-----Original Message-----
From: Daniel P. Berrangé <berrange(a)redhat.com>
Subject: Re: [PATCH rfcv3 04/11] conf: add tdx as launch security type
On Mon, Nov 27, 2023 at 04:55:14PM +0800, Zhenzhong Duan wrote:
> When 'tdx' is used, the VM will be launched with Intel TDX feature enabled.
> TDX feature supports running encrypted VM (Trust Domain, TD) under the
> control of KVM. A TD runs in a CPU model which protects the
> confidentiality of its memory and its CPU state from other software
>
> There is a child element 'policy' and four optional elements for tdx type.
> In 'policy', bit 0 is set to enable TDX debug, bit 28 set to enable
> sept-ve-disable, other bits are reserved currently. mrConfigId, mrOwner
> and mrOwnerConfig are hex strings of 48 * 2 length each.
> Quote-Generation-Service is a string to specify Quote Generation Service (QGS)
> in qemu socket address format. The examples of the supported format are
> "vsock:2:1234", "unix:/run/qgs", "localhost:1234".
>
> For example:
>
> <launchSecurity type='tdx'>
> <policy>0x1</policy>
> <mrConfigId>xxx...xxx</mrConfigId>
> <mrOwner>xxx...xxx</mrOwner>
> <mrOwnerConfig>xxx...xxx</mrOwnerConfig>
> <Quote-Generation-Service>xxx</Quote-Generation-Service>
> </launchSecurity>
On the QEMU side, the quote generation service is defined as
'*quote-generation-socket': 'SocketAddress'
we need to model 'SocketAddress' in the XML properly, not
just as an opaque string.
Good suggestion.
Also given the naming for the rest of the elements, this
should also use caps, eg <quoteGenerationService>
Will do.
>
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan(a)intel.com>
> ---
> src/conf/domain_conf.c | 46 +++++++++++++++++++++++++++++++
> src/conf/domain_conf.h | 10 +++++++
> src/conf/schemas/domaincommon.rng | 34 +++++++++++++++++++++++
> src/conf/virconftypes.h | 2 ++
> src/qemu/qemu_command.c | 2 ++
> src/qemu/qemu_firmware.c | 1 +
> src/qemu/qemu_namespace.c | 1 +
> src/qemu/qemu_process.c | 1 +
> src/qemu/qemu_validate.c | 1 +
Schema additions need something added to docs/formatdomain.rst to
document them, as well as example XML added under tests/ to validate
the parsing and formatting logic, and the QEMU command line args
generation.
Will do.
Thanks
Zhenzhong
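
Added example, not part of the patch or of libvirt: a Python check of the tdx `<launchSecurity>` constraints stated in the commit message (only policy bits 0 and 28 defined, mr* values of 48 * 2 hex digits) that also splits the QGS string into a structured address instead of keeping it opaque, as the review asks. The element name is the one posted in the patch; the function names, the `type` labels in the returned dict and the sample XML are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

POLICY_DEBUG = 1 << 0             # bit 0: TDX debug
POLICY_SEPT_VE_DISABLE = 1 << 28  # bit 28: sept-ve-disable
POLICY_KNOWN = POLICY_DEBUG | POLICY_SEPT_VE_DISABLE  # every other bit is reserved
MR_FIELDS = ("mrConfigId", "mrOwner", "mrOwnerConfig")
MR_HEX = re.compile(r"[0-9a-fA-F]{96}")   # 48 bytes written as 48 * 2 hex digits
QGS_ELEMENT = "Quote-Generation-Service"  # element name as posted in the patch
# Constructed sample input (not taken from the patch or its tests).
SAMPLE = ("<launchSecurity type='tdx'><policy>0x10000001</policy>"
          f"<mrOwner>{'ab' * 48}</mrOwner>"
          "<Quote-Generation-Service>vsock:2:1234</Quote-Generation-Service></launchSecurity>")

def parse_qgs(addr):
    """Split a QGS address (the three forms quoted in the mail) into a dict."""
    if addr.startswith("unix:"):
        path = addr[len("unix:"):]
        if not path:
            raise ValueError("unix socket path is empty")
        return {"type": "unix", "path": path}
    if addr.startswith("vsock:"):
        parts = addr.split(":")
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            raise ValueError("vsock address must be vsock:<cid>:<port>")
        return {"type": "vsock", "cid": int(parts[1]), "port": int(parts[2])}
    host, sep, port = addr.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("inet address must be <host>:<port>")
    return {"type": "inet", "host": host, "port": int(port)}

def validate_tdx(xml_text):
    """Return (policy, qgs) for a tdx launchSecurity element, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "launchSecurity" or root.get("type") != "tdx":
        raise ValueError("not a tdx launchSecurity element")
    policy_text = root.findtext("policy")
    if policy_text is None:
        raise ValueError("missing <policy>")
    policy = int(policy_text.strip(), 0)  # accepts 0x-prefixed or decimal
    if policy & ~POLICY_KNOWN:
        raise ValueError(f"reserved policy bits set: {policy & ~POLICY_KNOWN:#x}")
    for name in MR_FIELDS:  # all three are optional; check only those present
        value = root.findtext(name)
        if value is not None and not MR_HEX.fullmatch(value.strip()):
            raise ValueError(f"<{name}> must be 96 hex digits")
    qgs = root.findtext(QGS_ELEMENT)
    return policy, parse_qgs(qgs.strip()) if qgs is not None else None
```

Rejecting reserved policy bits and short measurement strings at parse time keeps a mistyped value from reaching the QEMU command line unnoticed.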