Thanks to Peter, Pavel and Daniel for their comments on the v1 version; here comes v2.

* What's TDX?
TDX stands for Trust Domain Extensions, which isolates VMs from the
virtual-machine manager (VMM)/hypervisor and any other software on the
platform.

To support TDX, multiple software components, not only KVM but also QEMU,
guest Linux and virtual BIOS, need to be updated. For more details, please
check link [1]; there are TDX spec links and a public repository link on
GitHub for each software component.

This patchset is another software component, extending libvirt to support
TDX, with which one can start a VM from a high level rather than running
qemu directly.

* The goal of this RFC patch
The purpose of this post is to get early feedback on high-level design
issues of the libvirt enhancement for TDX. It references the AMD SEV and
S390 PV implementations at links [2][3] heavily. This 2nd version is rebased
on upstream + the s390 v4 version shown in [3] to utilize the common
launchsecurity framework code.

* Patch organization
- patch 1-3: Support query of TDX capabilities.
- patch 4-6: Add TDX type to launchsecurity framework.
- patch 7: Add general loader support for TDX.
- patch 8: Add firmware descriptor support for TDX.

* Misc
Just to let you know, we have released the v2 version of TDX qemu in [1],
and the API for libvirt is staying stable. Using these patches we have
successfully booted and tested a guest both with and without TDX enabled.

* Diff to v1:
- give up using qmp cmd and check TDX directly on host for TDX capabilities.
- use launchsecurity framework to support TDX
- use <os>.<loader> for general loader
- add auto firmware match feature for TDX

An example TDVF firmware description file 70-edk2-x86_64-tdx.json:
{
    "description": "UEFI firmware for x86_64, supporting Intel TDX",
    "interface-types": [
        "uefi"
    ],
    "mapping": {
        "device": "generic",
        "filename": "/usr/share/OVMF/OVMF_CODE-tdx.fd"
    },
    "targets": [
        {
            "architecture": "x86_64",
            "machines": [
                "pc-q35-*"
            ]
        }
    ],
    "features": [
        "intel-tdx",
        "verbose-dynamic"
    ],
    "tags": [

    ]
}

Links:
[1] https://lists.nongnu.org/archive/html/qemu-devel/2021-07/msg01682.html
[2] https://github.com/codomania/libvirt/commits/v9
[3] https://www.mail-archive.com/libvir-list@xxxxxxxxxx/msg219144.html

Zhenzhong Duan (8):
  qemu: Check if INTEL Trust Domain Extention support is enabled
  qemu: Add TDX capability
  conf: expose TDX feature in domain capabilities
  conf: add tdx as launch security type
  qemu: Add command line and validation for TDX type
  qemu: force special parameters enabled for TDX guest
  qemu: Add general loader support
  qemu: Add firmware descriptor support for TDX

 docs/formatdomaincaps.html.in  |  17 ++++++
 docs/schemas/domaincaps.rng    |   9 +++
 docs/schemas/domaincommon.rng  |  18 ++++++
 src/conf/domain_capabilities.c |   1 +
 src/conf/domain_capabilities.h |   1 +
 src/conf/domain_conf.c         |  49 ++++++++++++++++
 src/conf/domain_conf.h         |  11 ++++
 src/conf/virconftypes.h        |   2 +
 src/qemu/qemu_capabilities.c   |  44 ++++++++++++++-
 src/qemu/qemu_capabilities.h   |   1 +
 src/qemu/qemu_command.c        |  38 +++++++++++++
 src/qemu/qemu_firmware.c       | 100 ++++++++++++++++++++++++++++++++-
 src/qemu/qemu_namespace.c      |   2 +
 src/qemu/qemu_process.c        |   1 +
 src/qemu/qemu_validate.c       |  28 +++++++++
 15 files changed, 319 insertions(+), 3 deletions(-)

-- 
2.25.1
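
The firmware auto-match mentioned in the cover letter can be pictured with the sketch below, which is an added example and not code from this patch series or from libvirt: it selects a descriptor by architecture, machine glob and required features, and returns nothing rather than falling back when no descriptor advertises "intel-tdx". The matching rules are simplified assumptions, and the second descriptor, its file name and its path are constructed for contrast.

```python
import fnmatch
import json

# First entry is the TDVF descriptor from the cover letter; the second is a
# constructed non-TDX descriptor (name and path are made up) for contrast.
DESCRIPTORS = {
    "70-edk2-x86_64-tdx.json": """{
        "description": "UEFI firmware for x86_64, supporting Intel TDX",
        "interface-types": ["uefi"],
        "mapping": {"device": "generic",
                    "filename": "/usr/share/OVMF/OVMF_CODE-tdx.fd"},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["intel-tdx", "verbose-dynamic"],
        "tags": []
    }""",
    "50-constructed-plain.json": """{
        "description": "Constructed non-TDX firmware entry",
        "interface-types": ["uefi"],
        "mapping": {"device": "generic",
                    "filename": "/constructed/path/PLAIN_CODE.fd"},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["verbose-dynamic"],
        "tags": []
    }""",
}


def descriptor_matches(desc, arch, machine, required_features):
    """True if the descriptor offers every required feature for this target."""
    if not set(required_features) <= set(desc.get("features", [])):
        return False
    for target in desc.get("targets", []):
        if target.get("architecture") != arch:
            continue
        # "machines" entries are shell-style globs such as "pc-q35-*".
        if any(fnmatch.fnmatchcase(machine, g) for g in target.get("machines", [])):
            return True
    return False


def select_firmware(descriptors, arch, machine, required_features):
    """Return the first matching firmware path in filename order, else None.

    Returning None (instead of falling back to any firmware) keeps a TDX
    guest from silently booting an image that lacks "intel-tdx".
    """
    for name in sorted(descriptors):
        desc = json.loads(descriptors[name])
        if descriptor_matches(desc, arch, machine, required_features):
            return desc["mapping"]["filename"]
    return None
```
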