Re: [PATCH rfcv4 05/13] conf: add tdx as launch security type

Daniel P. Berrangé <berrange@xxxxxxxxxx> · Thu, 6 Jun 2024 09:33:16 +0100

On Fri, May 24, 2024 at 02:21:20PM +0800, Zhenzhong Duan wrote:
> When 'tdx' is used, the VM will launched with Intel TDX feature enabled.
> TDX feature supports running encrypted VM (Trust Domain, TD) under the
> control of KVM. A TD runs in a CPU model which protects the
> confidentiality of its memory and its CPU state from other software
> 
> There is a child element 'policy' and three optional element for tdx type.
> In 'policy', bit 0 is set to enable TDX debug, bit 28 set to enable
> sept-ve-disable, other bits are reserved currently. mrConfigId, mrOwner
> and mrOwnerConfig are base64 encoded SHA384 digest.
> 
> For example:
> 
>  <launchSecurity type='tdx'>
>    <policy>0x10000001</policy>
>    <mrConfigId>xxx</mrConfigId>
>    <mrOwner>xxx</mrOwner>
>    <mrOwnerConfig>xxx</mrOwnerConfig>
>  </launchSecurity>
> 
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@xxxxxxxxx>
> ---
>  src/conf/domain_conf.c            | 42 +++++++++++++++++++++++++++++++
>  src/conf/domain_conf.h            |  9 +++++++
>  src/conf/schemas/domaincommon.rng | 29 +++++++++++++++++++++
>  src/conf/virconftypes.h           |  2 ++
>  src/qemu/qemu_command.c           |  2 ++
>  src/qemu/qemu_firmware.c          |  1 +
>  src/qemu/qemu_namespace.c         |  1 +
>  src/qemu/qemu_process.c           |  1 +
>  src/qemu/qemu_validate.c          |  1 +
>  9 files changed, 88 insertions(+)
> 
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index a0912062ff..c557da0c65 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -1508,6 +1508,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
>                "",
>                "sev",
>                "s390-pv",
> +              "tdx",
>  );
>  
>  typedef enum {
> @@ -3832,6 +3833,10 @@ virDomainSecDefFree(virDomainSecDef *def)
>          g_free(def->data.sev.dh_cert);
>          g_free(def->data.sev.session);
>          break;
> +    case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
> +        g_free(def->data.tdx.mrconfigid);
> +        g_free(def->data.tdx.mrowner);
> +        g_free(def->data.tdx.mrownerconfig);

Missing 'break' here. I'm surprised the compiler didn't complain,
as we have warning flags set to require explicit marking of case
fallthroughs.

>      case VIR_DOMAIN_LAUNCH_SECURITY_PV:
>      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
>      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|