[pve-devel] [PATCH manager/qemu-server 0/2] Add support for Intel TDX attestation

[pve-devel] [PATCH manager/qemu-server 0/2] Add support for Intel TDX attestation

[Anton Iacobaeus]

This patch series adds support for configuring the Quote Generation Socket
object used for attestation in Intel TDX.

This is effectively v4 of https://lists.proxmox.com/pipermail/pve-devel/2025-October/076262.html
without the already applied patches.

A part from Intel TDX support a running Quote Generation Service (QGS) on the
host (or dedicated VM) connected to a Provisioning Certificate Caching Service
(PCCS) is also required for attestation, more information can be found at:
https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/

Only a subset of the possible socket types are implemented with this patch.
Ideally the SocketAddress object as defined in QEMU would be fully implemented,
but for the sake of TDX this is not neccessary. More information at:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-sockets.SocketAddress

pve-manager:

Anton Iacobaeus (1):
  Add support for TDX attestation

 www/manager6/qemu/TdxEdit.js | 56 +++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

qemu-server:

Anton Iacobaeus (1):
  Add support for TDX quote-generation-socket object

 src/PVE/QemuServer.pm           |  3 +-
 src/PVE/QemuServer/CPUConfig.pm | 60 +++++++++++++++++++++++++++++++--
 2 files changed, 60 insertions(+), 3 deletions(-)

-- 
2.43.0

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager 1/1] Add support for TDX attestation

[Anton Iacobaeus]

Add configuration options for the quote-generation-socket used to communicate
with the Quote Generation Service. This enables attestation support for TDX
using vsock.

More information can be found at:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties

This only includes support for vsock. The SocketAddress object in QEMU also
supports unix, inet and fd, which are not commonly used in TDX.

Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
 www/manager6/qemu/TdxEdit.js | 56 +++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/www/manager6/qemu/TdxEdit.js b/www/manager6/qemu/TdxEdit.js
index 4a7ed0c4..71735e12 100644
--- a/www/manager6/qemu/TdxEdit.js
+++ b/www/manager6/qemu/TdxEdit.js
@@ -7,9 +7,11 @@ Ext.define('PVE.qemu.TdxInputPanel', {
     viewModel: {
         data: {
             type: '__default__',
+            attestation: 1,
         },
         formulas: {
             tdxEnabled: (get) => get('type') === 'tdx',
+            attestationEnabled: (get) => Number(get('attestation')) === 1,
         },
     },
 
@@ -65,7 +67,59 @@ Ext.define('PVE.qemu.TdxInputPanel', {
         },
     ],
 
-    advancedItems: [],
+    advancedItems: [
+        {
+            xtype: 'proxmoxcheckbox',
+            fieldLabel: gettext('Enable Attestation'),
+            labelWidth: 150,
+            name: 'attestation',
+            value: 1,
+            uncheckedValue: 0,
+            bind: {
+                value: '{attestation}',
+                hidden: '{!tdxEnabled}',
+                disabled: '{!tdxEnabled}',
+            },
+        },
+        {
+            xtype: 'proxmoxKVComboBox',
+            fieldLabel: gettext('Socket Type'),
+            labelWidth: 150,
+            name: 'socket-type',
+            value: 'vsock',
+            comboItems: [['vsock', 'VSOCK']],
+            bind: {
+                hidden: '{!tdxEnabled}',
+                disabled: '{!attestationEnabled || !tdxEnabled}',
+            },
+        },
+        {
+            xtype: 'proxmoxintegerfield',
+            fieldLabel: gettext('CID'),
+            labelWidth: 150,
+            name: 'vsock-cid',
+            minValue: 2,
+            value: '2',
+            allowBlank: false,
+            bind: {
+                hidden: '{!tdxEnabled}',
+                disabled: '{!attestationEnabled || !tdxEnabled}',
+            },
+        },
+        {
+            xtype: 'proxmoxintegerfield',
+            fieldLabel: gettext('Port'),
+            labelWidth: 150,
+            name: 'vsock-port',
+            minValue: 0,
+            value: '4050',
+            allowBlank: false,
+            bind: {
+                hidden: '{!tdxEnabled}',
+                disabled: '{!attestationEnabled || !tdxEnabled}',
+            },
+        },
+    ],
 });
 
 Ext.define('PVE.qemu.TdxEdit', {
-- 
2.43.0

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH qemu-server 1/1] Add support for TDX quote-generation-socket object

[Anton Iacobaeus]

Extend the tdx object with the quote-generation-socket as defined in:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties

Only vsock is included here since it is the most commonly used with TDX
attestation.

Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
 src/PVE/QemuServer.pm           |  3 +-
 src/PVE/QemuServer/CPUConfig.pm | 60 +++++++++++++++++++++++++++++++--
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index ddd30abb..11c7543f 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -3794,7 +3794,8 @@ sub config_to_command {
         push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
         push @$machineFlags, 'confidential-guest-support=sev0';
     } elsif ($conf->{'intel-tdx'}) {
-        push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+        my $tdx_object = get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+        push @$devices, '-object', to_json($tdx_object, { canonical => 1 });
         push @$machineFlags, 'confidential-guest-support=tdx0';
         push @$machineFlags, 'kernel_irqchip=split';
     }
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 67b05925..dae6f379 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -5,7 +5,7 @@ use warnings;
 
 use JSON;
 
-use PVE::JSONSchema;
+use PVE::JSONSchema qw(json_bool);
 use PVE::Cluster qw(cfs_register_file cfs_read_file);
 use PVE::ProcFSTools;
 use PVE::RESTEnvironment qw(log_warn);
@@ -348,6 +348,32 @@ my $tdx_fmt = {
         format_description => "tdx-type",
         enum => ['tdx'],
     },
+    'attestation' => {
+        description => "Enable TDX attestation by including quote-generation-socket",
+        type => 'boolean',
+        default => 1,
+    },
+    'socket-type' => {
+        type => 'string',
+        optional => 1,
+        enum => ['vsock'],
+        default => 'vsock',
+        description => "Socket type to communicate with the Quote Generation Service",
+    },
+    'vsock-cid' => {
+        type => 'integer',
+        minimum => 2,
+        default => 2,
+        optional => 1,
+        description => "CID for vsock of Quote Generation Service",
+    },
+    'vsock-port' => {
+        type => 'integer',
+        minimum => 0,
+        default => 4050,
+        optional => 1,
+        description => "Port for vsock of Quote Generation Service",
+    },
 };
 PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
 
@@ -1088,6 +1114,27 @@ sub get_amd_sev_object {
     return $sev_mem_object;
 }
 
+sub get_quote_generation_socket {
+    my ($conf) = @_;
+    my $type = $conf->{'socket-type'}
+        or die "A socket type is required for Quote Generation Socket.\n";
+
+    my $socket = {
+        type => $type,
+    };
+
+    if ($type eq 'vsock') {
+        $socket->{'cid'} = $conf->{'vsock-cid'}
+            or die "Missing cid for vsock.\n";
+        $socket->{'port'} = $conf->{'vsock-port'}
+            or die "Missing port for vsock.\n";
+    } else {
+        die "Unsupported socket type for TDX Quote Generation Socket.\n";
+    }
+
+    return $socket;
+}
+
 sub get_intel_tdx_object {
     my ($intel_tdx, $bios) = @_;
     my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
@@ -1099,7 +1146,16 @@ sub get_intel_tdx_object {
     if (!$bios || $bios ne 'ovmf') {
         die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
     }
-    return 'tdx-guest,id=tdx0';
+
+    my $tdx_object = {
+        'qom-type' => 'tdx-guest',
+        id => 'tdx0',
+    };
+
+    $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
+        if $intel_tdx_conf->{'attestation'};
+
+    return $tdx_object;
 }
 
 __PACKAGE__->register();
-- 
2.43.0

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH qemu-server 1/1] Add support for TDX quote-generation-socket object

[Fiona Ebner]

On Mon, 17 Nov 2025 11:48:00 +0100, Anton Iacobaeus wrote:
> Extend the tdx object with the quote-generation-socket as defined in:
> https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
> 
> Only vsock is included here since it is the most commonly used with TDX
> attestation.

Applied, thanks! I made some slight changes, most importantly not
exposing the socket type yet. Can still be added later with a default
for 'vsock' should we ever need it. Also changed the checks for 'cid'
and 'port' to be for definedness rather than boolean. And added
explicit coercion to strings in the object passed for JSON, since it's
like that in the QMP schema.

[1/1] Add support for TDX quote-generation-socket object
      commit: bd0347878e824e249b1e919fe2fe2348e58d9316


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH manager 1/1] Add support for TDX attestation

[Fiona Ebner]

On Mon, 17 Nov 2025 11:47:59 +0100, Anton Iacobaeus wrote:
> Add configuration options for the quote-generation-socket used to communicate
> with the Quote Generation Service. This enables attestation support for TDX
> using vsock.
> 
> More information can be found at:
> https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties

Applied now too, thanks! Also dropped the socket type from here to
stay compatible.

[1/1] Add support for TDX attestation
      commit: 3d8ce67dbba998b5540e6c4a83eee80485341080


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel