From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 7728D1FF17A for ; Tue, 28 Oct 2025 13:56:15 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D96401AEE0; Tue, 28 Oct 2025 13:56:12 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1761656133; x=1762260933; d=canarybit.eu; s=rsa1; h=content-transfer-encoding:mime-version:references:in-reply-to:message-id:date: subject:cc:to:from:from; bh=jAaOJr0QeK9GwTrxIop4WST6EXN0qEy+19XeSJVEltg=; b=DQGHBrwIE0mp507ylV9gB1uXcTRPtf5ApUF63xcEiELfa8OpzYTAacmqIajXrXp6mVdnm3MMraHQe fnMdPKxr6WIYLIlfGuJdrrfN1tnBzO/ellbpEyG04W8YPg74UlcqLwGd74FHynbKZTub3W6x+wDWa5 RtexqeCHr/OMWK0MNBxMamY4KMgpful8KJJLw5Ikvg+B0+ApHPo8H3qDH/l+xQ9Ll3seRuwS9Sf9Sf CACTAvgNsxoXU3mYBH+YX9kldAAQnvUO8N003PVHNPQ0qbNcL+pReA2XunNEnZSNvQgd2XA8QtQhDC CsPOP5GEm2O+bobUYsPiC7mQfq4JJoA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; t=1761656133; x=1762260933; d=canarybit.eu; s=ed1; h=content-transfer-encoding:mime-version:references:in-reply-to:message-id:date: subject:cc:to:from:from; bh=jAaOJr0QeK9GwTrxIop4WST6EXN0qEy+19XeSJVEltg=; b=fBuDZ6WqVM9ZzSshffUlZqAhqK8IKEWu+UuNweYA+oM2Bv9Plx7WvOd13juEYFsJIo3F/Nl/hP4Aq OyIsOnCAw== X-HalOne-ID: 6293e5ce-b3fd-11f0-ada8-d510462faafc From: Anton Iacobaeus To: pve-devel@lists.proxmox.com Date: Tue, 28 Oct 2025 13:54:31 +0100 Message-ID: <20251028125459.287308-10-anton.iacobaeus@canarybit.eu> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu> References: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.520 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_MISSING 0.1 Missing DMARC policy MIME_BASE64_TEXT 1.741 Message text disguised using base64 encoding RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust SPF_HELO_PASS -0.001 SPF: HELO matches SPF record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Extend the tdx object with the quote-generation-socket as defined in: https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties Only vsock and unix sockets are included here since they are the most commonly used socket types with TDX attestation. Signed-off-by: Anton Iacobaeus --- src/PVE/QemuServer.pm | 3 +- src/PVE/QemuServer/CPUConfig.pm | 87 ++++++++++++++++++++++++++++++++- 2 files changed, 87 insertions(+), 3 deletions(-) diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm index 98180506..77aa612a 100644 --- a/src/PVE/QemuServer.pm +++ b/src/PVE/QemuServer.pm @@ -3770,7 +3770,8 @@ sub config_to_command { push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios}); push @$machineFlags, 'confidential-guest-support=sev0'; } elsif ($conf->{'intel-tdx'}) { - push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios}); + my $tdx_object = get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios}); + push @$devices, '-object', to_json($tdx_object, { canonical => 1 }); push @$machineFlags, 'confidential-guest-support=tdx0'; push @$machineFlags, 'kernel_irqchip=split'; } diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm index 415d1a9f..a847085c 100644 --- a/src/PVE/QemuServer/CPUConfig.pm +++ b/src/PVE/QemuServer/CPUConfig.pm @@ -5,7 +5,7 @@ use warnings; use JSON; -use PVE::JSONSchema; +use PVE::JSONSchema qw(json_bool); use PVE::Cluster qw(cfs_register_file cfs_read_file); use PVE::Tools qw(run_command get_host_arch); use PVE::QemuServer::Helpers qw(min_version); @@ -291,6 +291,50 @@ my $tdx_fmt = { format_description => "tdx-type", enum => ['tdx'], }, + 'attestation' => { + description => "Enable TDX attestation by including quote-generation-socket", + type => 'boolean', + default => 1, + }, + 'socket-type' => { + type => 'string', + optional => 1, + enum => ['unix', 'vsock'], + default => 'vsock', + description => "Socket type to communicate with the Quote Generation Service", + }, + 'vsock-cid' => { + type => 'integer', + minimum => 2, + default => 2, + optional => 1, + description => "CID for vsock of Quote Generation Service", + }, + 'vsock-port' => { + type => 'integer', + minimum => 0, + default => 4050, + optional => 1, + description => "Port for vsock of Quote Generation Service", + }, + 'unix-path' => { + type => 'string', + optional => 1, + description => "Path to Unix socket", + format_description => "unix-path", + }, + 'unix-abstract' => { + description => "Use Linux abstract socket address", + type => 'boolean', + default => 0, + optional => 1, + }, + 'unix-tight' => { + description => "Pads the abstract socket address.", + type => 'boolean', + default => 1, + optional => 1, + }, }; PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt); @@ -960,6 +1004,36 @@ sub get_amd_sev_object { return $sev_mem_object; } +sub get_quote_generation_socket { + my ($conf) = @_; + my $type = $conf->{'socket-type'} + or die "A socket type is required for Quote Generation Socket.\n"; + + my $socket = { + type => $type, + }; + + if ($type eq 'unix') { + my $path = $conf->{'unix-path'} + or die "Missing path for unix socket.\n"; + + $socket->{'path'} = $path; + $socket->{'abstract'} = json_bool($conf->{'unix-abstract'}) + if defined $conf->{'unix-abstract'}; + $socket->{'tight'} = json_bool($conf->{'unix-tight'}) + if defined $conf->{'unix-tight'}; + } elsif ($type eq 'vsock') { + my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' }; + die "Missing cid/port for vsock.\n" unless defined $cid && defined $port; + + @$socket{ 'cid', 'port' } = ($cid, $port); + } else { + die "Unsupported socket type for TDX Quote Generation Socket.\n"; + } + + return $socket; +} + sub get_intel_tdx_object { my ($intel_tdx, $bios) = @_; my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx); @@ -971,7 +1045,16 @@ sub get_intel_tdx_object { if (!$bios || $bios ne 'ovmf') { die "To use Intel TDX, you need to change the BIOS to OVMF.\n"; } - return 'tdx-guest,id=tdx0'; + + my $tdx_object = { + 'qom-type' => 'tdx-guest', + id => 'tdx0', + }; + + $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf) + unless !$intel_tdx_conf->{'attestation'}; + + return $tdx_object; } __PACKAGE__->register(); -- 2.43.0 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel