> -----Original Message----- > From: Pavel Hrdina <phrdina@xxxxxxxxxx> > Sent: Wednesday, July 21, 2021 10:23 PM > To: Duan, Zhenzhong <zhenzhong.duan@xxxxxxxxx> > Cc: libvir-list@xxxxxxxxxx; pkrempa@xxxxxxxxxx; berrange@xxxxxxxxxx; > Yamahata, Isaku <isaku.yamahata@xxxxxxxxx>; Tian, Jun J > <jun.j.tian@xxxxxxxxx>; Qiang, Chenyi <chenyi.qiang@xxxxxxxxx> > Subject: Re: [RFC PATCH v2 0/8] LIBVIRT: X86: TDX support > > On Fri, Jul 16, 2021 at 11:10:28AM +0800, Zhenzhong Duan wrote: > > Thanks Peter, Pavel and Daniel's comments on v1 version, now the v2 > comes. > > > > * What's TDX? > > TDX stands for Trust Domain Extensions which isolates VMs from the > > virtual-machine manager (VMM)/hypervisor and any other software on the > > platform. [...] > > * Misc > > Just let you know we have released v2 version of TDX qemu in [1], and > > the API for libvirt is keeping stable. Using these patches we have > > succesfully booted and tested a guest both with and without TDX enabled. > > Overall looks good. It's missing documentation and the QEMU patches are > missing documentation as well. I was looking into Intel specification but I > failed to find the necessary info there as well. > What are the values `mrconfigid`, `mrowner`, `mrownerconfig` for, what data > is supposed to be stored there, what are the limitation and so on. Oh, yes. Thanks for point out. We will add the doc both for qemu and libvirt. > > What I could gather these are exposed in the VM and are used for > measurement but that's it. > > Another thing that I've missed in v1, QEMU patches are introducing new `- > machine pic=no` option and for TDX PIC has to be disabled. The libvirt > patches are putting it on the QEMU command line but it is not reflected in > the VM XML, so I would say we need to introduce new hypervisor feature [1]: > > <features> > ... > <pic state='on|off'/> > ... > </features> > > [1] <https://libvirt.org/formatdomain.html#hypervisor-features> Will add this feature. > > > * Diff to v1: > > - give up using qmp cmd and check TDX directly on host for TDX capabilities. > > - use launchsecurity framework to support TDX > > - use <os>.<loader> for general loader > > - add auto firmware match feature for TDX > > > > A example TDVF fimware description file 70-edk2-x86_64-tdx.json: > > { > > "description": "UEFI firmware for x86_64, supporting Intel TDX", > > "interface-types": [ > > "uefi" > > ], > > "mapping": { > > "device": "generic", > > I think using 'loader' as that's the actual device in QEMU used with this > firmware will be better. The patches posted to QEMU doesn't extend > `docs/interop/firmware.json` so this example may change once some specific > format is accepted by QEMU community. Will do. > > You will most likely need to add the firmware descriptor to QEMU project as > well (`pc-bios/descriptors/70-edk2-x86_64-tdx.json`). NOTE: The name > should not use `edk2` if it's not edk2 based firmware. I see, will do. Thanks very much for your suggestions. Regards Zhenzhong