On Mon, Nov 24, 2025 at 12:15:06 +0000, Daniel P. Berrangé via Devel wrote:
From: Daniel P. Berrangé <berrange@redhat.com>
Querying existence of the 'tdx-guest' type merely tells us whether QEMU has been compiled with TDX support, not whether it is usable on the host. Thus QEMU was incorrectly reporting
    <tdx supported='yes'/>
    ...
    <launchSecurity supported='yes'>
      <enum name='sectype'>
        <value>tdx</value>
      </enum>
    </launchSecurity>
on every platform with new enough QEMU.
Unfortunately an earlier patch for a 'query-tdx-capabilities' QMP command in QEMU was dropped, so there is no way to ask QEMU whether it can launch a TDX guest. Libvirt must directly query the KVM device and ask for supported VM types.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/qemu/qemu_capabilities.c | 51 ++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_capabilities.h |  3 +++
 tests/domaincapsmock.c       |  6 +++++
 3 files changed, 60 insertions(+)
[...]
@@ -3686,6 +3692,50 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCaps *qemuCaps, }
+bool +virQEMUCapsKVMSupportsVMTypeTDX(void) +{ +#if defined(KVM_CAP_VM_TYPES) && defined(KVM_X86_TDX_VM) + VIR_AUTOCLOSE kvmfd = -1; + int types; + + if (!virFileExists(KVM_DEVICE)) + return false; + + if ((kvmfd = open(KVM_DEVICE, O_RDONLY)) < 0) { + VIR_DEBUG("Unable to open %s, cannot check TDX", KVM_DEVICE); + return false; + } + + if ((types = ioctl(kvmfd, KVM_CHECK_EXTENSION, KVM_CAP_VM_TYPES)) < 0) + types = false;
Either 'types = 0' or 'return false;'
+ + VIR_DEBUG("KVM VM types: 0x%x", types); + + return !!(types & (1 << KVM_X86_TDX_VM));
Is there a possibility that the answer could change based on some external input where libvirt's cache isn't invalidated?
+#else + VIR_DEBUG("KVM not compiled"); + return false; +#endif +}
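Review bot: In the #else branch of virQEMUCapsKVMSupportsVMTypeTDX() the debug message "KVM not compiled" does not match the condition that selects it. That branch is taken when KVM_CAP_VM_TYPES or KVM_X86_TDX_VM is not defined at build time, so wording along the lines of "KVM headers lack TDX VM type definitions" would keep the log accurate for anyone diagnosing why TDX is reported as unsupported. The failed KVM_CHECK_EXTENSION path is also silent: it falls through to the "KVM VM types" message without saying the ioctl failed, whereas the open() failure path logs its reason. A VIR_DEBUG on the ioctl failure would make the two paths consistent.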
Reviewed-by: Peter Krempa <pkrempa@redhat.com>