On Mon, Nov 24, 2025 at 01:47:08PM +0100, Peter Krempa wrote:
On Mon, Nov 24, 2025 at 12:15:06 +0000, Daniel P. Berrangé via Devel wrote:
From: Daniel P. Berrangé <berrange@redhat.com>
Querying existence of the 'tdx-guest' type merely tells us whether QEMU has been compiled with TDX support, not whether it is usable on the host. Thus QEMU was incorrectly reporting
<tdx supported='yes'/> ... <launchSecurity supported='yes'> <enum name='sectype'> <value>tdx</value> </enum> </launchSecurity>
on every platform with new enough QEMU.
Unfortunately an earlier patch for a 'query-tdx-capabilities' QMP command in QEMU was dropped, so there is no way to ask QEMU whether it can launch a TDX guest. Libvirt must directly query the KVM device and ask for supported VM types.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/qemu/qemu_capabilities.c | 51 ++++++++++++++++++++++++++++++++++++ src/qemu/qemu_capabilities.h | 3 +++ tests/domaincapsmock.c | 6 +++++ 3 files changed, 60 insertions(+)
[...]
@@ -3686,6 +3692,50 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCaps *qemuCaps, }
+bool +virQEMUCapsKVMSupportsVMTypeTDX(void) +{ +#if defined(KVM_CAP_VM_TYPES) && defined(KVM_X86_TDX_VM) + VIR_AUTOCLOSE kvmfd = -1; + int types; + + if (!virFileExists(KVM_DEVICE)) + return false; + + if ((kvmfd = open(KVM_DEVICE, O_RDONLY)) < 0) { + VIR_DEBUG("Unable to open %s, cannot check TDX", KVM_DEVICE); + return false; + } + + if ((types = ioctl(kvmfd, KVM_CHECK_EXTENSION, KVM_CAP_VM_TYPES)) < 0) + types = false;
Either 'types = 0' or 'return false;'
Opps, yes, it should be 'types=0', as I wanted the following VIR_DEBUG line to remain visible.
+ + VIR_DEBUG("KVM VM types: 0x%x", types); + + return !!(types & (1 << KVM_X86_TDX_VM));
Is there possibility that the answer could change based on some external input where libvirt's cache isn't invalidated?
We already have logic to invalidate the cache when the kernel version changes, as we have other areas where we rely on /dev/kvm behaviour. So that existing logic should be sufficient for this.
+#else + VIR_DEBUG("KVM not compiled"); + return false; +#endif +}
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|