
-----Original Message-----
From: Pavel Hrdina <phrdina@redhat.com>
Sent: Wednesday, July 21, 2021 10:23 PM
To: Duan, Zhenzhong <zhenzhong.duan@intel.com>
Cc: libvir-list@redhat.com; pkrempa@redhat.com; berrange@redhat.com; Yamahata, Isaku <isaku.yamahata@intel.com>; Tian, Jun J <jun.j.tian@intel.com>; Qiang, Chenyi <chenyi.qiang@intel.com>
Subject: Re: [RFC PATCH v2 0/8] LIBVIRT: X86: TDX support
On Fri, Jul 16, 2021 at 11:10:28AM +0800, Zhenzhong Duan wrote:
Thanks for Peter, Pavel and Daniel's comments on the v1 version; now the v2 comes.

[...]

* Misc

Just let you know we have released the v2 version of TDX qemu in [1], and the API for libvirt is keeping stable. Using these patches we have successfully booted and tested a guest both with and without TDX enabled.
Overall looks good. It's missing documentation and the QEMU patches are missing documentation as well. I was looking into the Intel specification but I failed to find the necessary info there as well. What are the values `mrconfigid`, `mrowner`, `mrownerconfig` for, what data is supposed to be stored there, what are the limitations and so on.

From what I could gather, these are exposed in the VM and are used for measurement, but that's it.

Another thing that I've missed in v1: the QEMU patches are introducing a new `-machine pic=no` option, and for TDX the PIC has to be disabled. The libvirt patches are putting it on the QEMU command line but it is not reflected in the VM XML, so I would say we need to introduce a new hypervisor feature [1]:
    <features>
      ...
      <pic state='on|off'/>
      ...
    </features>
[1] <https://libvirt.org/formatdomain.html#hypervisor-features>
* Diff to v1:
  - give up using qmp cmd and check TDX directly on host for TDX capabilities.
  - use launchsecurity framework to support TDX
  - use <os>.<loader> for general loader
  - add auto firmware match feature for TDX

An example TDVF firmware description file 70-edk2-x86_64-tdx.json:

    {
        "description": "UEFI firmware for x86_64, supporting Intel TDX",
        "interface-types": [
            "uefi"
        ],
        "mapping": {
            "device": "generic",
I think using 'loader' as that's the actual device in QEMU used with this firmware will be better. The patches posted to QEMU don't extend `docs/interop/firmware.json`, so this example may change once some specific format is accepted by the QEMU community.

Hi Pavel,

Just want to clarify: do you want 'generic' changed to 'loader' only in 70-edk2-x86_64-tdx.json, or do you also want all the 'generic' and '_GENERIC' strings in ('[RFC PATCH v2 8/8] qemu: Add firmware descriptor support for TDX') to be changed?

Thanks
Zhenzhong
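The thread refers to an "auto firmware match feature for TDX" and to a firmware descriptor file in the style of QEMU's docs/interop/firmware.json. The following is an added example, not libvirt's or QEMU's own code, showing how such descriptor-driven selection works: descriptors are walked in priority order and the first one whose interface type, target machine and feature set satisfy the guest's requirements wins, so a TDX guest gets TDVF while a guest that merely asks for Secure Boot never does. The sample descriptors are constructed inline; the feature name "intel-tdx", the mapping keys under the "generic" device and the firmware file names are assumptions for illustration (the thread itself notes that firmware.json had not yet been extended for TDX).

```python
"""Firmware-descriptor auto-selection in the style of libvirt's <os firmware='efi'>.

Added example, not libvirt's or QEMU's code. The descriptor layout follows
QEMU's docs/interop/firmware.json (description, interface-types, mapping,
targets, features, tags). The "intel-tdx" feature name, the keys used under
the "generic" mapping device and the firmware paths are assumptions.
"""
import json
import re

# Constructed sample descriptors, embedded inline so the example runs offline.
# As in libvirt, a lower numeric prefix means higher priority.
DESCRIPTORS = {
    "50-edk2-x86_64-secure-boot.json": """{
        "description": "UEFI firmware for x86_64, with Secure Boot",
        "interface-types": ["uefi"],
        "mapping": {
            "device": "flash",
            "executable": {"filename": "/usr/share/edk2/OVMF_CODE.secboot.fd", "format": "raw"},
            "nvram-template": {"filename": "/usr/share/edk2/OVMF_VARS.secboot.fd", "format": "raw"}
        },
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "requires-smm", "secure-boot"],
        "tags": []
    }""",
    "70-edk2-x86_64-tdx.json": """{
        "description": "UEFI firmware for x86_64, supporting Intel TDX",
        "interface-types": ["uefi"],
        "mapping": {
            "device": "generic",
            "filename": "/usr/share/edk2/OVMF.inteltdx.fd"
        },
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["intel-tdx"],
        "tags": []
    }""",
}


def machine_matches(pattern, machine):
    """Match a 'machines' glob such as 'pc-q35-*' against a concrete machine type."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, machine) is not None


def descriptor_matches(desc, arch, machine, interface, required, forbidden):
    """True if a single parsed descriptor satisfies every constraint of the guest."""
    if interface not in desc["interface-types"]:
        return False
    if not any(t["architecture"] == arch
               and any(machine_matches(m, machine) for m in t["machines"])
               for t in desc["targets"]):
        return False
    feats = set(desc["features"])
    # Every required feature must be present; no forbidden feature may be.
    return set(required) <= feats and not (feats & set(forbidden))


def select_firmware(descriptors, arch, machine, interface="uefi",
                    required=(), forbidden=()):
    """Return the file name of the first matching descriptor in priority order, or None.

    Descriptors are visited in sorted name order so the numeric prefix decides
    between several matches. This is simplified from libvirt, which also lets
    a same-named file in a higher-priority directory shadow a lower one.
    """
    for name in sorted(descriptors):
        desc = json.loads(descriptors[name])
        if descriptor_matches(desc, arch, machine, interface, required, forbidden):
            return name
    return None


if __name__ == "__main__":
    # A TDX guest needs the intel-tdx feature; a Secure Boot guest must not receive TDVF.
    print(select_firmware(DESCRIPTORS, "x86_64", "pc-q35-6.1", required=["intel-tdx"]))
    print(select_firmware(DESCRIPTORS, "x86_64", "pc-q35-6.1", required=["secure-boot"]))
    print(select_firmware(DESCRIPTORS, "x86_64", "pc-i440fx-6.1", required=["intel-tdx"]))
```

Requesting both "intel-tdx" and "secure-boot" yields no match with these two descriptors, which is the desired failure mode: silently falling back to a non-TDX firmware would leave the guest without the launch protection its XML asked for.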