From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 776741FF16F for ; Tue, 16 Sep 2025 11:14:14 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 44C0AE863; Tue, 16 Sep 2025 11:13:16 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1758009453; x=1758614253; d=canarybit.eu; s=rsa1; h=content-transfer-encoding:mime-version:references:in-reply-to:message-id:date: subject:cc:to:from:from; bh=MEKAbOGTMgCXFk5Mm+v+1wG03IdGN1VJY8ysjBiC7Vg=; b=lys2+zwfPosRnhfXAuM6wWacSk2tpjR/d2NwI2dLjeIZgCH7BoHCczJ+224iWgbYOYn5eJ+FXrnhX 5dQt3zXmT+t+xUpcd800jvpT5Se2ilEkqnRuaw1DQdiFP4aYX6v0ohfj+B95m+xs7Cdqk1bz3fDqfY V7b+bz9/8I44T4XIPNjju0uemzZxpQx9o/62n7n4y6l+cieRKS68yfXjcN+fId2YnNEDBmbd3QmV5V kMuCy3nPy1DAQRyHTmVE3hyB8sZQ5AoyGgU02evjgLCyIBFZF2Z+hPpxPkOB8U8rBlZrC24xO1Q4rV U5Wj5zQMII0O/bqEeFSFQEd/fQyElFQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; t=1758009453; x=1758614253; d=canarybit.eu; s=ed1; h=content-transfer-encoding:mime-version:references:in-reply-to:message-id:date: subject:cc:to:from:from; bh=MEKAbOGTMgCXFk5Mm+v+1wG03IdGN1VJY8ysjBiC7Vg=; b=ndcq4mjIOw/6zl1v/2lU7oWtXsoh8WN7Wj86CuMW4TSXMeS38T2THCPsr3sZWPVcydnHG0v+YfGfp IvUbKbRDw== X-HalOne-ID: cd3c6d05-92d2-11f0-8430-494313b7f784 From: Anton Iacobaeus To: pve-devel@lists.proxmox.com Date: Tue, 16 Sep 2025 09:52:53 +0200 Message-ID: <20250916075406.33084-11-anton.iacobaeus@canarybit.eu> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250916075406.33084-2-anton.iacobaeus@canarybit.eu> References: <20250916075406.33084-2-anton.iacobaeus@canarybit.eu> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.050 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_MISSING 0.1 Missing DMARC policy PROLO_LEO1 0.1 Meta Catches all Leo drug variations so far RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust SPF_HELO_PASS -0.001 SPF: HELO matches SPF record SPF_NONE 0.001 SPF: sender does not publish an SPF Record X-Mailman-Approved-At: Tue, 16 Sep 2025 11:13:12 +0200 Subject: [pve-devel] [PATCH qemu-server 3/3] Add support for Intel TDX X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Anton Iacobaeus , Philipp Giersfeld Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" From: Philipp Giersfeld This commit adds support for setting up an Intel TDX VM. A Intel TDX VM can be setup similar to AMD SEV but uses a different firmware image. Signed-off-by: Philipp Giersfeld Signed-off-by: Anton Iacobaeus --- src/PVE/QemuMigrate/Helpers.pm | 1 + src/PVE/QemuServer.pm | 21 +++++++++++++++++++-- src/PVE/QemuServer/CPUConfig.pm | 31 +++++++++++++++++++++++++++++++ src/PVE/QemuServer/OVMF.pm | 13 ++++++++++++- 4 files changed, 63 insertions(+), 3 deletions(-) diff --git a/src/PVE/QemuMigrate/Helpers.pm b/src/PVE/QemuMigrate/Helpers.pm index f191565a..466517da 100644 --- a/src/PVE/QemuMigrate/Helpers.pm +++ b/src/PVE/QemuMigrate/Helpers.pm @@ -20,6 +20,7 @@ sub check_non_migratable_resources { my @blockers = (); if ($state) { push @blockers, "amd-sev" if $conf->{"amd-sev"}; + push @blockers, "intel-tdx" if $conf->{"intel-tdx"}; push @blockers, "virtiofs" if PVE::QemuServer::Virtiofs::virtiofs_enabled($conf); } diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm index eb2a8c7e..bb5a0a8e 100644 --- a/src/PVE/QemuServer.pm +++ b/src/PVE/QemuServer.pm @@ -60,8 +60,15 @@ use PVE::QemuServer::Helpers qw(config_aware_timeout get_iscsi_initiator_name min_version kvm_user_version windows_version); use PVE::QemuServer::Cloudinit; use PVE::QemuServer::CGroup; -use PVE::QemuServer::CPUConfig - qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_cvm_type); +use PVE::QemuServer::CPUConfig qw( + print_cpu_device + get_cpu_options + get_cpu_bitness + is_native_arch + get_amd_sev_object + get_intel_tdx_object + get_cvm_type + ); use PVE::QemuServer::Drive qw( is_valid_drivename checked_volume_format @@ -323,6 +330,12 @@ my $confdesc = { format => 'pve-qemu-sev-fmt', type => 'string', }, + 'intel-tdx' => { + description => "Trusted Domain Extension (TDX) features by Intel CPUs", + optional => 1, + format => 'pve-qemu-tdx-fmt', + type => 'string', + }, balloon => { optional => 1, type => 'integer', @@ -3965,6 +3978,10 @@ sub config_to_command { if ($conf->{'amd-sev'}) { push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios}); push @$machineFlags, 'confidential-guest-support=sev0'; + } elsif ($conf->{'intel-tdx'}) { + push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios}); + push @$machineFlags, 'confidential-guest-support=tdx0'; + push @$machineFlags, 'kernel_irqchip=split'; } PVE::QemuServer::Virtiofs::config($conf, $vmid, $devices); diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm index 65a7b565..bd5540e6 100644 --- a/src/PVE/QemuServer/CPUConfig.pm +++ b/src/PVE/QemuServer/CPUConfig.pm @@ -18,6 +18,7 @@ our @EXPORT_OK = qw( get_cpu_bitness is_native_arch get_amd_sev_object + get_intel_tdx_object get_cvm_type ); @@ -282,6 +283,18 @@ my $sev_fmt = { }; PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt); +my $tdx_fmt = { + type => { + description => "Enable TDX", + type => 'string', + default_key => 1, + format_description => "tdx-type", + enum => ['tdx'], + maxLength => 3, + }, +}; +PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt); + PVE::JSONSchema::register_format('pve-phys-bits', \&parse_phys_bits); sub parse_phys_bits { @@ -887,6 +900,9 @@ sub get_cvm_type { if ($conf->{'amd-sev'}) { my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'}); return $sev->{type}; + } elsif ($conf->{'intel-tdx'}) { + my $tdx = PVE::JSONSchema::parse_property_string($tdx_fmt, $conf->{'intel-tdx'}); + return $tdx->{type}; } else { return undef; } @@ -945,6 +961,21 @@ sub get_amd_sev_object { return $sev_mem_object; } +sub get_intel_tdx_object { + my ($intel_tdx, $bios) = @_; + my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx); + my $tdx_hw_caps = get_hw_capabilities()->{'intel-tdx'}; + + if (!$tdx_hw_caps->{'tdx-support'}) { + die "Your CPU does not support Intel TDX.\n"; + } + if (!$bios || $bios ne 'ovmf') { + die "To use Intel TDX, you need to change the BIOS to OVMF.\n"; + } + my $tdx_mem_object = 'tdx-guest,id=tdx0'; + return $tdx_mem_object; +} + __PACKAGE__->register(); __PACKAGE__->init(); diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm index df44d3f1..4253914c 100644 --- a/src/PVE/QemuServer/OVMF.pm +++ b/src/PVE/QemuServer/OVMF.pm @@ -34,6 +34,9 @@ my $OVMF = { '4m-snp' => [ "$EDK2_FW_BASE/OVMF_SEV_4M.fd", ], + '4m-tdx' => [ + "$EDK2_FW_BASE/OVMF_TDX_4M.fd", + ], # FIXME: These are legacy 2MB-sized images that modern OVMF doesn't supports to build # anymore. how can we deperacate this sanely without breaking existing instances, or using # older backups and snapshot? @@ -63,6 +66,11 @@ my sub get_ovmf_files($$$$) { return ($ovmf); } elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es')) { $type = "4m-sev"; + } elsif ($cvm_type && $cvm_type eq 'tdx') { + $type = "4m-tdx"; + my ($ovmf) = $types->{$type}->@*; + die "EFI base image '$ovmf' not found\n" if ! -f $ovmf; + return ($ovmf); } elsif (defined($efidisk->{efitype}) && $efidisk->{efitype} eq '4m') { $type = $smm ? "4m" : "4m-no-smm"; $type .= '-ms' if $efidisk->{'pre-enrolled-keys'}; @@ -88,6 +96,9 @@ my sub print_ovmf_drive_commandlines { die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n" if $cvm_type && $cvm_type eq 'snp'; + die "Attempting to configure TDX with pflash devices instead of using `-bios`\n" + if $cvm_type && $cvm_type eq 'tdx'; + my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $cvm_type); my $var_drive_str = "if=pflash,unit=1,id=drive-efidisk0"; @@ -208,7 +219,7 @@ sub print_ovmf_commandline { my $cmd = []; my $machine_flags = []; - if ($cvm_type && $cvm_type eq 'snp') { + if ($cvm_type && ($cvm_type eq 'snp' || $cvm_type eq 'tdx')) { if (defined($conf->{efidisk0})) { log_warn("EFI disks are not supported with Confidential Virtual Machines and will be ignored"); } -- 2.43.0 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel