
On Mon, Jun 30, 2025 at 02:17:18PM +0800, Zhenzhong Duan wrote:
When 'tdx' is used, the VM will be launched with the Intel TDX feature enabled. The TDX feature supports running an encrypted VM (Trust Domain, TD) under the control of KVM. A TD runs in a CPU model which protects the confidentiality of its memory and its CPU state from other software.
There are four optional child elements. The policy element is a 64-bit hex value: bit 0 is set to enable TDX debug, bit 28 is set to enable sept-ve-disable, and the other bits are currently reserved. When policy isn't specified, QEMU will use its own default value 0x10000000. mrConfigId, mrOwner and mrOwnerConfig are base64-encoded SHA384 digest strings.
For example:
  <launchSecurity type='tdx'>
    <policy>0x10000001</policy>
    <mrConfigId>xxx</mrConfigId>
    <mrOwner>xxx</mrOwner>
    <mrOwnerConfig>xxx</mrOwnerConfig>
  </launchSecurity>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
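
The element described in the commit message can be checked before a domain is defined. The following is an added example, not code from the patch or from libvirt: the function name audit_tdx_launch_security, the wording of the findings and the sample XML are assumptions made for illustration, and the input is assumed to be a locally authored domain definition.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

TDX_DEBUG = 1 << 0                # bit 0: TDX debug
TDX_SEPT_VE_DISABLE = 1 << 28     # bit 28: sept-ve-disable
KNOWN_BITS = TDX_DEBUG | TDX_SEPT_VE_DISABLE
QEMU_DEFAULT_POLICY = 0x10000000  # used when <policy> is absent (per the commit message)
SHA384_LEN = 48                   # bytes in a raw SHA384 digest

def audit_tdx_launch_security(xml_text):
    """Return (effective_policy, findings) for a <launchSecurity type='tdx'> element."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "launchSecurity" or elem.get("type") != "tdx":
        raise ValueError("not a <launchSecurity type='tdx'> element")
    findings = []
    policy_text = elem.findtext("policy")
    if policy_text is None:
        policy = QEMU_DEFAULT_POLICY
    else:
        policy = int(policy_text.strip(), 16)  # accepts an optional 0x prefix
        if policy >> 64:
            findings.append("policy does not fit in 64 bits")
    if policy & TDX_DEBUG:
        findings.append("bit 0 set: TDX debug enabled")
    if not policy & TDX_SEPT_VE_DISABLE:
        findings.append("bit 28 clear: sept-ve-disable not enabled")
    if policy & ~KNOWN_BITS:
        findings.append("reserved policy bits set: %#x" % (policy & ~KNOWN_BITS))
    for name in ("mrConfigId", "mrOwner", "mrOwnerConfig"):
        value = elem.findtext(name)
        if value is None:
            continue  # all four child elements are optional
        try:
            raw = base64.b64decode(value.strip(), validate=True)
        except binascii.Error:
            findings.append("%s is not valid base64" % name)
            continue
        if len(raw) != SHA384_LEN:
            findings.append("%s decodes to %d bytes, expected %d" % (name, len(raw), SHA384_LEN))
    return policy, findings

# Constructed sample: debug policy from the commit message plus a made-up owner digest.
_DIGEST = base64.b64encode(hashlib.sha384(b"constructed sample").digest()).decode()
SAMPLE_XML = ("<launchSecurity type='tdx'><policy>0x10000001</policy>"
              "<mrOwner>%s</mrOwner></launchSecurity>" % _DIGEST)
print(audit_tdx_launch_security(SAMPLE_XML))
```

Run against the commit message's own example, the 'xxx' placeholders are reported as invalid base64, so they have to be replaced with real digests before the check passes.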