Implement trust domain check for INTEL TDX (Trust Domain eXtention)
in order to invalidate the qemu capabilities cache in case the
availability of the feature changed.
For INTEL TDX the verification is:
- checking if /sys/module/kvm_intel/parameters/tdx contains the
value 'Y': meaning TDX is enabled in the host kernel.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@xxxxxxxxx>
---
src/qemu/qemu_capabilities.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 5e54d7e306..8f8802c121 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -4767,6 +4767,24 @@ virQEMUCapsKVMSupportsSecureGuestAMD(void)
}
+/*
+ * Check whether INTEL Trust Domain Extention (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestINTEL(void)
+{
+ g_autofree char *modValue = NULL;
+
+ if (virFileReadValueString(&modValue, "/sys/module/kvm_intel/parameters/tdx") < 0)
+ return false;
+
+ if (modValue[0] != 'Y')
+ return false;
+
+ return true;
+}
+
+
/*
* Check whether the secure guest functionality is enabled.
* See the specific architecture function for details on the verifications made.
@@ -4782,6 +4800,9 @@ virQEMUCapsKVMSupportsSecureGuest(void)
if (ARCH_IS_X86(arch))
return virQEMUCapsKVMSupportsSecureGuestAMD();
+ if (ARCH_IS_X86(arch))
+ return virQEMUCapsKVMSupportsSecureGuestINTEL();
+
return false;
}
--
2.25.1
