On Mon, Dec 04, 2023 at 03:38:30AM +0000, Duan, Zhenzhong wrote: > > > >-----Original Message----- > >From: Jonathon Jongsma <jjongsma@xxxxxxxxxx> > >Sent: Saturday, December 2, 2023 6:30 AM > >Subject: Re: [PATCH rfcv3 00/11] LIBVIRT: X86: TDX support > > > >Hello, > > > >Thanks for the submission. A few initial general comments: > > > >On 11/27/23 2:55 AM, Zhenzhong Duan wrote: > >> Hi, > >> > >> This series brings libvirt the x86 TDX support. > >> > >> * What's TDX? > >> TDX stands for Trust Domain Extensions which isolates VMs from > >> the virtual-machine manager (VMM)/hypervisor and any other software > >on > >> the platform. > >> > >> To support TDX, multiple software components, not only KVM but also > >QEMU, > >> guest Linux and virtual bios, need to be updated. For more details, please > >> check link[1], there are TDX spec links and public repository link at github > >> for each software component. > >> > >> This patchset is another software component to extend libvirt to support > >TDX, > >> with which one can start a VM from high level rather than running qemu > >directly. > >> > >> > >> * Misc > >> As QEMU use a software emulated way to reset guest which isn't > >supported by TDX > >> guest for security reason. We add a new way to emulate the reset for TDX > >guest, > >> called "hard reboot". We achieve this by killing old qemu and start a new > >one. > > > >Can you expand on this a little bit more? What problems do you encounter > >when you reboot the normal way? I did not notice any patches related to > >a hard reboot in the v2 patchset that was submitted a while ago. > > If we use existing "fake reboot" in libvirt, qmp command "system_reset" isn't > supported for TDX guest, because TDX doesn't support resetting each register > of vcpu for security except in TDX debug mode. TDX guest will be shutdown > instead. I suspect the same probably applies to SEV. > >What other approaches did you consider to solve this issue? The changes > >to virsh adding a reconnect timeout option for the console command in > >particular feel hacky to me. > > One possible way I can think of is to let qemu do the kill/create job, > i.e. destroy TDX vcpus, create new one. This way we can utilize existing > "fake reboot" interface between qemu and libvirt. Yes, I do wonder if there's some reasonable way for QEMU to re-create the KVM VM from scratch, to make this hardware limitation more transparent for all mgmt apps. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ Devel mailing list -- devel@xxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
