RE: [PATCH rfcv3 01/11] qemu: Check if INTEL Trust Domain Extention support is enabled
-----Original Message-----
From: Daniel P. Berrangé <berrange(a)redhat.com>
Subject: Re: [PATCH rfcv3 01/11] qemu: Check if INTEL Trust Domain
Extention support is enabled
On Mon, Nov 27, 2023 at 04:55:11PM +0800, Zhenzhong Duan wrote:
> Implement TDX check in order to generate domain feature capability
> correctly in case the availability of the feature changed.
>
> For INTEL TDX the verification is:
> - checking if "/sys/module/kvm_intel/parameters/tdx" contains the
> value 'Y': meaning TDX is enabled in the host kernel.
>
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan(a)intel.com>
> ---
> src/qemu/qemu_capabilities.c | 21 ++++++++++++++++++++-
> 1 file changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index 83119e871a..5f806c68fb 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -5098,6 +5098,24 @@
virQEMUCapsKVMSupportsSecureGuestAMD(void)
> }
>
>
> +/*
> + * Check whether INTEL Trust Domain Extention (x86) is enabled
> + */
> +static bool
> +virQEMUCapsKVMSupportsSecureGuestINTEL(void)
> +{
> + g_autofree char *modValue = NULL;
> +
> + if (virFileReadValueString(&modValue,
"/sys/module/kvm_intel/parameters/tdx") < 0)
> + return false;
> +
> + if (modValue[0] != 'Y')
> + return false;
> +
> + return true;
> +}
It is worth adding this as a check to tools/virt-host-validate-qemu.c
too, but not a requirement for this patch.
Got it, will do.
Thanks
Zhenzhong
> +
> +
> /*
> * Check whether the secure guest functionality is enabled.
> * See the specific architecture function for details on the verifications
made.
> @@ -5111,7 +5129,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
> return virQEMUCapsKVMSupportsSecureGuestS390();
>
> if (ARCH_IS_X86(arch))
> - return virQEMUCapsKVMSupportsSecureGuestAMD();
> + return virQEMUCapsKVMSupportsSecureGuestAMD() ||
> + virQEMUCapsKVMSupportsSecureGuestINTEL();
>
> return false;
> }
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|