TDX guest requires some special parameters to boot, They are: "-machine q35-*" "pic=no" "kernel_irqchip=split"
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@xxxxxxxxx>
---
 src/qemu/qemu_command.c | 2 +-
 src/qemu/qemu_validate.c | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2bc8173d58..c53b0e237d 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6980,7 +6980,7 @@ qemuBuildMachineCommandLine(virCommand *cmd,
 virBufferAddLit(&buf, ",confidential-guest-support=lsec0");
 break;
 case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
- virBufferAddLit(&buf, ",confidential-guest-support=lsec0,kvm-type=tdx");
+ virBufferAddLit(&buf, ",confidential-guest-support=lsec0,kvm-type=tdx,pic=no");
 break;
 case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
 break;
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 309d48e62f..2cb05dc5b2 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1243,6 +1243,17 @@ qemuValidateDomainDef(const virDomainDef *def,
 "this QEMU binary"));
 return -1;
 }
+ if (!qemuDomainIsQ35(def)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Intel TDX is supported with q35 machine types only"));
+ return -1;
+ }
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_KERNEL_IRQCHIP) ||
+ def->features[VIR_DOMAIN_FEATURE_IOAPIC] != VIR_DOMAIN_IOAPIC_QEMU) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("INTEL TDX launch security needs split kernel irqchip"));
+ return -1;
+ }
 break;
 case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
 break;
--
2.25.1
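Review bot: `pic=no` is appended in the VIR_DOMAIN_LAUNCH_SECURITY_TDX case without any visible check that the QEMU machine type accepts a `pic` property; the companion hunk in qemu_validate.c tests only QEMU_CAPS_MACHINE_KERNEL_IRQCHIP and the ioapic driver. If a binary can report TDX support without that property, the failure would surface as a QEMU startup error rather than VIR_ERR_CONFIG_UNSUPPORTED at validation, so either gate it on a capability or note in a comment why TDX support implies it. The commit message also lists `kernel_irqchip=split`, which this case does not emit; presumably it comes from the existing ioapic handling once validation forces the `qemu` driver. A comment such as `/* kernel_irqchip=split comes from the ioapic feature handling; validation requires it for TDX */` would make that dependency visible. qemuBuildMachineCommandLine starts and ends outside the hunk.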
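Review bot: The second added check in the TDX case folds two different failures into one message: a QEMU binary lacking QEMU_CAPS_MACHINE_KERNEL_IRQCHIP, and a domain whose `features[VIR_DOMAIN_FEATURE_IOAPIC]` is not VIR_DOMAIN_IOAPIC_QEMU. "INTEL TDX launch security needs split kernel irqchip" does not tell the user which one applies or what to change in the domain XML. Its capitalisation also differs from "Intel TDX" in the q35 message just above. Splitting the condition keeps the check fail-closed while making each rejection actionable. The capability tested is the generic kernel_irqchip one, and whether it also guarantees the `split` value is not visible in this hunk and is worth confirming. The enclosing qemuValidateDomainDef switch starts and ends outside the hunk.

```c
        /* … unchanged: TDX capability check and q35 machine type check … */
        if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_KERNEL_IRQCHIP)) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                           _("Intel TDX needs split kernel irqchip, which is not "
                             "supported by this QEMU binary"));
            return -1;
        }
        if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] != VIR_DOMAIN_IOAPIC_QEMU) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                           _("Intel TDX launch security requires the 'qemu' ioapic "
                             "driver (split kernel irqchip)"));
            return -1;
        }
        /* … unchanged: break and following cases … */
```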