* [pve-devel] [PATCH manager 1/1] Add support for TDX attestation
2025-11-17 10:47 [pve-devel] [PATCH manager/qemu-server 0/2] Add support for Intel TDX attestation Anton Iacobaeus
@ 2025-11-17 10:47 ` Anton Iacobaeus
2025-11-17 16:33 ` [pve-devel] applied: " Fiona Ebner
2025-11-17 10:48 ` [pve-devel] [PATCH qemu-server 1/1] Add support for TDX quote-generation-socket object Anton Iacobaeus
1 sibling, 1 reply; 5+ messages in thread
From: Anton Iacobaeus @ 2025-11-17 10:47 UTC (permalink / raw)
To: pve-devel
Add configuration options for the quote-generation-socket used to communicate
with the Quote Generation Service. This enables attestation support for TDX
using vsock.
More information can be found at:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
This only includes support for vsock. The SocketAddress object in QEMU also
supports unix, inet and fd, which are not commonly used in TDX.
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
www/manager6/qemu/TdxEdit.js | 56 +++++++++++++++++++++++++++++++++++-
1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/www/manager6/qemu/TdxEdit.js b/www/manager6/qemu/TdxEdit.js
index 4a7ed0c4..71735e12 100644
--- a/www/manager6/qemu/TdxEdit.js
+++ b/www/manager6/qemu/TdxEdit.js
@@ -7,9 +7,11 @@ Ext.define('PVE.qemu.TdxInputPanel', {
viewModel: {
data: {
type: '__default__',
+ attestation: 1,
},
formulas: {
tdxEnabled: (get) => get('type') === 'tdx',
+ attestationEnabled: (get) => Number(get('attestation')) === 1,
},
},
@@ -65,7 +67,59 @@ Ext.define('PVE.qemu.TdxInputPanel', {
},
],
- advancedItems: [],
+ advancedItems: [
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Enable Attestation'),
+ labelWidth: 150,
+ name: 'attestation',
+ value: 1,
+ uncheckedValue: 0,
+ bind: {
+ value: '{attestation}',
+ hidden: '{!tdxEnabled}',
+ disabled: '{!tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ fieldLabel: gettext('Socket Type'),
+ labelWidth: 150,
+ name: 'socket-type',
+ value: 'vsock',
+ comboItems: [['vsock', 'VSOCK']],
+ bind: {
+ hidden: '{!tdxEnabled}',
+ disabled: '{!attestationEnabled || !tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'proxmoxintegerfield',
+ fieldLabel: gettext('CID'),
+ labelWidth: 150,
+ name: 'vsock-cid',
+ minValue: 2,
+ value: '2',
+ allowBlank: false,
+ bind: {
+ hidden: '{!tdxEnabled}',
+ disabled: '{!attestationEnabled || !tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'proxmoxintegerfield',
+ fieldLabel: gettext('Port'),
+ labelWidth: 150,
+ name: 'vsock-port',
+ minValue: 0,
+ value: '4050',
+ allowBlank: false,
+ bind: {
+ hidden: '{!tdxEnabled}',
+ disabled: '{!attestationEnabled || !tdxEnabled}',
+ },
+ },
+ ],
});
Ext.define('PVE.qemu.TdxEdit', {
--
2.43.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread* [pve-devel] [PATCH qemu-server 1/1] Add support for TDX quote-generation-socket object
2025-11-17 10:47 [pve-devel] [PATCH manager/qemu-server 0/2] Add support for Intel TDX attestation Anton Iacobaeus
2025-11-17 10:47 ` [pve-devel] [PATCH manager 1/1] Add support for " Anton Iacobaeus
@ 2025-11-17 10:48 ` Anton Iacobaeus
2025-11-17 14:04 ` [pve-devel] applied: " Fiona Ebner
1 sibling, 1 reply; 5+ messages in thread
From: Anton Iacobaeus @ 2025-11-17 10:48 UTC (permalink / raw)
To: pve-devel
Extend the tdx object with the quote-generation-socket as defined in:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
Only vsock is included here since it is the most commonly used with TDX
attestation.
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
src/PVE/QemuServer.pm | 3 +-
src/PVE/QemuServer/CPUConfig.pm | 60 +++++++++++++++++++++++++++++++--
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index ddd30abb..11c7543f 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -3794,7 +3794,8 @@ sub config_to_command {
push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
push @$machineFlags, 'confidential-guest-support=sev0';
} elsif ($conf->{'intel-tdx'}) {
- push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+ my $tdx_object = get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+ push @$devices, '-object', to_json($tdx_object, { canonical => 1 });
push @$machineFlags, 'confidential-guest-support=tdx0';
push @$machineFlags, 'kernel_irqchip=split';
}
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 67b05925..dae6f379 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -5,7 +5,7 @@ use warnings;
use JSON;
-use PVE::JSONSchema;
+use PVE::JSONSchema qw(json_bool);
use PVE::Cluster qw(cfs_register_file cfs_read_file);
use PVE::ProcFSTools;
use PVE::RESTEnvironment qw(log_warn);
@@ -348,6 +348,32 @@ my $tdx_fmt = {
format_description => "tdx-type",
enum => ['tdx'],
},
+ 'attestation' => {
+ description => "Enable TDX attestation by including quote-generation-socket",
+ type => 'boolean',
+ default => 1,
+ },
+ 'socket-type' => {
+ type => 'string',
+ optional => 1,
+ enum => ['vsock'],
+ default => 'vsock',
+ description => "Socket type to communicate with the Quote Generation Service",
+ },
+ 'vsock-cid' => {
+ type => 'integer',
+ minimum => 2,
+ default => 2,
+ optional => 1,
+ description => "CID for vsock of Quote Generation Service",
+ },
+ 'vsock-port' => {
+ type => 'integer',
+ minimum => 0,
+ default => 4050,
+ optional => 1,
+ description => "Port for vsock of Quote Generation Service",
+ },
};
PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
@@ -1088,6 +1114,27 @@ sub get_amd_sev_object {
return $sev_mem_object;
}
+sub get_quote_generation_socket {
+ my ($conf) = @_;
+ my $type = $conf->{'socket-type'}
+ or die "A socket type is required for Quote Generation Socket.\n";
+
+ my $socket = {
+ type => $type,
+ };
+
+ if ($type eq 'vsock') {
+ $socket->{'cid'} = $conf->{'vsock-cid'}
+ or die "Missing cid for vsock.\n";
+ $socket->{'port'} = $conf->{'vsock-port'}
+ or die "Missing port for vsock.\n";
+ } else {
+ die "Unsupported socket type for TDX Quote Generation Socket.\n";
+ }
+
+ return $socket;
+}
+
sub get_intel_tdx_object {
my ($intel_tdx, $bios) = @_;
my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
@@ -1099,7 +1146,16 @@ sub get_intel_tdx_object {
if (!$bios || $bios ne 'ovmf') {
die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
}
- return 'tdx-guest,id=tdx0';
+
+ my $tdx_object = {
+ 'qom-type' => 'tdx-guest',
+ id => 'tdx0',
+ };
+
+ $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
+ if $intel_tdx_conf->{'attestation'};
+
+ return $tdx_object;
}
__PACKAGE__->register();
--
2.43.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread