On Thu, Nov 20, 2025 at 02:25:05PM +0100, Peter Krempa wrote:
On Thu, Nov 20, 2025 at 11:57:54 +0000, Daniel P. Berrangé via Devel wrote:
From: Daniel P. Berrangé <berrange@redhat.com>
Currently domain capabilities will only ever report
<tdx supported='yes'/>
so it is not possible to determine whether libvirt itself is new enough to have TDX support or not, vs the host OS lacking it.
For SEV and s390 prot-virt, the capability is always reported whether supported or not, so do likewise for TDX, so other x86 hosts get:
<tdx supported='no'/>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
[...]
--- diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 67fe5d7acf..2eae52f8c4 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -7120,11 +7120,14 @@ static void virQEMUCapsFillDomainFeatureTDXCaps(virQEMUCaps *qemuCaps, virDomainCaps *domCaps) { - if (domCaps->arch == VIR_ARCH_X86_64 && - domCaps->virttype == VIR_DOMAIN_VIRT_KVM && - virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) && - virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) + if (domCaps->arch == VIR_ARCH_X86_64) { + if (domCaps->virttype == VIR_DOMAIN_VIRT_KVM && + virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST) && + virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_YES; + else + domCaps->features[VIR_DOMAIN_CAPS_FEATURE_TDX] = VIR_TRISTATE_BOOL_NO;
IMO we should say that it's not supported even on non-x86 arches rather than make it seem like the feature doesn't exist.
I did that to be consistent with virQEMUCapsFillDomainFeatureS390PVCaps. Do you think we should report s390 prot-virt as not-avail on x86 too ? With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|