-----Original Message-----
From: Daniel P. Berrangé <berrange(a)redhat.com>
Subject: Re: [PATCH rfcv3 06/11] qemu: force special parameters enabled for TDX guest
On Mon, Nov 27, 2023 at 04:55:16PM +0800, Zhenzhong Duan wrote:
> TDX guest requires some special parameters to boot. They are:
>
> "-machine pc-q35-*"
> "kernel_irqchip=split"
>
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan(a)intel.com>
> ---
> src/qemu/qemu_validate.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
> index 5a9173e8ff..c4f386fe99 100644
> --- a/src/qemu/qemu_validate.c
> +++ b/src/qemu/qemu_validate.c
> @@ -1329,6 +1329,16 @@ qemuValidateDomainDef(const virDomainDef
*def,
> _("INTEL TDX launch security is not supported
with this
QEMU binary"));
> return -1;
> }
> + if (!qemuDomainIsQ35(def)) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("Intel TDX is supported with q35 machine
types
only"));
> + return -1;
> + }
Ideally QMP 'MachineInfo' struct would report whether TDX is supported
so we don't need to hardcode that.
As you suggested in previous mails, I'll remove the Q35 check.
> + if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] !=
VIR_DOMAIN_IOAPIC_QEMU) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("INTEL TDX launch security needs split
kernel
irqchip"));
s/INTEL/Intel/
Ideally QEMU would automatically use the correct ioapic impl when no
args are given to QEMU. That would let us do
    if (def->features[VIR_DOMAIN_FEATURE_IOAPIC] == VIR_DOMAIN_IOAPIC_KVM) {
thus allowing IOAPIC_NONE (ie QEMU's default) or IOAPIC_QEMU (explicitly
requested config). This will make TDX guest "just work" in more scenarios.
It looks like the matching QEMU doesn't do this automation for kernel-irqchip yet.
@Li, Xiaoyao could you add this automation on QEMU side? Meanwhile
I'll apply Daniel's suggested change on libvirt side.
Thanks
Zhenzhong
> + return -1;
> + }
> break;
> case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
> case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
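Review bot: Both added checks only reject the configuration with VIR_ERR_CONFIG_UNSUPPORTED and return -1, while the subject line says the special parameters are forced enabled; either retitle the commit to say it validates them, or set the values where defaults are filled in so a TDX domain that leaves them unset is not refused. In the second check, the message "INTEL TDX launch security needs split kernel irqchip" does not name the ioapic feature that the condition reads (def->features[VIR_DOMAIN_FEATURE_IOAPIC]), so the user cannot tell from the error which part of the domain configuration to change; mention the ioapic feature in the message. The diffstat shows only src/qemu/qemu_validate.c touched, so this patch adds no test case for either rejection path.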
> --
> 2.34.1
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|