RE: [PATCH rfcv4 05/13] conf: add tdx as launch security type

-----Original Message----- From: Daniel P. Berrangé <berrange(a)redhat.com&gt; Subject: Re: [PATCH rfcv4 05/13] conf: add tdx as launch security type On Wed, Mar 26, 2025 at 02:45:55AM +0000, Duan, Zhenzhong wrote: > > > >-----Original Message----- > >From: Daniel P. Berrangé <berrange(a)redhat.com&gt; > >Subject: Re: [PATCH rfcv4 05/13] conf: add tdx as launch security type > > > >On Fri, May 24, 2024 at 02:21:20PM +0800, Zhenzhong Duan wrote: > >> When 'tdx' is used, the VM will launched with Intel TDX feature enabled. > >> TDX feature supports running encrypted VM (Trust Domain, TD) under the > >> control of KVM. A TD runs in a CPU model which protects the > >> confidentiality of its memory and its CPU state from other software > >> > >> There is a child element 'policy' and three optional element for tdx type. > >> In 'policy', bit 0 is set to enable TDX debug, bit 28 set to enable > >> sept-ve-disable, other bits are reserved currently. mrConfigId, mrOwner > >> and mrOwnerConfig are base64 encoded SHA384 digest. > >> > >> For example: > >> > >> <launchSecurity type='tdx'> > >> <policy>0x10000001</policy> > >> <mrConfigId>xxx</mrConfigId> > >> <mrOwner>xxx</mrOwner> > >> <mrOwnerConfig>xxx</mrOwnerConfig> > >> </launchSecurity> > >> > >> Signed-off-by: Zhenzhong Duan <zhenzhong.duan(a)intel.com&gt; > >> --- > >> src/conf/domain_conf.c | 42 +++++++++++++++++++++++++++++++ > >> src/conf/domain_conf.h | 9 +++++++ > >> src/conf/schemas/domaincommon.rng | 29 +++++++++++++++++++++ > >> src/conf/virconftypes.h | 2 ++ > >> src/qemu/qemu_command.c | 2 ++ > >> src/qemu/qemu_firmware.c | 1 + > >> src/qemu/qemu_namespace.c | 1 + > >> src/qemu/qemu_process.c | 1 + > >> src/qemu/qemu_validate.c | 1 + > >> 9 files changed, 88 insertions(+) > >> > >> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c > >> index a0912062ff..c557da0c65 100644 > >> --- a/src/conf/domain_conf.c > >> +++ b/src/conf/domain_conf.c > > > > > >> @@ -13649,6 +13654,24 @@ virDomainSEVDefParseXML(virDomainSEVDef > >*def, > >> } > >> > >> > >> +static int > >> +virDomainTDXDefParseXML(virDomainTDXDef *def, > >> + xmlXPathContextPtr ctxt) > >> +{ > >> + if (virXPathULongLongBase("string(./policy)", ctxt, 16, &def->policy) < 0) { > >> + virReportError(VIR_ERR_XML_ERROR, "%s", > >> + _("failed to get launch security policy for launch security type > >TDX")); > >> + return -1; > >> + } > > > >This makes the 'policy' attribute mandatory, but QEMU is quite happy > >with it being unset, so we should not require this in libvirt either. > > Yes, but I am trying to align with SEV which has same issue. > So aligning with SEV vs. making TDX's 'policy' optional, you prefer the 2nd? Pls confirm. Yes, consistency is good. So if QEMU's sev/snp object lets policy be optional, then we should make the same change in libvirt's SEV parsing code too.