On Thu, Nov 20, 2025 at 13:34:13 +0000, Daniel P. Berrangé wrote:
On Thu, Nov 20, 2025 at 02:25:05PM +0100, Peter Krempa wrote:
On Thu, Nov 20, 2025 at 11:57:54 +0000, Daniel P. Berrangé via Devel wrote:
From: Daniel P. Berrangé <berrange@redhat.com>
Currently domain capabilities will only ever report
<tdx supported='yes'/>
so it is not possible to determine whether libvirt itself is new enough to have TDX support or not, vs the host OS lacking it.
For SEV and s390 prot-virt, the capability is always reported whether supported or not, so do likewise for TDX, so other x86 hosts get:
<tdx supported='no'/>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
[...]
--- diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 67fe5d7acf..2eae52f8c4 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -7120,11 +7120,14 @@ static void virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps, virDomainCaps *domCaps) { - if (domCaps->arch == VIR_ARCH_X86_64 && - domCaps->virttype == VIR_DOMAIN_VIRT_KVM && - virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) && - virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) + if (domCaps->arch == VIR_ARCH_X86_64) { + if (domCaps->virttype == VIR_DOMAIN_VIRT_KVM && + virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) && + virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_YES; + else + domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_NO;
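Review bot: on x86_64 the new inner if/else has a three-line condition followed by unbraced single-statement bodies, nested inside the braced outer "if (domCaps->arch == VIR_ARCH_X86_64) {"; put braces around both the VIR_TRISTATE_BOOL_YES and the VIR_TRISTATE_BOOL_NO assignment so the else pairing is obvious at a glance. The outer arch check also means nothing is assigned to features[VIR_DOMAIN_CAPS_FEATURE_TDX] when arch is not x86_64, while an x86_64 domain whose virttype is not VIR_DOMAIN_VIRT_KVM now gets VIR_TRISTATE_BOOL_NO; a short comment above the outer check stating that leaving other arches unset is deliberate would document that asymmetry.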
IMO we should say that it's not supported even on non-x86 arches rather than make it seem like the feature doesn't exist.
I did that to be consistent with virQEMUCapsFillDomainFeatureS390PVCaps.
Do you think we should report s390 prot-virt as not-avail on x86 too?
Well yes. Libvirt does already have that feature and that feature doesn't work on that host. IMO there's no difference if you have a box where the feature doesn't work or have a kernel that doesn't support it.
If, as you mentioned in 1/2, you want to keep this patch minimal for backports, I'm okay to do it in a follow-up.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>