RE: [RFC PATCH v2 0/8] LIBVIRT: X86: TDX support

-----Original Message----- From: Pavel Hrdina <phrdina(a)redhat.com&gt; Sent: Wednesday, July 21, 2021 10:23 PM To: Duan, Zhenzhong <zhenzhong.duan(a)intel.com&gt; Cc: libvir-list(a)redhat.com; pkrempa(a)redhat.com; berrange(a)redhat.com; Yamahata, Isaku <isaku.yamahata(a)intel.com>; Tian, Jun J <jun.j.tian(a)intel.com>; Qiang, Chenyi <chenyi.qiang(a)intel.com&gt; Subject: Re: [RFC PATCH v2 0/8] LIBVIRT: X86: TDX support On Fri, Jul 16, 2021 at 11:10:28AM +0800, Zhenzhong Duan wrote: > Thanks Peter, Pavel and Daniel's comments on v1 version, now the v2 comes.

> * Misc > Just let you know we have released v2 version of TDX qemu in [1], and > the API for libvirt is keeping stable. Using these patches we have > succesfully booted and tested a guest both with and without TDX enabled. Overall looks good. It's missing documentation and the QEMU patches are missing documentation as well. I was looking into Intel specification but I failed to find the necessary info there as well. What are the values `mrconfigid`, `mrowner`, `mrownerconfig` for, what data is supposed to be stored there, what are the limitation and so on. What I could gather these are exposed in the VM and are used for measurement but that's it. Another thing that I've missed in v1, QEMU patches are introducing new `- machine pic=no` option and for TDX PIC has to be disabled. The libvirt patches are putting it on the QEMU command line but it is not reflected in the VM XML, so I would say we need to introduce new hypervisor feature [1]: <features> ... <pic state='on|off'/> ... </features> [1] <https://libvirt.org/formatdomain.html#hypervisor-features> > * Diff to v1: > - give up using qmp cmd and check TDX directly on host for TDX capabilities. > - use launchsecurity framework to support TDX > - use <os>.<loader> for general loader > - add auto firmware match feature for TDX > > A example TDVF fimware description file 70-edk2-x86_64-tdx.json: > { > "description": "UEFI firmware for x86_64, supporting Intel TDX", > "interface-types": [ > "uefi" > ], > "mapping": { > "device": "generic", I think using 'loader' as that's the actual device in QEMU used with this firmware will be better. The patches posted to QEMU doesn't extend `docs/interop/firmware.json` so this example may change once some specific format is accepted by QEMU community.