On 8/2/2022 5:49 PM, Daniel P. Berrangé wrote:
> On Tue, Aug 02, 2022 at 03:47:10PM +0800, Xiaoyao Li wrote:
>> - CPU model
>> We cannot create a TD with an arbitrary CPU model like for non-TDX VMs,
>> because only a subset of features can be configured for a TD.
>> - It's recommended to use '-cpu host' to create a TD;
>> - '+feature/-feature' might not work as expected;
>> future work: To introduce specific CPU models for TDs and enhance +/-features
>> for TDs.
>
> Which features are incompatible with TDX ?

TDX enforces some features fixed to 1 (e.g., CPUID_EXT_X2APIC,
CPUID_EXT_HYPERVISOR) and some fixed to 0 (e.g., CPUID_EXT_VMX).
Details can be found in patch 8 and the TDX spec chapter "CPUID virtualization".

> Presumably you have such a list, so that KVM can block them when
> using '-cpu host' ?

No, KVM doesn't do this. The result is that no error is reported from KVM, but
what the TD OS sees from CPUID might be different from what the user specifies in QEMU.

> If so, we should be able to sanity check the
> use of these features in QEMU for the named CPU models / feature
> selection too.

This series enhances get_supported_cpuid() for TDX. If named CPU models
are used to boot a TDX guest, it likely gets a warning of "xxx feature is
not available".

We have another series to enhance the "-feature" for TDX, to warn if
some fixed1 feature is specified to be removed. Besides, we will introduce
a specific named CPU model for TDX, e.g., TDX-SapphireRapids, which
contains the maximum feature set a TDX guest can have on an SPR host.

> With regards,
> Daniel
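The sanity check discussed in this exchange, as an added example in C that is not code from the QEMU series or from the TDX spec: it applies fixed-1 / fixed-0 masks to a requested CPUID.(EAX=1):ECX value and reports every bit where the TD would silently differ from what the user asked for. The masks are constructed from only the three bits named above (the real lists are in the spec), and the TDX_ECX_* names, the struct and both functions are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* CPUID.(EAX=1):ECX feature bits, named as in QEMU's target/i386/cpu.h. */
#define CPUID_EXT_VMX        (1U << 5)
#define CPUID_EXT_X2APIC     (1U << 21)
#define CPUID_EXT_HYPERVISOR (1U << 31)
/* Constructed masks for this example only; the full fixed-1 / fixed-0 sets
 * are in the TDX spec chapter "CPUID virtualization". */
#define TDX_ECX_FIXED1 (CPUID_EXT_X2APIC | CPUID_EXT_HYPERVISOR)
#define TDX_ECX_FIXED0 (CPUID_EXT_VMX)
typedef struct {
    uint32_t effective;        /* what the TD guest will actually see */
    uint32_t silently_set;     /* fixed-1 bits the user tried to clear */
    uint32_t silently_cleared; /* fixed-0 bits the user tried to set */
} tdx_ecx_check;

/* Apply TDX's fixed bits to the requested ECX value and record every bit
 * where the TD will silently differ from what the user asked for. */
tdx_ecx_check tdx_check_ecx(uint32_t requested)
{
    tdx_ecx_check r;
    r.effective = (requested | TDX_ECX_FIXED1) & ~TDX_ECX_FIXED0;
    r.silently_set = TDX_ECX_FIXED1 & ~requested;
    r.silently_cleared = TDX_ECX_FIXED0 & requested;
    return r;
}

/* Warn once per mismatched bit instead of letting KVM apply it silently;
 * returns the number of warnings emitted. */
int tdx_warn_ecx(uint32_t requested)
{
    static const struct { uint32_t bit; const char *name; } names[] = {
        { CPUID_EXT_VMX, "vmx" }, { CPUID_EXT_X2APIC, "x2apic" },
        { CPUID_EXT_HYPERVISOR, "hypervisor" },
    };
    tdx_ecx_check r = tdx_check_ecx(requested);
    int n = 0;
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (r.silently_set & names[i].bit) {
            fprintf(stderr, "warning: TDX forces %s on; '-%s' is ignored\n", names[i].name, names[i].name);
            n++;
        } else if (r.silently_cleared & names[i].bit) {
            fprintf(stderr, "warning: TDX forces %s off; '+%s' is ignored\n", names[i].name, names[i].name);
            n++;
        }
    }
    return n;
}
```

Requesting "+vmx" together with "-x2apic,-hypervisor" yields three warnings and an effective value of x2apic|hypervisor, which is what the TD OS would see regardless of the request.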