for that variant. Signed-off-by: Zhenzhong Duan --- ...h-security-tdx.x86_64-latest+inteltdx.args | 44 +++ ...ch-security-tdx.x86_64-latest+inteltdx.xml | 74 +++ tes

[PATCH v3 08/21] conf: Validate TDX launchSecurity element mrConfigId/mrOwner/mrOwnerConfig

2025-06-29 Thread Zhenzhong Duan
mrConfigId/mrOwner/mrOwnerConfig are base64 encoded SHA384 digest, can be provided for TDX attestation. Check their decoded lengths to ensure they are 48 bytes. Signed-off-by: Zhenzhong Duan --- src/conf/domain_validate.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff

[PATCH v5 0/5] Disable Deprecated Features by Default on s390 CPU Models

2025-06-29 Thread Collin Walling
Changelog v5 - dropped the "none" test in qemuxmlactivetest (see commit for details) - reordered patches to introduce some tests first, then add qemu.conf changes v4 - added qemu.conf option to dictate the default behavior for the deprecated_features at

[PATCH v5 1/5] docs: domain: document deprecated_features attribute

2025-06-29 Thread Collin Walling
Provide documentation for the deprecated_features XML attribute. Available since 11.0.0, and supported for S390. Signed-off-by: Collin Walling --- docs/formatdomain.rst | 8 1 file changed, 8 insertions(+) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 9a2f065590..cd3

[PATCH v5 3/5] qemu: process: refactor deprecated features code

2025-06-29 Thread Collin Walling
Group up the deprecated features code into a single block to keep things clean; only check if the deprecated_features attribute is present once and then do relevant work. Signed-off-by: Collin Walling Reviewed-by: Boris Fiuczynski --- src/qemu/qemu_process.c | 13 ++--- 1 file changed,

[PATCH v5 2/5] qemu: caps: add virCPUFeaturePolicy param to virQEMUCapsUpdateCPUDeprecatedFeatures

2025-06-29 Thread Collin Walling
Currently, virQEMUCapsUpdateCPUDeprecatedFeatures only allows for disabling deprecated features. This locks the deprecated_features attribute to only do something if set to 'off'. Let's add a virCPUFeaturePolicy to the function's parameters which will allow the caller to decide what happens to th

[PATCH v5 5/5] qemu: add default_cpu_deprecated_features configuration option

2025-06-29 Thread Collin Walling
From: Boris Fiuczynski Allow to define the default for deprecated_features when the attribute is not set in the cpu definition of a domain XML. If these features are still desired, they may be reenabled via the deprecated_features='on' attribute. Some existing tests utilize this updated behavior,

[PATCH v5 4/5] tests: new qemuxmlactive tests for s390x

2025-06-29 Thread Collin Walling
From: Boris Fiuczynski Add tests for active/inactive XML with deprecated_features attribute. Note that for the qemuxmlactivetest, it is not possible to test an inactive guest XML with the absence of "deprecated_features" attribute and expect the active XML to have the attribute present. This is