-----Original Message----- From: Daniel P. Berrangé <berrange@redhat.com> Subject: Re: [PATCH rfcv3 04/11] conf: add tdx as launch security type
On Mon, Nov 27, 2023 at 04:55:14PM +0800, Zhenzhong Duan wrote:
When 'tdx' is used, the VM will launched with Intel TDX feature enabled. TDX feature supports running encrypted VM (Trust Domain, TD) under the control of KVM. A TD runs in a CPU model which protects the confidentiality of its memory and its CPU state from other software
There is a child element 'policy' and four optional element for tdx type. In 'policy', bit 0 is set to enable TDX debug, bit 28 set to enable sept-ve-disable, other bits are reserved currently. mrConfigId, mrOwner and mrOwnerConfig are hex string of 48 * 2 length each. Quote-Generation-Service is string to specify Quote Generation Service(QGS) in qemu socket address format. The examples of the supported format are "vsock:2:1234", "unix:/run/qgs", "localhost:1234".
For example:
<launchSecurity type='tdx'> <policy>0x1</policy> <mrConfigId>xxx...xxx</mrConfigId> <mrOwner>xxx...xxx</mrOwner> <mrOwnerConfig>xxx...xxx</mrOwnerConfig> <Quote-Generation-Service>xxx</Quote-Generation-Service> </launchSecurity>
On the QEMU side, the quote generateo sevice is defined as
'*quote-generation-socket': 'SocketAddress'
we need to model 'SocktetAddress' in the XML properly, not just as an opaque string.
Good suggestion.
Also given the naming for the rest of the elements, this should also use caps, eg <quoteGenerationService>
Will do.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> --- src/conf/domain_conf.c | 46
+++++++++++++++++++++++++++++++
src/conf/domain_conf.h | 10 +++++++ src/conf/schemas/domaincommon.rng | 34 +++++++++++++++++++++++ src/conf/virconftypes.h | 2 ++ src/qemu/qemu_command.c | 2 ++ src/qemu/qemu_firmware.c | 1 + src/qemu/qemu_namespace.c | 1 + src/qemu/qemu_process.c | 1 + src/qemu/qemu_validate.c | 1 +
Schema additions need something added to docs/formatdomain.rst to document them, as well as example XML added under tests/ to validate the parsing and formatting logic, and the QEMU command line args generation.
Will do. Thanks Zhenzhong