On Tue, Nov 05, 2024 at 01:24:08AM -0500, Xiaoyao Li wrote: > Add docs/system/i386/tdx.rst for TDX support, and add tdx in > confidential-guest-support.rst > > Signed-off-by: Xiaoyao Li <xiaoyao.li@xxxxxxxxx> > --- > Changes in v6: > - Add more information of "Feature configuration" > - Mark TD Attestation as future work because KVM now drops the support > of it. > > Changes in v5: > - Add TD attestation section and update the QEMU parameter; > > Changes since v1: > - Add prerequisite of private gmem; > - update example command to launch TD; > > Changes since RFC v4: > - add the restriction that kernel-irqchip must be split > --- > docs/system/confidential-guest-support.rst | 1 + > docs/system/i386/tdx.rst | 155 +++++++++++++++++++++ > docs/system/target-i386.rst | 1 + > 3 files changed, 157 insertions(+) > create mode 100644 docs/system/i386/tdx.rst > > diff --git a/docs/system/confidential-guest-support.rst b/docs/system/confidential-guest-support.rst > index 0c490dbda2b7..66129fbab64c 100644 > --- a/docs/system/confidential-guest-support.rst > +++ b/docs/system/confidential-guest-support.rst > @@ -38,6 +38,7 @@ Supported mechanisms > Currently supported confidential guest mechanisms are: > > * AMD Secure Encrypted Virtualization (SEV) (see :doc:`i386/amd-memory-encryption`) > +* Intel Trust Domain Extension (TDX) (see :doc:`i386/tdx`) > * POWER Protected Execution Facility (PEF) (see :ref:`power-papr-protected-execution-facility-pef`) > * s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`) > > diff --git a/docs/system/i386/tdx.rst b/docs/system/i386/tdx.rst > new file mode 100644 > index 000000000000..60106b29bf72 > --- /dev/null > +++ b/docs/system/i386/tdx.rst > +Feature check > +~~~~~~~~~~~~~ > + > +QEMU checks if the final (CPU) features, determined by given cpu model and > +explicit feature adjustment of "+featureA/-featureB", can be supported or not. > +It can produce feature not supported warnning like Typo in 'warnning' - repeated 'n' > + > + "warning: host doesn't support requested feature: CPUID.07H:EBX.intel-pt [bit 25]" > + > +It will also procude warning like > + > + "warning: TDX forcibly sets the feature: CPUID.80000007H:EDX.invtsc [bit 8]" > + > +if the fixed-1 feature is requested to be disabled explicitly. This is newly > +added to QEMU for TDX because TDX has fixed-1 features that are enfored enabled > +by TDX module and VMM cannot disable them. > + > +Launching a TD (TDX VM) > +----------------------- > + > +To launch a TDX guest, below are new added and required: > + > +.. parsed-literal:: > + > + |qemu_system_x86| \\ > + -object tdx-guest,id=tdx0 \\ > + -machine ...,kernel-irqchip=split,confidential-guest-support=tdx0 \\ > + -bios OVMF.fd \\ > + > +restrictions Capitalize initial "R" > +------------ With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
