RE: [PATCH rfcv4 02/13] qemu: Check if INTEL Trust Domain Extention support is enabled


 




>-----Original Message-----
>From: Daniel P. Berrangé <berrange@xxxxxxxxxx>
>Subject: Re: [PATCH rfcv4 02/13] qemu: Check if INTEL Trust Domain
>Extention support is enabled
>
>On Fri, May 24, 2024 at 02:21:17PM +0800, Zhenzhong Duan wrote:
>> Implement TDX check in order to generate domain feature capability
>> correctly in case the availability of the feature changed.
>>
>> For INTEL TDX the verification is:
>>  - checking if "/sys/module/kvm_intel/parameters/tdx" contains the
>>    value 'Y': meaning TDX is enabled in the host kernel.
>>
>> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@xxxxxxxxx>
>> Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
>> ---
>>  src/qemu/qemu_capabilities.c | 21 ++++++++++++++++++++-
>>  1 file changed, 20 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
>> index 21f93c6774..7cccc28e80 100644
>> --- a/src/qemu/qemu_capabilities.c
>> +++ b/src/qemu/qemu_capabilities.c
>> @@ -5112,6 +5112,24 @@
>virQEMUCapsKVMSupportsSecureGuestAMD(void)
>>  }
>>
>>
>> +/*
>> + * Check whether INTEL Trust Domain Extention (x86) is enabled
>> + */
>> +static bool
>> +virQEMUCapsKVMSupportsSecureGuestINTEL(void)
>> +{
>> +    g_autofree char *modValue = NULL;
>> +
>> +    if (virFileReadValueString(&modValue,
>"/sys/module/kvm_intel/parameters/tdx") < 0)
>> +        return false;
>> +
>> +    if (modValue[0] != 'Y')
>> +        return false;
>> +
>> +    return true;
>> +}
>> +
>> +
>>  /*
>>   * Check whether the secure guest functionality is enabled.
>>   * See the specific architecture function for details on the verifications
>made.
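Review bot: The comment above virQEMUCapsKVMSupportsSecureGuestINTEL() misspells "Extension" as "Extention" and does not say what is checked. The commit message states that the function reads /sys/module/kvm_intel/parameters/tdx and treats a leading 'Y' as enabled; repeating that in the comment would make it clear that the check covers only the host kernel's kvm_intel module parameter. The last two statements could also be reduced to return modValue[0] == 'Y'; without changing behaviour.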
>> @@ -5125,7 +5143,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
>>          return virQEMUCapsKVMSupportsSecureGuestS390();
>>
>>      if (ARCH_IS_X86(arch))
>> -        return virQEMUCapsKVMSupportsSecureGuestAMD();
>> +        return virQEMUCapsKVMSupportsSecureGuestAMD() ||
>> +               virQEMUCapsKVMSupportsSecureGuestINTEL();
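Review bot: The x86 branch in virQEMUCapsKVMSupportsSecureGuest() now returns a single boolean that is true when either the AMD check or the new INTEL check passes, so the caller cannot tell which technology is enabled. If this value is compared to detect that "the availability of the feature changed", as the commit message describes, a change in the tdx parameter would not alter the result on a host where the AMD check already returns true. Consider tracking the two results separately, or state in the comment above this function that on x86 either technology is sufficient.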
>
>You were just copying our existing pattern here which is good practice,
>but I think our existing pattern was wrong. We should have named it after
>the technology, not the vendor. IOW, let's call your new function
>
>  virQEMUCapsKVMSupportsSecureGuestTDX()

Got it.

Thanks
Zhenzhong



