Re: [PATCH rfcv4 05/13] conf: add tdx as launch security type

When 'tdx' is used, the VM will launched with Intel TDX feature enabled. TDX feature supports running encrypted VM (Trust Domain, TD) under the control of KVM. A TD runs in a CPU model which protects the confidentiality of its memory and its CPU state from other software There is a child element 'policy' and three optional element for tdx type. In 'policy', bit 0 is set to enable TDX debug, bit 28 set to enable sept-ve-disable, other bits are reserved currently. mrConfigId, mrOwner and mrOwnerConfig are base64 encoded SHA384 digest. For example: <launchSecurity type='tdx'> <policy>0x10000001</policy> <mrConfigId>xxx</mrConfigId> <mrOwner>xxx</mrOwner> <mrOwnerConfig>xxx</mrOwnerConfig> </launchSecurity> Signed-off-by: Zhenzhong Duan <zhenzhong.duan(a)intel.com&gt; --- src/conf/domain_conf.c | 42 +++++++++++++++++++++++++++++++ src/conf/domain_conf.h | 9 +++++++ src/conf/schemas/domaincommon.rng | 29 +++++++++++++++++++++ src/conf/virconftypes.h | 2 ++ src/qemu/qemu_command.c | 2 ++ src/qemu/qemu_firmware.c | 1 + src/qemu/qemu_namespace.c | 1 + src/qemu/qemu_process.c | 1 + src/qemu/qemu_validate.c | 1 + 9 files changed, 88 insertions(+) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index a0912062ff..c557da0c65 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -1508,6 +1508,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity, "", "sev", "s390-pv", + "tdx", ); typedef enum { @@ -3832,6 +3833,10 @@ virDomainSecDefFree(virDomainSecDef *def) g_free(def->data.sev.dh_cert); g_free(def->data.sev.session); break; + case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + g_free(def->data.tdx.mrconfigid); + g_free(def->data.tdx.mrowner); + g_free(def->data.tdx.mrownerconfig);

case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: