* [pve-devel] [PATCH edk2-firmware v3 1/3] Change name of SEV-related OVMF files
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 2/3] Add firmware target for TDVF Anton Iacobaeus
` (9 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel; +Cc: Philipp Giersfeld
From: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Change variable names to separate OVMF files from other platforms, such
as Intel TDX.
Add symlinks for backward compatibility with qemu-server.
Signed-off-by: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
debian/pve-edk2-firmware-ovmf.install | 6 ++--
debian/pve-edk2-firmware-ovmf.links | 3 ++
debian/rules | 40 ++++++++++++++-------------
3 files changed, 27 insertions(+), 22 deletions(-)
create mode 100644 debian/pve-edk2-firmware-ovmf.links
diff --git a/debian/pve-edk2-firmware-ovmf.install b/debian/pve-edk2-firmware-ovmf.install
index a51846e..981ac27 100644
--- a/debian/pve-edk2-firmware-ovmf.install
+++ b/debian/pve-edk2-firmware-ovmf.install
@@ -1,8 +1,8 @@
debian/ovmf-install/OVMF_CODE*.fd /usr/share/pve-edk2-firmware
debian/ovmf-install/OVMF_VARS*.fd /usr/share/pve-edk2-firmware
-debian/ovmf-cvm-install/OVMF_CVM_CODE*.fd /usr/share/pve-edk2-firmware
-debian/ovmf-cvm-install/OVMF_CVM_VARS*.fd /usr/share/pve-edk2-firmware
-debian/ovmf-cvm-install/OVMF_CVM_4M.fd /usr/share/pve-edk2-firmware
+debian/ovmf-sev-install/OVMF_SEV_CODE*.fd /usr/share/pve-edk2-firmware
+debian/ovmf-sev-install/OVMF_SEV_VARS*.fd /usr/share/pve-edk2-firmware
+debian/ovmf-sev-install/OVMF_SEV_4M.fd /usr/share/pve-edk2-firmware
debian/ovmf32-install/OVMF32_CODE*.fd /usr/share/pve-edk2-firmware
debian/ovmf32-install/OVMF32_VARS*.fd /usr/share/pve-edk2-firmware
debian/PkKek-1-snakeoil.* /usr/share/pve-edk2-firmware
diff --git a/debian/pve-edk2-firmware-ovmf.links b/debian/pve-edk2-firmware-ovmf.links
new file mode 100644
index 0000000..3ffca93
--- /dev/null
+++ b/debian/pve-edk2-firmware-ovmf.links
@@ -0,0 +1,3 @@
+usr/share/pve-edk2-firmware/OVMF_SEV_CODE_4M.fd usr/share/pve-edk2-firmware/OVMF_CVM_CODE_4M.fd
+usr/share/pve-edk2-firmware/OVMF_SEV_VARS_4M.fd usr/share/pve-edk2-firmware/OVMF_CVM_VARS_4M.fd
+usr/share/pve-edk2-firmware/OVMF_SEV_4M.fd usr/share/pve-edk2-firmware/OVMF_CVM_4M.fd
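Review bot: the compatibility symlinks only protect an older qemu-server that still opens OVMF_CVM_*; the other direction is not covered. qemu-server 1/4 of this series switches its $OVMF table to the OVMF_SEV_* names, so that package needs a versioned Depends on the pve-edk2-firmware that ships them (its diffstat has no debian/control change), or a VM start on a partially upgraded host dies with "EFI base image ... not found". The removal plan from the debian/rules comment ("Can be removed by next major pve version (PVE 10)") should also be recorded in debian/changelog, which is what people read when the links disappear.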
diff --git a/debian/rules b/debian/rules
index 494f162..dd3bf39 100755
--- a/debian/rules
+++ b/debian/rules
@@ -37,7 +37,7 @@ OVMF_4M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB
OVMF_4M_SMM_FLAGS = $(OVMF_4M_FLAGS) -DSMM_REQUIRE=TRUE
OVMF32_4M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB
OVMF32_4M_SMM_FLAGS = $(OVMF32_4M_FLAGS) -DSMM_REQUIRE=TRUE
-OVMF_CVM_4M_FLAGS = $(OVMF_4M_FLAGS)
+OVMF_SEV_4M_FLAGS = $(OVMF_4M_FLAGS)
AAVMF_FLAGS = $(COMMON_FLAGS)
AAVMF_FLAGS += -DTPM2_ENABLE=TRUE
@@ -57,7 +57,7 @@ undefine CONF_PATH
%:
dh $@
-override_dh_auto_build: build-qemu-efi-aarch64 build-ovmf build-ovmf32 build-ovmf-cvm build-qemu-efi-riscv64
+override_dh_auto_build: build-qemu-efi-aarch64 build-ovmf build-ovmf32 build-ovmf-sev build-qemu-efi-riscv64
debian/setup-build-stamp:
cp -a debian/Logo.bmp MdeModulePkg/Logo/Logo.bmp
@@ -80,11 +80,13 @@ OVMF32_SHELL = $(OVMF32_BUILD_DIR)/IA32/Shell.efi
OVMF32_BINARIES = $(OVMF32_SHELL)
OVMF32_IMAGES := $(addprefix $(OVMF32_INSTALL_DIR)/,OVMF32_CODE_4M.secboot.fd OVMF32_VARS_4M.fd)
-OVMF_CVM_INSTALL_DIR = debian/ovmf-cvm-install
-OVMF_CVM_BUILD_DIR = Build/OvmfX64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
-OVMF_CVM_SHELL = $(OVMF_CVM_BUILD_DIR)/X64/Shell.efi
-OVMF_CVM_BINARIES = $(OVMF_CVM_SHELL)
-OVMF_CVM_IMAGES := $(addprefix $(OVMF_CVM_INSTALL_DIR)/,OVMF_CVM_CODE_4M.fd OVMF_CVM_VARS_4M.fd)
+OVMF_SEV_INSTALL_DIR = debian/ovmf-sev-install
+OVMF_SEV_BUILD_DIR = Build/OvmfX64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+OVMF_SEV_SHELL = $(OVMF_SEV_BUILD_DIR)/X64/Shell.efi
+OVMF_SEV_BINARIES = $(OVMF_SEV_SHELL)
+OVMF_SEV_IMAGES := $(addprefix $(OVMF_SEV_INSTALL_DIR)/,OVMF_SEV_CODE_4M.fd OVMF_SEV_VARS_4M.fd OVMF_SEV_4M.fd)
+# Note: OVMF_CVM_* are also available via symlinks. Can be removed by next major pve version (PVE 10).
+# See pve-edk2-firmware-ovmf.links
QEMU_EFI_BUILD_DIR = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
AAVMF_BUILD_DIR = Build/ArmVirtQemu-AARCH64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
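Review bot: adding OVMF_SEV_4M.fd to OVMF_SEV_IMAGES is a functional change hiding in a rename: the old OVMF_CVM_IMAGES list omitted OVMF_CVM_4M.fd although the recipe copied it and the .install file shipped it, so make never tracked the SNP image as a target. The fix is right, but give it a line in the commit message so `git blame` explains why a "change name" commit changed the target list.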
@@ -113,22 +115,22 @@ $(OVMF32_BINARIES) $(OVMF32_IMAGES): debian/setup-build-stamp
cp $(OVMF32_BUILD_DIR)/FV/OVMF_VARS.fd \
$(OVMF32_INSTALL_DIR)/OVMF32_VARS_4M.fd
-build-ovmf-cvm: $(OVMF_CVM_BINARIES) $(OVMF_CVM_IMAGES)
-$(OVMF_CVM_BINARIES) $(OVMF_CVM_IMAGES): debian/setup-build-stamp
- rm -rf $(OVMF_CVM_INSTALL_DIR)
- mkdir $(OVMF_CVM_INSTALL_DIR)
+build-ovmf-sev: $(OVMF_SEV_BINARIES) $(OVMF_SEV_IMAGES)
+$(OVMF_SEV_BINARIES) $(OVMF_SEV_IMAGES): debian/setup-build-stamp
+ rm -rf $(OVMF_SEV_INSTALL_DIR)
+ mkdir $(OVMF_SEV_INSTALL_DIR)
set -e; . ./edksetup.sh; \
build -a X64 \
-t $(EDK2_TOOLCHAIN) \
-p OvmfPkg/OvmfPkgX64.dsc \
- $(OVMF_CVM_4M_FLAGS) -b $(BUILD_TYPE)
+ $(OVMF_SEV_4M_FLAGS) -b $(BUILD_TYPE)
#-b $(BUILD_TYPE)
- cp $(OVMF_CVM_BUILD_DIR)/FV/OVMF_CODE.fd \
- $(OVMF_CVM_INSTALL_DIR)/OVMF_CVM_CODE_4M.fd
- cp $(OVMF_CVM_BUILD_DIR)/FV/OVMF_VARS.fd \
- $(OVMF_CVM_INSTALL_DIR)/OVMF_CVM_VARS_4M.fd
- cp $(OVMF_CVM_BUILD_DIR)/FV/OVMF.fd \
- $(OVMF_CVM_INSTALL_DIR)/OVMF_CVM_4M.fd
+ cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF_CODE.fd \
+ $(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_CODE_4M.fd
+ cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF_VARS.fd \
+ $(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_VARS_4M.fd
+ cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF.fd \
+ $(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_4M.fd
build-ovmf: $(OVMF_BINARIES) $(OVMF_IMAGES) $(OVMF_PREENROLLED_VARS)
$(OVMF_BINARIES) $(OVMF_IMAGES): debian/setup-build-stamp
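Review bot: OVMF_SEV_BUILD_DIR is Build/OvmfX64/..., the default output tree of OvmfPkg/OvmfPkgX64.dsc, which the regular build-ovmf target builds into as well; both are prerequisites of override_dh_auto_build with no ordering between them, so under a parallel build (dpkg-buildpackage -j exports MAKEFLAGS to debian/rules) two edk2 `build` runs can write FV/OVMF_CODE.fd into the same directory and the `cp` lines copy whichever finished last. Either order the targets (build-ovmf-sev: build-ovmf, or one stamp per build) or give the SEV variant its own output directory. While the recipe is being rewritten anyway, the stray `#-b $(BUILD_TYPE)` comment line after the build command should go.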
@@ -274,4 +276,4 @@ get-orig-source:
edk2-$(DEB_VERSION_UPSTREAM)
rm -rf edk2.tmp edk2-$(DEB_VERSION_UPSTREAM)
-.PHONY: build-ovmf build-ovmf32 build-ovmf-cvm build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64
+.PHONY: build-ovmf build-ovmf32 build-ovmf-sev build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64
--
2.43.0
* [pve-devel] [PATCH edk2-firmware v3 2/3] Add firmware target for TDVF
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 1/3] Change name of SEV-related OVMF files Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 3/3] Add SCSI in NCCFV for TD guest Anton Iacobaeus
` (8 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel; +Cc: Philipp Giersfeld
From: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
TDVF enables UEFI support for TDX virtual machines. Add a build target
to build TDVF in Config-B (https://github.com/tianocore/edk2/tree/master/OvmfPkg/IntelTdx#configurations-and-features).
Config-B better conforms to the Intel TDX threat model and is preferred
over Config-A.
Signed-off-by: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
debian/pve-edk2-firmware-ovmf.install | 1 +
debian/rules | 23 +++++++++++++++++++++--
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/debian/pve-edk2-firmware-ovmf.install b/debian/pve-edk2-firmware-ovmf.install
index 981ac27..2218656 100644
--- a/debian/pve-edk2-firmware-ovmf.install
+++ b/debian/pve-edk2-firmware-ovmf.install
@@ -3,6 +3,7 @@ debian/ovmf-install/OVMF_VARS*.fd /usr/share/pve-edk2-firmware
debian/ovmf-sev-install/OVMF_SEV_CODE*.fd /usr/share/pve-edk2-firmware
debian/ovmf-sev-install/OVMF_SEV_VARS*.fd /usr/share/pve-edk2-firmware
debian/ovmf-sev-install/OVMF_SEV_4M.fd /usr/share/pve-edk2-firmware
+debian/ovmf-tdx-install/OVMF_TDX_4M.fd /usr/share/pve-edk2-firmware
debian/ovmf32-install/OVMF32_CODE*.fd /usr/share/pve-edk2-firmware
debian/ovmf32-install/OVMF32_VARS*.fd /usr/share/pve-edk2-firmware
debian/PkKek-1-snakeoil.* /usr/share/pve-edk2-firmware
diff --git a/debian/rules b/debian/rules
index dd3bf39..5850370 100755
--- a/debian/rules
+++ b/debian/rules
@@ -38,6 +38,7 @@ OVMF_4M_SMM_FLAGS = $(OVMF_4M_FLAGS) -DSMM_REQUIRE=TRUE
OVMF32_4M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB
OVMF32_4M_SMM_FLAGS = $(OVMF32_4M_FLAGS) -DSMM_REQUIRE=TRUE
OVMF_SEV_4M_FLAGS = $(OVMF_4M_FLAGS)
+OVMF_TDX_4M_FLAGS = $(OVMF_4M_FLAGS)
AAVMF_FLAGS = $(COMMON_FLAGS)
AAVMF_FLAGS += -DTPM2_ENABLE=TRUE
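Review bot: OVMF_TDX_4M_FLAGS reuses OVMF_4M_FLAGS, i.e. the -D set assembled for OvmfPkgX64.dsc, but OvmfPkg/IntelTdx/IntelTdxX64.dsc has its own DEFINE list and edk2's `build` silently accepts -D macros a platform never reads. Check which of the OVMF_COMMON_FLAGS IntelTdxX64.dsc actually honours and keep the TDX list explicit; the firmware's contents end up in MRTD, so the set of features compiled into OVMF_TDX_4M.fd should be deliberate rather than inherited.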
@@ -57,7 +58,7 @@ undefine CONF_PATH
%:
dh $@
-override_dh_auto_build: build-qemu-efi-aarch64 build-ovmf build-ovmf32 build-ovmf-sev build-qemu-efi-riscv64
+override_dh_auto_build: build-qemu-efi-aarch64 build-ovmf build-ovmf32 build-ovmf-sev build-ovmf-tdx build-qemu-efi-riscv64
debian/setup-build-stamp:
cp -a debian/Logo.bmp MdeModulePkg/Logo/Logo.bmp
@@ -88,6 +89,12 @@ OVMF_SEV_IMAGES := $(addprefix $(OVMF_SEV_INSTALL_DIR)/,OVMF_SEV_CODE_4M.fd OVM
# Note: OVMF_CVM_* are also available via symlinks. Can be removed by next major pve version (PVE 10).
# See pve-edk2-firmware-ovmf.links
+OVMF_TDX_INSTALL_DIR = debian/ovmf-tdx-install
+OVMF_TDX_BUILD_DIR = Build/IntelTdx/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+OVMF_TDX_SHELL = $(OVMF_TDX_BUILD_DIR)/X64/Shell.efi
+OVMF_TDX_BINARIES = $(OVMF_TDX_SHELL)
+OVMF_TDX_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.fd)
+
QEMU_EFI_BUILD_DIR = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
AAVMF_BUILD_DIR = Build/ArmVirtQemu-AARCH64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
AAVMF_ENROLL = $(AAVMF_BUILD_DIR)/AARCH64/EnrollDefaultKeys.efi
@@ -132,6 +139,18 @@ $(OVMF_SEV_BINARIES) $(OVMF_SEV_IMAGES): debian/setup-build-stamp
cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF.fd \
$(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_4M.fd
+build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES)
+$(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES): debian/setup-build-stamp
+ rm -rf $(OVMF_TDX_INSTALL_DIR)
+ mkdir $(OVMF_TDX_INSTALL_DIR)
+ set -e; . ./edksetup.sh; \
+ build -a X64 \
+ -t $(EDK2_TOOLCHAIN) \
+ -p OvmfPkg/IntelTdx/IntelTdxX64.dsc \
+ $(OVMF_TDX_4M_FLAGS) -b $(BUILD_TYPE)
+ cp $(OVMF_TDX_BUILD_DIR)/FV/OVMF.fd \
+ $(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd
+
build-ovmf: $(OVMF_BINARIES) $(OVMF_IMAGES) $(OVMF_PREENROLLED_VARS)
$(OVMF_BINARIES) $(OVMF_IMAGES): debian/setup-build-stamp
rm -rf $(OVMF_INSTALL_DIR)
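Review bot: `$(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES): debian/setup-build-stamp` is an ordinary multi-target rule, so make treats it as one rule per target sharing the recipe and, under -j, may run `rm -rf $(OVMF_TDX_INSTALL_DIR)` / edksetup / `build` twice concurrently (the SEV recipe above has the same shape). A grouped target (`&:` with GNU make 4.3+) or a single stamp file that the image targets depend on makes the recipe run exactly once.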
@@ -276,4 +295,4 @@ get-orig-source:
edk2-$(DEB_VERSION_UPSTREAM)
rm -rf edk2.tmp edk2-$(DEB_VERSION_UPSTREAM)
-.PHONY: build-ovmf build-ovmf32 build-ovmf-sev build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64
+.PHONY: build-ovmf build-ovmf32 build-ovmf-sev build-ovmf-tdx build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64
--
2.43.0
* [pve-devel] [PATCH edk2-firmware v3 3/3] Add SCSI in NCCFV for TD guest
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 1/3] Change name of SEV-related OVMF files Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 2/3] Add firmware target for TDVF Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH manager v3 1/2] Add support for Intel TDX Anton Iacobaeus
` (7 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel; +Cc: Philipp Giersfeld
From: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
The FV in `IntelTdx/IntelTdxX64.fdf` was split into two FVs, one for a
TD guest and one for a non-CC guest. The SCSI driver was moved to the
non-CC NCCFV. In order for PVE to use an image with SCSI, include the
SCSI driver in the FV for the TD guest.
Signed-off-by: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
.../patches/Enable_SCSI_IntelTdx_DXEFV.patch | 52 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 53 insertions(+)
create mode 100644 debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch
diff --git a/debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch b/debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch
new file mode 100644
index 0000000..5f9c40d
--- /dev/null
+++ b/debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch
@@ -0,0 +1,52 @@
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+index c05761ab..02807c37 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+@@ -204,6 +204,16 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
+ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
++INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
++!if $(PVSCSI_ENABLE) == TRUE
++INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
++!endif
++!if $(MPT_SCSI_ENABLE) == TRUE
++INF OvmfPkg/MptScsiDxe/MptScsiDxe.inf
++!endif
++!if $(LSI_SCSI_ENABLE) == TRUE
++INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf
++!endif
+
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+@@ -223,6 +233,8 @@ INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
+ INF MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+ INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+ INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
++INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
++INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ INF MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+ INF MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+ INF MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+@@ -290,21 +302,9 @@ READ_LOCK_STATUS = TRUE
+ # DXE Phase modules
+ #
+ INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+-INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-!if $(PVSCSI_ENABLE) == TRUE
+-INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+-!endif
+-!if $(MPT_SCSI_ENABLE) == TRUE
+-INF OvmfPkg/MptScsiDxe/MptScsiDxe.inf
+-!endif
+-!if $(LSI_SCSI_ENABLE) == TRUE
+-INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf
+-!endif
+ INF MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
+ INF MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+ INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+-INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+-INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ INF MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KeyboardDxe.inf
+ INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
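Review bot: the SCSI drivers were moved into the NCCFV upstream precisely so a TD guest does not carry them; moving VirtioScsiDxe, PvScsiDxe, MptScsiDxe, LsiScsiDxe, ScsiBusDxe and ScsiDiskDxe back into the TD FV puts six drivers that parse host-controlled device state into the measured TCB. The commit message only says PVE needs "SCSI"; say which controllers PVE actually offers for a TD guest (its scsihw options include lsi and pvscsi besides virtio-scsi) and whether the three non-virtio ones must really be in the TD FV, or restrict the move to VirtioScsiDxe plus ScsiBusDxe/ScsiDiskDxe. Also state that the resulting OVMF_TDX_4M.fd has a different MRTD than an upstream Config-B build, so attesters need reference values from this package, not from upstream. Style: the quilt patch has no DEP-3 header (Description, Author, Forwarded), unlike a git format-patch export; add one so the reasoning survives in debian/patches.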
diff --git a/debian/patches/series b/debian/patches/series
index f9e3582..c0155a2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
Revert-UefiCpuPkg-Produce-EFI-memory-attributes-prot.patch
UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
+Enable_SCSI_IntelTdx_DXEFV.patch
--
2.43.0
* [pve-devel] [PATCH manager v3 1/2] Add support for Intel TDX
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
` (2 preceding siblings ...)
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 3/3] Add SCSI in NCCFV for TD guest Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-11-14 10:06 ` [pve-devel] applied: " Fiona Ebner
2025-10-28 12:54 ` [pve-devel] [PATCH manager v3 2/2] Add support for TDX attestation Anton Iacobaeus
` (6 subsequent siblings)
10 siblings, 1 reply; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel; +Cc: Philipp Giersfeld
From: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
This commit adds support to enable Intel TDX for a VM, similar to AMD
SEV.
Signed-off-by: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
www/manager6/Makefile | 1 +
www/manager6/qemu/Options.js | 12 +++++
www/manager6/qemu/TdxEdit.js | 93 ++++++++++++++++++++++++++++++++++++
3 files changed, 106 insertions(+)
create mode 100644 www/manager6/qemu/TdxEdit.js
diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index 85f9268d..af9baa68 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -275,6 +275,7 @@ JSSRC= \
qemu/SevEdit.js \
qemu/Smbios1Edit.js \
qemu/SystemEdit.js \
+ qemu/TdxEdit.js \
qemu/USBEdit.js \
qemu/VirtiofsEdit.js \
sdn/Browser.js \
diff --git a/www/manager6/qemu/Options.js b/www/manager6/qemu/Options.js
index 6fe96fe2..e40fb4a3 100644
--- a/www/manager6/qemu/Options.js
+++ b/www/manager6/qemu/Options.js
@@ -386,6 +386,18 @@ Ext.define('PVE.qemu.Options', {
return value;
},
},
+ 'intel-tdx': {
+ header: gettext('Intel TDX'),
+ editor: caps.vms['VM.Config.HWType'] ? 'PVE.qemu.TdxEdit' : undefined,
+ defaultValue: Proxmox.Utils.defaultText + ' (' + Proxmox.Utils.disabledText + ')',
+ renderer: function (value, metaData, record, ri, ci, store, pending) {
+ let intel_tdx = PVE.Parser.parsePropertyString(value, 'type');
+ if (intel_tdx.type === 'tdx') {
+ return 'Intel (' + value + ')';
+ }
+ return value;
+ },
+ },
hookscript: {
header: gettext('Hookscript'),
},
diff --git a/www/manager6/qemu/TdxEdit.js b/www/manager6/qemu/TdxEdit.js
new file mode 100644
index 00000000..3f43bf7a
--- /dev/null
+++ b/www/manager6/qemu/TdxEdit.js
@@ -0,0 +1,93 @@
+Ext.define('PVE.qemu.TdxInputPanel', {
+ extend: 'Proxmox.panel.InputPanel',
+ xtype: 'pveTdxInputPanel',
+
+ onlineHelp: 'qm_memory', // TODO: change to 'qm_memory_encryption' one available
+
+ viewModel: {
+ data: {
+ type: '__default__',
+ },
+ formulas: {
+ tdxEnabled: (get) => get('type') === 'tdx',
+ },
+ },
+
+ onGetValues: function (values) {
+ if (values.delete === 'type') {
+ values.delete = 'intel-tdx';
+ return values;
+ }
+ let ret = {};
+ ret['intel-tdx'] = PVE.Parser.printPropertyString(values, 'type');
+ return ret;
+ },
+
+ setValues: function (values) {
+ this.callParent(arguments);
+ },
+
+ items: [
+ {
+ xtype: 'proxmoxKVComboBox',
+ fieldLabel: gettext('Intel TDX Type'),
+ labelWidth: 150,
+ name: 'type',
+ value: '__default__',
+ comboItems: [
+ [
+ '__default__',
+ Proxmox.Utils.defaultText + ' (' + Proxmox.Utils.disabledText + ')',
+ ],
+ ['tdx', 'Intel TDX'],
+ ],
+ bind: {
+ value: '{type}',
+ },
+ },
+ {
+ xtype: 'displayfield',
+ userCls: 'pmx-hint',
+ value: gettext('WARNING: When using Intel TDX no EFI disk is loaded as pflash.'),
+ bind: {
+ hidden: '{!tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'displayfield',
+ userCls: 'pmx-hint',
+ value: gettext('Note: Intel TDX requires host kernel version 6.16 or higher.'),
+ bind: {
+ hidden: '{!tdxEnabled}',
+ },
+ },
+ ],
+
+ advancedItems: [],
+});
+
+Ext.define('PVE.qemu.TdxEdit', {
+ extend: 'Proxmox.window.Edit',
+
+ subject: 'Intel Trust Domain Extension (TDX)',
+
+ items: {
+ xtype: 'pveTdxInputPanel',
+ },
+
+ width: 400,
+
+ initComponent: function () {
+ let me = this;
+
+ me.callParent();
+
+ me.load({
+ success: function (response) {
+ let conf = response.result.data;
+ let intel_tdx = conf['intel-tdx'] || '__default__';
+ me.setValues(PVE.Parser.parsePropertyString(intel_tdx, 'type'));
+ },
+ });
+ },
+});
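Review bot: the `setValues` override only calls `this.callParent(arguments)` and so does nothing in this commit (2/2 fills it in); either drop it here or squash. Two smaller points in the same file: the comment on onlineHelp reads "one available" where "once available" is meant, and the hint "requires host kernel version 6.16 or higher" hardcodes a version into translatable UI text that will go stale; the check belongs in qemu-server (2/4 in this series adds one) and the UI can surface its error message instead.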
--
2.43.0
* [pve-devel] [PATCH manager v3 2/2] Add support for TDX attestation
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
` (3 preceding siblings ...)
2025-10-28 12:54 ` [pve-devel] [PATCH manager v3 1/2] Add support for Intel TDX Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 1/4] Adapt AMD SEV code for compatibility with other platforms Anton Iacobaeus
` (5 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel
Add configuration options for the quote-generation-socket used to
communicate with the Quote Generation Service. This enables attestation
support for TDX using vsock or unix sockets.
More information can be found at:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
This only includes support for vsock and unix sockets. The SocketAddress
object in QEMU also supports inet and fd, which are not commonly used in
TDX.
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
www/manager6/qemu/TdxEdit.js | 103 ++++++++++++++++++++++++++++++++++-
1 file changed, 102 insertions(+), 1 deletion(-)
diff --git a/www/manager6/qemu/TdxEdit.js b/www/manager6/qemu/TdxEdit.js
index 3f43bf7a..95e086b5 100644
--- a/www/manager6/qemu/TdxEdit.js
+++ b/www/manager6/qemu/TdxEdit.js
@@ -7,9 +7,14 @@ Ext.define('PVE.qemu.TdxInputPanel', {
viewModel: {
data: {
type: '__default__',
+ attestation: 1,
+ socketType: 'vsock',
},
formulas: {
tdxEnabled: (get) => get('type') === 'tdx',
+ attestationEnabled: (get) => Number(get('attestation')) === 1,
+ vsockEnabled: (get) => get('socketType') === 'vsock',
+ unixSocketEnabled: (get) => get('socketType') === 'unix',
},
},
@@ -18,12 +23,17 @@ Ext.define('PVE.qemu.TdxInputPanel', {
values.delete = 'intel-tdx';
return values;
}
+ if (values.tight !== undefined && !values.tight) {
+ values['unix-tight'] = 0;
+ }
+ delete values.tight;
let ret = {};
ret['intel-tdx'] = PVE.Parser.printPropertyString(values, 'type');
return ret;
},
setValues: function (values) {
+ values.tight = PVE.Parser.parseBoolean(values['unix-tight'], 1);
this.callParent(arguments);
},
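Review bot: the `tight` / `unix-tight` indirection exists only so that the checked default (1) is not written into the property string; naming the field `unix-tight` with `uncheckedValue: 0` would delete both special cases at the cost of an explicit `unix-tight=1` in the config. If the indirection is kept, a one-line comment saying why is worth adding, and `parseBoolean(values['unix-tight'], 1)` should be the single place that defines the default so it cannot drift from the backend schema.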
@@ -63,7 +73,98 @@ Ext.define('PVE.qemu.TdxInputPanel', {
},
],
- advancedItems: [],
+ advancedItems: [
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Enable Attestation'),
+ labelWidth: 150,
+ name: 'attestation',
+ value: 1,
+ uncheckedValue: 0,
+ bind: {
+ value: '{attestation}',
+ hidden: '{!tdxEnabled}',
+ disabled: '{!tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ fieldLabel: gettext('Socket Type'),
+ labelWidth: 150,
+ name: 'socket-type',
+ value: 'vsock',
+ comboItems: [
+ ['vsock', 'VSOCK'],
+ ['unix', 'Unix Socket'],
+ ],
+ bind: {
+ value: '{socketType}',
+ hidden: '{!tdxEnabled}',
+ disabled: '{!attestationEnabled || !tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'proxmoxintegerfield',
+ fieldLabel: gettext('CID'),
+ labelWidth: 150,
+ name: 'vsock-cid',
+ minValue: 2,
+ value: '2',
+ allowBlank: false,
+ bind: {
+ hidden: '{!vsockEnabled || !tdxEnabled}',
+ disabled: '{!vsockEnabled || !attestationEnabled || !tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'proxmoxintegerfield',
+ fieldLabel: gettext('Port'),
+ labelWidth: 150,
+ name: 'vsock-port',
+ minValue: 0,
+ value: '4050',
+ allowBlank: false,
+ bind: {
+ hidden: '{!vsockEnabled || !tdxEnabled}',
+ disabled: '{!vsockEnabled || !attestationEnabled || !tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'textfield',
+ fieldLabel: gettext('Socket Path'),
+ labelWidth: 150,
+ name: 'unix-path',
+ value: '/var/run/tdx-qgs/qgs.socket',
+ allowBlank: false,
+ bind: {
+ hidden: '{!unixSocketEnabled || !tdxEnabled}',
+ disabled: '{!unixSocketEnabled || !attestationEnabled || !tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Abstract'),
+ labelWidth: 150,
+ name: 'unix-abstract',
+ value: 0,
+ bind: {
+ hidden: '{!unixSocketEnabled || !tdxEnabled}',
+ disabled: '{!unixSocketEnabled || !attestationEnabled || !tdxEnabled}',
+ },
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Tight'),
+ labelWidth: 150,
+ name: 'tight',
+ value: 1,
+ uncheckedValue: 0,
+ bind: {
+ hidden: '{!unixSocketEnabled || !tdxEnabled}',
+ disabled: '{!unixSocketEnabled || !attestationEnabled || !tdxEnabled}',
+ },
+ },
+ ],
});
Ext.define('PVE.qemu.TdxEdit', {
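Review bot: in QEMU's UnixSocketAddress, `tight` only affects abstract sockets (it confines the address length passed to connect(2) to the abstract name), so the Tight checkbox should be hidden or disabled unless Abstract is checked, and both deserve a tooltip; as written, an administrator is asked to choose a setting whose effect is explained nowhere in the dialog. For the vsock branch, a short note that CID 2 is the host (VMADDR_CID_HOST) and 4050 the QGS default would explain the minValue and defaults. Note also that QEMU only contacts this socket when the guest issues a GetQuote, so a wrong path or CID is not a start-up error: the guest boots and attestation fails later, which argues for defaults that match a stock QGS install.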
--
2.43.0
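As an added example (not code from this patch, from pve-manager or from qemu-server), the following JavaScript round-trips an `intel-tdx` property string using the keys TdxEdit.js writes (type, attestation, socket-type, vsock-cid, vsock-port, unix-path, unix-abstract, unix-tight) and builds the SocketAddress that QEMU's `tdx-guest` object takes in its `quote-generation-socket` property, as documented at the link in the commit message. QEMU's side (vsock `cid`/`port` as strings, unix `path`/`abstract`/`tight`) is QEMU's interface; how qemu-server itself emits the `-object` line is not shown in this thread and the object id `tdx0` is invented here, so treat that mapping as an assumption. It also shows the two edge cases the dialog leaves implicit: attestation switched off means no socket at all, and `tight` only matters for abstract sockets.

```javascript
// Added example, not code from the pve-manager patch or from qemu-server.
// It takes an 'intel-tdx' property string with the keys TdxEdit.js writes
// and builds the SocketAddress QEMU's tdx-guest object expects in its
// quote-generation-socket property.
// ASSUMPTION: how qemu-server emits the -object line is not shown in this
// thread; the object id 'tdx0' is invented here.

// Parse "k=v,k=v"; a bare value goes to defaultKey, as PVE.Parser.parsePropertyString does.
function parsePropertyString(str, defaultKey) {
  const out = {};
  for (const part of str.split(',')) {
    if (part === '') continue;
    const idx = part.indexOf('=');
    if (idx === -1) {
      if (defaultKey === undefined || out[defaultKey] !== undefined) {
        throw new Error(`missing key for value '${part}'`);
      }
      out[defaultKey] = part;
    } else {
      out[part.slice(0, idx)] = part.slice(idx + 1);
    }
  }
  return out;
}

// Same truthy set as PVE.Parser.parseBoolean, with a caller-chosen default.
function parseBoolean(v, defaultValue) {
  if (v === undefined) return defaultValue;
  return ['1', 'on', 'yes', 'true'].includes(String(v).toLowerCase()) ? 1 : 0;
}

// Returns the QAPI SocketAddress for the Quote Generation Service, or null
// when attestation is switched off (then no socket is passed to QEMU at all).
function quoteGenerationSocket(tdx) {
  if (tdx.type !== 'tdx') throw new Error(`not a TDX config: type=${tdx.type}`);
  if (parseBoolean(tdx.attestation, 1) === 0) return null;

  const socketType = tdx['socket-type'] || 'vsock';
  if (socketType === 'vsock') {
    const cid = Number(tdx['vsock-cid'] ?? 2);
    const port = Number(tdx['vsock-port'] ?? 4050);
    // CID 0 is the hypervisor and 1 is loopback; the host-side QGS is CID 2
    // (VMADDR_CID_HOST), hence the dialog's minValue of 2.
    if (!Number.isInteger(cid) || cid < 2) throw new Error(`invalid vsock CID '${tdx['vsock-cid']}'`);
    if (!Number.isInteger(port) || port < 1 || port > 0xffffffff) {
      throw new Error(`invalid vsock port '${tdx['vsock-port']}'`);
    }
    // QAPI's VsockSocketAddress carries cid and port as strings.
    return { type: 'vsock', cid: String(cid), port: String(port) };
  }
  if (socketType === 'unix') {
    const path = tdx['unix-path'] || '/var/run/tdx-qgs/qgs.socket';
    const abstract = parseBoolean(tdx['unix-abstract'], 0) === 1;
    const tight = parseBoolean(tdx['unix-tight'], 1) === 1; // default 1, like setValues()
    const addr = { type: 'unix', path, abstract };
    // 'tight' only changes how an *abstract* address length is computed;
    // leave it out for filesystem sockets so the command line shows only what matters.
    if (abstract) addr.tight = tight;
    return addr;
  }
  throw new Error(`unknown socket-type '${socketType}'`);
}

// Render the JSON form of a -object argument for the tdx-guest QOM type.
function tdxGuestObject(propertyString) {
  const tdx = parsePropertyString(propertyString, 'type');
  const obj = { 'qom-type': 'tdx-guest', id: 'tdx0' };
  const qgs = quoteGenerationSocket(tdx);
  if (qgs !== null) obj['quote-generation-socket'] = qgs;
  return JSON.stringify(obj);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample matching the dialog's vsock defaults.
  console.log(tdxGuestObject('type=tdx,attestation=1,socket-type=vsock,vsock-cid=2,vsock-port=4050'));
}
```

Run with `node tdx-object.js`; the printed string is what would follow `-object` on a QEMU command line. The rejection of CID 0 and 1 mirrors the dialog's `minValue: 2`, and a non-`tdx` type is refused outright so the helper cannot be fed an `amd-sev` string by mistake.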
* [pve-devel] [PATCH qemu-server v3 1/4] Adapt AMD SEV code for compatibility with other platforms
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
` (4 preceding siblings ...)
2025-10-28 12:54 ` [pve-devel] [PATCH manager v3 2/2] Add support for TDX attestation Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 2/4] Add check for TDX support Anton Iacobaeus
` (4 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel; +Cc: Philipp Giersfeld
From: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Change variable and function names that are specific to AMD SEV to
reflect this. Also, change the names of general CC functions and
variables so they can be used in conjunction with other platforms.
Signed-off-by: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
src/PVE/API2/Qemu.pm | 6 ++---
src/PVE/QemuServer.pm | 8 +++---
src/PVE/QemuServer/CPUConfig.pm | 15 +++++------
src/PVE/QemuServer/OVMF.pm | 42 ++++++++++++++++---------------
src/test/cfg2cmd/sev-es.conf.cmd | 2 +-
src/test/cfg2cmd/sev-snp.conf.cmd | 2 +-
src/test/cfg2cmd/sev-std.conf.cmd | 2 +-
7 files changed, 40 insertions(+), 37 deletions(-)
diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
index 71bedc1e..29b4f1b2 100644
--- a/src/PVE/API2/Qemu.pm
+++ b/src/PVE/API2/Qemu.pm
@@ -618,13 +618,13 @@ my sub create_disks : prototype($$$$$$$$$$$) {
if ($ds eq 'efidisk0') {
my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf);
- my $amd_sev_type = PVE::QemuServer::CPUConfig::get_amd_sev_type($conf);
+ my $cvm_type = PVE::QemuServer::CPUConfig::get_cvm_type($conf);
die
"SEV-SNP uses consolidated read-only firmware and does not require an EFI disk\n"
- if $amd_sev_type && $amd_sev_type eq 'snp';
+ if $cvm_type && $cvm_type eq 'snp';
($volid, $size) = PVE::QemuServer::OVMF::create_efidisk(
- $storecfg, $storeid, $vmid, $fmt, $arch, $disk, $smm, $amd_sev_type,
+ $storecfg, $storeid, $vmid, $fmt, $arch, $disk, $smm, $cvm_type,
);
} elsif ($ds eq 'tpmstate0') {
# swtpm can only use raw volumes, and uses a fixed size
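Review bot: `$cvm_type eq 'snp'` stays as a literal here and in three more places in this diff (OVMF.pm's two pflash helpers and print_ovmf_commandline), all meaning "uses a single consolidated firmware image via -bios". TDX falls in the same class (the manager patch's hint says no EFI disk is loaded as pflash), so the TDX patch will have to touch every one of them and the messages will keep saying SEV-SNP. A small predicate in CPUConfig, e.g. `cvm_uses_consolidated_firmware($cvm_type)` (suggested name, not an existing function), would let this prep commit generalise both the checks and the error texts once.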
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index df2476aa..9e2cef3a 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -62,7 +62,7 @@ use PVE::QemuServer::Helpers
use PVE::QemuServer::Cloudinit;
use PVE::QemuServer::CGroup;
use PVE::QemuServer::CPUConfig
- qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_amd_sev_type);
+ qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_cvm_type);
use PVE::QemuServer::Drive qw(
is_valid_drivename
checked_volume_format
@@ -3226,7 +3226,7 @@ sub config_to_command {
if !$forcecpu && get_cpu_bitness($conf->{cpu}, $arch) == 32;
my $hw_info = {
- 'amd-sev-type' => get_amd_sev_type($conf),
+ 'cvm-type' => get_cvm_type($conf),
arch => $arch,
'machine-version' => $machine_version,
q35 => $q35,
@@ -7922,9 +7922,9 @@ sub get_efivars_size {
my $arch = PVE::QemuServer::Helpers::get_vm_arch($conf);
$efidisk //= $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef;
my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf);
- my $amd_sev_type = get_amd_sev_type($conf);
+ my $cvm_type = get_cvm_type($conf);
- return PVE::QemuServer::OVMF::get_efivars_size($arch, $efidisk, $smm, $amd_sev_type);
+ return PVE::QemuServer::OVMF::get_efivars_size($arch, $efidisk, $smm, $cvm_type);
}
sub update_efidisk_size {
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 786a99d8..65a7b565 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -18,7 +18,7 @@ our @EXPORT_OK = qw(
get_cpu_bitness
is_native_arch
get_amd_sev_object
- get_amd_sev_type
+ get_cvm_type
);
# under certain race-conditions, this module might be loaded before pve-cluster
@@ -881,14 +881,15 @@ sub get_hw_capabilities {
return $hw_capabilities;
}
-sub get_amd_sev_type {
+sub get_cvm_type {
my ($conf) = @_;
- return undef if !$conf->{'amd-sev'};
-
- my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'});
-
- return $sev->{type};
+ if ($conf->{'amd-sev'}) {
+ my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'});
+ return $sev->{type};
+ } else {
+ return undef;
+ }
}
sub get_amd_sev_object {
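Review bot: get_cvm_type still looks at `amd-sev` only, and the if/else shape suggests an `elsif ($conf->{'intel-tdx'})` is coming. Once both keys exist in the schema a config can carry both, and this function would silently prefer AMD; add an explicit `die "amd-sev and intel-tdx are mutually exclusive\n"` when both are set (here or in the API's config validation). Style: the replaced early return (`return undef if !$conf->{'amd-sev'};`) is the prevailing idiom in this code base; if the restructuring is groundwork for TDX, say so in the commit message.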
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 08134e30..8b02d089 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -29,10 +29,10 @@ my $OVMF = {
"$EDK2_FW_BASE/OVMF_CODE_4M.secboot.fd", "$EDK2_FW_BASE/OVMF_VARS_4M.ms.fd",
],
'4m-sev' => [
- "$EDK2_FW_BASE/OVMF_CVM_CODE_4M.fd", "$EDK2_FW_BASE/OVMF_CVM_VARS_4M.fd",
+ "$EDK2_FW_BASE/OVMF_SEV_CODE_4M.fd", "$EDK2_FW_BASE/OVMF_SEV_VARS_4M.fd",
],
'4m-snp' => [
- "$EDK2_FW_BASE/OVMF_CVM_4M.fd",
+ "$EDK2_FW_BASE/OVMF_SEV_4M.fd",
],
# FIXME: These are legacy 2MB-sized images that modern OVMF doesn't supports to build
# anymore. how can we deperacate this sanely without breaking existing instances, or using
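Review bot: the $OVMF table now opens OVMF_SEV_CODE_4M.fd / OVMF_SEV_VARS_4M.fd / OVMF_SEV_4M.fd, names introduced by edk2-firmware 1/3 of this series, but the diffstat shows no debian/control change; qemu-server needs a versioned Depends on that pve-edk2-firmware, otherwise an upgraded qemu-server against the older firmware package fails at VM start with "EFI base image ... not found". The reverse case is what the OVMF_CVM_* symlinks in the firmware package cover.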
@@ -49,19 +49,19 @@ my $OVMF = {
};
my sub get_ovmf_files($$$$) {
- my ($arch, $efidisk, $smm, $amd_sev_type) = @_;
+ my ($arch, $efidisk, $smm, $cvm_type) = @_;
my $types = $OVMF->{$arch}
or die "no OVMF images known for architecture '$arch'\n";
my $type = 'default';
if ($arch eq 'x86_64') {
- if ($amd_sev_type && $amd_sev_type eq 'snp') {
+ if ($cvm_type && $cvm_type eq 'snp') {
$type = "4m-snp";
my ($ovmf) = $types->{$type}->@*;
die "EFI base image '$ovmf' not found\n" if !-f $ovmf;
return ($ovmf);
- } elsif ($amd_sev_type) {
+ } elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es')) {
$type = "4m-sev";
} elsif (defined($efidisk->{efitype}) && $efidisk->{efitype} eq '4m') {
$type = $smm ? "4m" : "4m-no-smm";
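Review bot: narrowing `elsif ($amd_sev_type)` to `elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es'))` means any other value of $cvm_type now falls through to the plain OVMF images: a future `tdx` type that reaches this function by mistake would boot a TD guest with non-TDX firmware (or fail late in QEMU) instead of dying here. Add a final `die "unhandled confidential VM type '$cvm_type'\n" if $cvm_type;` before the efitype branches; it costs nothing when the TDX code path avoids this function and catches the case when it does not.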
@@ -81,14 +81,14 @@ my sub get_ovmf_files($$$$) {
my sub print_ovmf_drive_commandlines {
my ($conf, $storecfg, $vmid, $hw_info, $version_guard, $readonly) = @_;
- my ($amd_sev_type, $arch, $q35) = $hw_info->@{qw(amd-sev-type arch q35)};
+ my ($cvm_type, $arch, $q35) = $hw_info->@{qw(cvm-type arch q35)};
my $d = $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef;
die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n"
- if $amd_sev_type && $amd_sev_type eq 'snp';
+ if $cvm_type && $cvm_type eq 'snp';
- my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $amd_sev_type);
+ my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $cvm_type);
my $var_drive_str = "if=pflash,unit=1,id=drive-efidisk0";
if ($d) {
@@ -122,16 +122,16 @@ my sub print_ovmf_drive_commandlines {
}
sub get_efivars_size {
- my ($arch, $efidisk, $smm, $amd_sev_type) = @_;
+ my ($arch, $efidisk, $smm, $cvm_type) = @_;
- my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $amd_sev_type);
+ my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $cvm_type);
return -s $ovmf_vars;
}
sub create_efidisk($$$$$$$$) {
- my ($storecfg, $storeid, $vmid, $fmt, $arch, $efidisk, $smm, $amd_sev_type) = @_;
+ my ($storecfg, $storeid, $vmid, $fmt, $arch, $efidisk, $smm, $cvm_type) = @_;
- my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $amd_sev_type);
+ my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $cvm_type);
my $vars_size_b = -s $ovmf_vars;
my $vars_size = PVE::Tools::convert_size($vars_size_b, 'b' => 'kb');
@@ -147,15 +147,15 @@ sub create_efidisk($$$$$$$$) {
my sub generate_ovmf_blockdev {
my ($conf, $storecfg, $vmid, $hw_info, $readonly) = @_;
- my ($amd_sev_type, $arch, $machine_version, $q35) =
- $hw_info->@{qw(amd-sev-type arch machine-version q35)};
+ my ($cvm_type, $arch, $machine_version, $q35) =
+ $hw_info->@{qw(cvm-type arch machine-version q35)};
my $drive = $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef;
die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n"
- if $amd_sev_type && $amd_sev_type eq 'snp';
+ if $cvm_type && $cvm_type eq 'snp';
- my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $drive, $q35, $amd_sev_type);
+ my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $drive, $q35, $cvm_type);
my $ovmf_code_blockdev = {
driver => 'raw',
@@ -203,16 +203,18 @@ my sub generate_ovmf_blockdev {
sub print_ovmf_commandline {
my ($conf, $storecfg, $vmid, $hw_info, $version_guard, $readonly) = @_;
- my $amd_sev_type = $hw_info->{'amd-sev-type'};
+ my $cvm_type = $hw_info->{'cvm-type'};
my $cmd = [];
my $machine_flags = [];
- if ($amd_sev_type && $amd_sev_type eq 'snp') {
+ if ($cvm_type && $cvm_type eq 'snp') {
if (defined($conf->{efidisk0})) {
- log_warn("EFI disks are not supported with SEV-SNP and will be ignored");
+ log_warn(
+ "EFI disks are not supported with Confidential Virtual Machines and will be ignored"
+ );
}
- push $cmd->@*, '-bios', get_ovmf_files($hw_info->{arch}, undef, undef, $amd_sev_type);
+ push $cmd->@*, '-bios', get_ovmf_files($hw_info->{arch}, undef, undef, $cvm_type);
} else {
if ($version_guard->(10, 0, 0)) { # for the switch to -blockdev
my ($code_blockdev, $vars_blockdev, $throttle_group) =
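Review bot: the new `log_warn` text says EFI disks are not supported with Confidential Virtual Machines, but the enclosing `if` still fires only for `$cvm_type eq 'snp'`, and the `4m-sev` path for `std`/`es` guests does use an EFI disk (see the pflash block devices in `sev-es.conf.cmd` and `sev-std.conf.cmd` below). Either keep the message specific (`with SEV-SNP`) or interpolate the type, e.g. `"EFI disks are not supported with CVM type '$cvm_type' and will be ignored"`, so SEV and SEV-ES users are not misled.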
diff --git a/src/test/cfg2cmd/sev-es.conf.cmd b/src/test/cfg2cmd/sev-es.conf.cmd
index 3cc2dbc6..f61a72c6 100644
--- a/src/test/cfg2cmd/sev-es.conf.cmd
+++ b/src/test/cfg2cmd/sev-es.conf.cmd
@@ -10,7 +10,7 @@
-daemonize \
-smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \
-object '{"id":"throttle-drive-efidisk0","limits":{},"qom-type":"throttle-group"}' \
- -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_CVM_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \
+ -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_SEV_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \
-blockdev '{"detect-zeroes":"on","discard":"ignore","driver":"throttle","file":{"cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"raw","file":{"aio":"io_uring","cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"file","filename":"/var/lib/vz/images/100/vm-100-disk-0.raw","node-name":"e1175f2a490414e7c53337589fde17a","read-only":false},"node-name":"f1175f2a490414e7c53337589fde17a","read-only":false,"size":540672},"node-name":"drive-efidisk0","read-only":false,"throttle-group":"throttle-drive-efidisk0"}' \
-smp '1,sockets=1,cores=1,maxcpus=1' \
-nodefaults \
diff --git a/src/test/cfg2cmd/sev-snp.conf.cmd b/src/test/cfg2cmd/sev-snp.conf.cmd
index 3308e86e..14b55d3e 100644
--- a/src/test/cfg2cmd/sev-snp.conf.cmd
+++ b/src/test/cfg2cmd/sev-snp.conf.cmd
@@ -9,7 +9,7 @@
-pidfile /var/run/qemu-server/8006.pid \
-daemonize \
-smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \
- -bios /usr/share/pve-edk2-firmware//OVMF_CVM_4M.fd \
+ -bios /usr/share/pve-edk2-firmware//OVMF_SEV_4M.fd \
-smp '1,sockets=1,cores=1,maxcpus=1' \
-nodefaults \
-boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
diff --git a/src/test/cfg2cmd/sev-std.conf.cmd b/src/test/cfg2cmd/sev-std.conf.cmd
index 6291a302..c23fe6d2 100644
--- a/src/test/cfg2cmd/sev-std.conf.cmd
+++ b/src/test/cfg2cmd/sev-std.conf.cmd
@@ -10,7 +10,7 @@
-daemonize \
-smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \
-object '{"id":"throttle-drive-efidisk0","limits":{},"qom-type":"throttle-group"}' \
- -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_CVM_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \
+ -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_SEV_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \
-blockdev '{"detect-zeroes":"on","discard":"ignore","driver":"throttle","file":{"cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"raw","file":{"aio":"io_uring","cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"file","filename":"/var/lib/vz/images/100/vm-100-disk-0.raw","node-name":"e1175f2a490414e7c53337589fde17a","read-only":false},"node-name":"f1175f2a490414e7c53337589fde17a","read-only":false,"size":540672},"node-name":"drive-efidisk0","read-only":false,"throttle-group":"throttle-drive-efidisk0"}' \
-smp '1,sockets=1,cores=1,maxcpus=1' \
-nodefaults \
--
2.43.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH qemu-server v3 2/4] Add check for TDX support
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
` (5 preceding siblings ...)
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 1/4] Adapt AMD SEV code for compatibility with other platforms Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 3/4] Add support for Intel TDX Anton Iacobaeus
` (3 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel; +Cc: Philipp Giersfeld
From: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Check whether TDX is enabled on this machine. Instead of using CPUID
like AMD SEV, Intel TDX enablement can be verified by reading the MSR
(https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/05/host_os_setup/).
Signed-off-by: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
.../query-machine-capabilities.c | 98 ++++++++++++++++---
src/usr/modules-load.conf | 1 +
2 files changed, 86 insertions(+), 13 deletions(-)
diff --git a/src/query-machine-capabilities/query-machine-capabilities.c b/src/query-machine-capabilities/query-machine-capabilities.c
index 0c522afc..33317aca 100644
--- a/src/query-machine-capabilities/query-machine-capabilities.c
+++ b/src/query-machine-capabilities/query-machine-capabilities.c
@@ -4,6 +4,8 @@
#include <sys/stat.h>
#include <errno.h>
#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
#define eprintf(...) fprintf(stderr, __VA_ARGS__)
@@ -18,17 +20,56 @@ typedef struct {
uint8_t cbitpos;
uint8_t reduced_phys_bits;
-} cpu_caps_t;
+} cpu_caps_amd_sev_t;
-void query_cpu_capabilities(cpu_caps_t *res) {
+typedef struct {
+ bool tdx_support;
+} cpu_caps_intel_tdx_t;
+
+int read_msr(uint32_t msr_index, uint64_t *value) {
+ uint64_t data;
+ char* msr_file_name = "/dev/cpu/0/msr";
+ int fd;
+
+ fd = open(msr_file_name, O_RDONLY);
+ if (fd < 0) {
+ if (errno == ENXIO) {
+ eprintf("rdmsr: No CPU 0\n");
+ return -1;
+ } else if (errno == EIO) {
+ eprintf("rdmsr: CPU doesn't support MSRs\n");
+ return -1;
+ } else {
+ perror("rdmsr: failed to open MSR");
+ return -1;
+ }
+ }
+
+ if (pread(fd, &data, sizeof(data), msr_index) != sizeof(data)) {
+ if (errno == EIO) {
+ eprintf("rdmsr: CPU cannot read MSR 0x%08x\n", msr_index);
+ return -1;
+ } else {
+ perror("rdmsr: pread");
+ return -1;
+ }
+ }
+
+ *value = data;
+
+ close(fd);
+ return 0;
+}
+
+void query_cpu_capabilities_sev(cpu_caps_amd_sev_t *res) {
uint32_t eax, ebx, ecx, edx;
// query Encrypted Memory Capabilities, see:
// https://en.wikipedia.org/wiki/CPUID#EAX=8000001Fh:_Encrypted_Memory_Capabilities
uint32_t query_function = 0x8000001F;
asm volatile("cpuid"
- : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
- : "0"(query_function)
+ : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
+ : "0"(query_function)
);
res->sev_support = (eax & (1<<1)) != 0;
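Review bot: `read_msr` leaks the file descriptor on both `pread` error paths; the two `return -1` branches after the `pread` check return without `close(fd)`. Restructure so `close(fd)` runs on every exit after a successful `open`, for example by storing the result in a `ret` variable and falling through to a single `close(fd); return ret;`. Two smaller points in the same hunk: `msr_file_name` points at a string literal and should be `const char *`, and `cpu_caps_intel_tdx_t` uses `bool`, so make sure `<stdbool.h>` is included (the `#include` block shown earlier in this patch does not add it).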
@@ -39,6 +80,19 @@ void query_cpu_capabilities(cpu_caps_t *res) {
res->reduced_phys_bits = (ebx >> 6) & 0x3f;
}
+int query_cpu_capabilities_tdx(cpu_caps_intel_tdx_t *res) {
+ uint64_t tme_value, sgx_value, tdx_value;
+
+ if (read_msr(0x982, &tme_value) == 0 && read_msr(0xa0, &sgx_value) == 0 &&
+ read_msr(0x1401, &tdx_value) == 0) {
+ res->tdx_support = ((tme_value >> 1) & 1ULL) & (!sgx_value) & ((tdx_value >> 11) & 1ULL);
+ } else {
+ eprintf("Intel TDX support undetermined\n");
+ return -1;
+ }
+ return 0;
+}
+
int prepare_output_directory() {
// Check that the directory exists and create it if it does not.
struct stat statbuf;
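Review bot: `query_cpu_capabilities_tdx` treats any unreadable MSR as an error (`rdmsr: CPU cannot read MSR ...` followed by `Intel TDX support undetermined`), yet that is the expected outcome on every AMD host and on Intel CPUs without TME/TDX, so those hosts will print error messages on each run. Consider checking the CPUID vendor string first and treating a missing MSR as `tdx_support = false` rather than a failure. The expression `((tme_value >> 1) & 1ULL) & (!sgx_value) & ((tdx_value >> 11) & 1ULL)` also hard-codes the MSR numbers and bit positions; the commit message points to the Intel enabling guide, but named `#define`s with a one-line comment per bit would document what each read means. Note that `!sgx_value` requires the whole register at 0xa0 to be zero rather than testing a specific bit; if only one bit is meant, mask it.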
@@ -65,8 +119,8 @@ int main() {
return 1;
}
- cpu_caps_t caps;
- query_cpu_capabilities(&caps);
+ cpu_caps_amd_sev_t caps_sev;
+ query_cpu_capabilities_sev(&caps_sev);
FILE *file = fopen(OUTPUT_PATH, "w");
if (file == NULL) {
@@ -82,18 +136,36 @@ int main() {
" \"sev-support\": %s,"
" \"sev-support-es\": %s,"
" \"sev-support-snp\": %s"
- " }"
- " }\n",
- caps.cbitpos,
- caps.reduced_phys_bits,
- caps.sev_support ? "true" : "false",
- caps.sev_es_support ? "true" : "false",
- caps.sev_snp_support ? "true" : "false"
+ " }",
+ caps_sev.cbitpos,
+ caps_sev.reduced_phys_bits,
+ caps_sev.sev_support ? "true" : "false",
+ caps_sev.sev_es_support ? "true" : "false",
+ caps_sev.sev_snp_support ? "true" : "false"
);
if (ret < 0) {
eprintf("Error writing to file '" OUTPUT_PATH "': %s\n", strerror(errno));
}
+ cpu_caps_intel_tdx_t caps_tdx;
+ if (query_cpu_capabilities_tdx(&caps_tdx) == 0) {
+ ret = fprintf(file,
+ ","
+ " \"intel-tdx\": {"
+ " \"tdx-support\": %s"
+ " }",
+ caps_tdx.tdx_support ? "true" : "false"
+ );
+ if (ret < 0) {
+ eprintf("Error writing to file '" OUTPUT_PATH "': %s\n", strerror(errno));
+ }
+ }
+
+ ret = fprintf(file, " }\n");
+ if (ret < 0) {
+ eprintf("Error writing to file '" OUTPUT_PATH "': %s\n", strerror(errno));
+ }
+
ret = fclose(file);
if (ret != 0) {
eprintf("Error closing file '" OUTPUT_PATH "': %s\n", strerror(errno));
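Review bot: with the restructured output in `main`, the `intel-tdx` object is omitted entirely when `query_cpu_capabilities_tdx` fails, so consumers of the JSON have to treat an absent key the same as `"tdx-support": false`; emitting the key with `false` in the failure case, or documenting that absence means unsupported, would keep the JSON shape stable across hosts. The `amd-sev` block is still written unconditionally from CPUID leaf 0x8000001F on Intel hosts, so the two vendor sections are not handled symmetrically; worth a comment if that is intentional.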
diff --git a/src/usr/modules-load.conf b/src/usr/modules-load.conf
index aee7d42a..f45d256b 100644
--- a/src/usr/modules-load.conf
+++ b/src/usr/modules-load.conf
@@ -1 +1,2 @@
vhost_net
+msr
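Review bot: loading `msr` unconditionally from `modules-load.conf` exposes `/dev/cpu/*/msr` on every host, including AMD hosts where the TDX probe cannot succeed, and that device also permits MSR writes by privileged processes unless the kernel is in lockdown. Consider loading the module only where the capabilities tool needs it (for example only on Intel hosts, or on demand before `read_msr`) and state in the commit message why it is required, so the added host attack surface is a documented choice.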
--
2.43.0
* [pve-devel] [PATCH qemu-server v3 3/4] Add support for Intel TDX
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
` (6 preceding siblings ...)
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 2/4] Add check for TDX support Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object Anton Iacobaeus
` (2 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel; +Cc: Philipp Giersfeld
From: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
This commit adds support for setting up an Intel TDX VM. An Intel TDX VM
can be set up similarly to AMD SEV but uses a different firmware image.
Intel TDX requires kernel_irqchip to be set to `split`, instead of the
default `on`. QEMU does change the default for TDX guests, but it is
included explicitly here for clarity.
Signed-off-by: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
src/PVE/QemuMigrate/Helpers.pm | 1 +
src/PVE/QemuServer.pm | 21 +++++++++++++++++++--
src/PVE/QemuServer/CPUConfig.pm | 29 +++++++++++++++++++++++++++++
src/PVE/QemuServer/OVMF.pm | 13 ++++++++++++-
4 files changed, 61 insertions(+), 3 deletions(-)
diff --git a/src/PVE/QemuMigrate/Helpers.pm b/src/PVE/QemuMigrate/Helpers.pm
index f191565a..466517da 100644
--- a/src/PVE/QemuMigrate/Helpers.pm
+++ b/src/PVE/QemuMigrate/Helpers.pm
@@ -20,6 +20,7 @@ sub check_non_migratable_resources {
my @blockers = ();
if ($state) {
push @blockers, "amd-sev" if $conf->{"amd-sev"};
+ push @blockers, "intel-tdx" if $conf->{"intel-tdx"};
push @blockers, "virtiofs" if PVE::QemuServer::Virtiofs::virtiofs_enabled($conf);
}
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 9e2cef3a..98180506 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -61,8 +61,15 @@ use PVE::QemuServer::Helpers
qw(config_aware_timeout get_iscsi_initiator_name min_version kvm_user_version windows_version);
use PVE::QemuServer::Cloudinit;
use PVE::QemuServer::CGroup;
-use PVE::QemuServer::CPUConfig
- qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_cvm_type);
+use PVE::QemuServer::CPUConfig qw(
+ print_cpu_device
+ get_cpu_options
+ get_cpu_bitness
+ is_native_arch
+ get_amd_sev_object
+ get_intel_tdx_object
+ get_cvm_type
+);
use PVE::QemuServer::Drive qw(
is_valid_drivename
checked_volume_format
@@ -296,6 +303,12 @@ my $confdesc = {
format => 'pve-qemu-sev-fmt',
type => 'string',
},
+ 'intel-tdx' => {
+ description => "Trusted Domain Extension (TDX) features by Intel CPUs",
+ optional => 1,
+ format => 'pve-qemu-tdx-fmt',
+ type => 'string',
+ },
balloon => {
optional => 1,
type => 'integer',
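Review bot: the `description` of the new `intel-tdx` option expands TDX as "Trusted Domain Extension"; Intel's name for the feature is Trust Domain Extensions, so use `"Intel Trust Domain Extensions (TDX) features"` here to match the vendor terminology used elsewhere in the series.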
@@ -3756,6 +3769,10 @@ sub config_to_command {
if ($conf->{'amd-sev'}) {
push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
push @$machineFlags, 'confidential-guest-support=sev0';
+ } elsif ($conf->{'intel-tdx'}) {
+ push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+ push @$machineFlags, 'confidential-guest-support=tdx0';
+ push @$machineFlags, 'kernel_irqchip=split';
}
PVE::QemuServer::Virtiofs::config($conf, $vmid, $devices);
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 65a7b565..415d1a9f 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -18,6 +18,7 @@ our @EXPORT_OK = qw(
get_cpu_bitness
is_native_arch
get_amd_sev_object
+ get_intel_tdx_object
get_cvm_type
);
@@ -282,6 +283,17 @@ my $sev_fmt = {
};
PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt);
+my $tdx_fmt = {
+ type => {
+ description => "Enable TDX",
+ type => 'string',
+ default_key => 1,
+ format_description => "tdx-type",
+ enum => ['tdx'],
+ },
+};
+PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
+
PVE::JSONSchema::register_format('pve-phys-bits', \&parse_phys_bits);
sub parse_phys_bits {
@@ -887,6 +899,9 @@ sub get_cvm_type {
if ($conf->{'amd-sev'}) {
my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'});
return $sev->{type};
+ } elsif ($conf->{'intel-tdx'}) {
+ my $tdx = PVE::JSONSchema::parse_property_string($tdx_fmt, $conf->{'intel-tdx'});
+ return $tdx->{type};
} else {
return undef;
}
@@ -945,6 +960,20 @@ sub get_amd_sev_object {
return $sev_mem_object;
}
+sub get_intel_tdx_object {
+ my ($intel_tdx, $bios) = @_;
+ my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
+ my $tdx_hw_caps = get_hw_capabilities()->{'intel-tdx'};
+
+ if (!$tdx_hw_caps->{'tdx-support'}) {
+ die "Your CPU does not support Intel TDX.\n";
+ }
+ if (!$bios || $bios ne 'ovmf') {
+ die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
+ }
+ return 'tdx-guest,id=tdx0';
+}
+
__PACKAGE__->register();
__PACKAGE__->init();
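Review bot: in `get_intel_tdx_object`, `$intel_tdx_conf` is assigned from `parse_property_string` but never used in this patch, so the parse serves only as validation; either drop the assignment until it is needed or add a short comment saying the call is there to validate the property string, so the unused variable does not read as an oversight. The two `die` checks mirror `get_amd_sev_object`; the shared `!$bios || $bios ne 'ovmf'` check could move into a small helper in a follow-up.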
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 8b02d089..7675a5a5 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -34,6 +34,9 @@ my $OVMF = {
'4m-snp' => [
"$EDK2_FW_BASE/OVMF_SEV_4M.fd",
],
+ '4m-tdx' => [
+ "$EDK2_FW_BASE/OVMF_TDX_4M.fd",
+ ],
# FIXME: These are legacy 2MB-sized images that modern OVMF doesn't supports to build
# anymore. how can we deperacate this sanely without breaking existing instances, or using
# older backups and snapshot?
@@ -63,6 +66,11 @@ my sub get_ovmf_files($$$$) {
return ($ovmf);
} elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es')) {
$type = "4m-sev";
+ } elsif ($cvm_type && $cvm_type eq 'tdx') {
+ $type = "4m-tdx";
+ my ($ovmf) = $types->{$type}->@*;
+ die "EFI base image '$ovmf' not found\n" if !-f $ovmf;
+ return ($ovmf);
} elsif (defined($efidisk->{efitype}) && $efidisk->{efitype} eq '4m') {
$type = $smm ? "4m" : "4m-no-smm";
$type .= '-ms' if $efidisk->{'pre-enrolled-keys'};
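Review bot: the new `tdx` branch in `get_ovmf_files` duplicates the `snp` branch body (look up `$types->{$type}`, check `-f`, return the single image). Since `print_ovmf_commandline` in the last hunk of this patch already treats the two together (`$cvm_type eq 'snp' || $cvm_type eq 'tdx'`), fold them here as well, e.g. `if ($cvm_type && ($cvm_type eq 'snp' || $cvm_type eq 'tdx')) { $type = "4m-$cvm_type"; ... }`, so the two `-bios`-only firmware paths cannot drift apart.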
@@ -88,6 +96,9 @@ my sub print_ovmf_drive_commandlines {
die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n"
if $cvm_type && $cvm_type eq 'snp';
+ die "Attempting to configure TDX with pflash devices instead of using `-bios`\n"
+ if $cvm_type && $cvm_type eq 'tdx';
+
my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $cvm_type);
my $var_drive_str = "if=pflash,unit=1,id=drive-efidisk0";
@@ -208,7 +219,7 @@ sub print_ovmf_commandline {
my $cmd = [];
my $machine_flags = [];
- if ($cvm_type && $cvm_type eq 'snp') {
+ if ($cvm_type && ($cvm_type eq 'snp' || $cvm_type eq 'tdx')) {
if (defined($conf->{efidisk0})) {
log_warn(
"EFI disks are not supported with Confidential Virtual Machines and will be ignored"
--
2.43.0
* [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
` (7 preceding siblings ...)
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 3/4] Add support for Intel TDX Anton Iacobaeus
@ 2025-10-28 12:54 ` Anton Iacobaeus
2025-11-13 11:35 ` Fiona Ebner
2025-11-10 15:03 ` [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
2025-11-13 11:21 ` [pve-devel] partially-applied: " Fiona Ebner
10 siblings, 1 reply; 21+ messages in thread
From: Anton Iacobaeus @ 2025-10-28 12:54 UTC (permalink / raw)
To: pve-devel
Extend the tdx object with the quote-generation-socket as defined in:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
Only vsock and unix sockets are included here since they are the most
commonly used socket types with TDX attestation.
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
src/PVE/QemuServer.pm | 3 +-
src/PVE/QemuServer/CPUConfig.pm | 87 ++++++++++++++++++++++++++++++++-
2 files changed, 87 insertions(+), 3 deletions(-)
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 98180506..77aa612a 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -3770,7 +3770,8 @@ sub config_to_command {
push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
push @$machineFlags, 'confidential-guest-support=sev0';
} elsif ($conf->{'intel-tdx'}) {
- push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+ my $tdx_object = get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+ push @$devices, '-object', to_json($tdx_object, { canonical => 1 });
push @$machineFlags, 'confidential-guest-support=tdx0';
push @$machineFlags, 'kernel_irqchip=split';
}
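Review bot: this hunk switches the TDX `-object` argument to a JSON string via `to_json($tdx_object, { canonical => 1 })` while the `amd-sev` branch directly above still passes a key=value string; check that `JSON` (or `to_json`) is imported in `QemuServer.pm`, since the `use` line is not part of this hunk, and say in the commit message why the JSON form was chosen for TDX only, so the asymmetry with SEV is a recorded decision.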
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 415d1a9f..a847085c 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -5,7 +5,7 @@ use warnings;
use JSON;
-use PVE::JSONSchema;
+use PVE::JSONSchema qw(json_bool);
use PVE::Cluster qw(cfs_register_file cfs_read_file);
use PVE::Tools qw(run_command get_host_arch);
use PVE::QemuServer::Helpers qw(min_version);
@@ -291,6 +291,50 @@ my $tdx_fmt = {
format_description => "tdx-type",
enum => ['tdx'],
},
+ 'attestation' => {
+ description => "Enable TDX attestation by including quote-generation-socket",
+ type => 'boolean',
+ default => 1,
+ },
+ 'socket-type' => {
+ type => 'string',
+ optional => 1,
+ enum => ['unix', 'vsock'],
+ default => 'vsock',
+ description => "Socket type to communicate with the Quote Generation Service",
+ },
+ 'vsock-cid' => {
+ type => 'integer',
+ minimum => 2,
+ default => 2,
+ optional => 1,
+ description => "CID for vsock of Quote Generation Service",
+ },
+ 'vsock-port' => {
+ type => 'integer',
+ minimum => 0,
+ default => 4050,
+ optional => 1,
+ description => "Port for vsock of Quote Generation Service",
+ },
+ 'unix-path' => {
+ type => 'string',
+ optional => 1,
+ description => "Path to Unix socket",
+ format_description => "unix-path",
+ },
+ 'unix-abstract' => {
+ description => "Use Linux abstract socket address",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
+ 'unix-tight' => {
+ description => "Pads the abstract socket address.",
+ type => 'boolean',
+ default => 1,
+ optional => 1,
+ },
};
PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
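Review bot: `attestation` is the only new key in `$tdx_fmt` without `optional => 1`; every other new key in this hunk pairs `default` with `optional => 1`. If the property-string parser treats a non-optional key as required, a plain `intel-tdx: tdx` config fails to validate despite the documented default of 1; add `optional => 1` here and, if `parse_property_string` does not fill in defaults, apply the default in the code that reads it. It would also help to state in each `description` which keys belong to `socket-type=unix` and which to `socket-type=vsock`, since nothing in the schema ties them together.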
@@ -960,6 +1004,36 @@ sub get_amd_sev_object {
return $sev_mem_object;
}
+sub get_quote_generation_socket {
+ my ($conf) = @_;
+ my $type = $conf->{'socket-type'}
+ or die "A socket type is required for Quote Generation Socket.\n";
+
+ my $socket = {
+ type => $type,
+ };
+
+ if ($type eq 'unix') {
+ my $path = $conf->{'unix-path'}
+ or die "Missing path for unix socket.\n";
+
+ $socket->{'path'} = $path;
+ $socket->{'abstract'} = json_bool($conf->{'unix-abstract'})
+ if defined $conf->{'unix-abstract'};
+ $socket->{'tight'} = json_bool($conf->{'unix-tight'})
+ if defined $conf->{'unix-tight'};
+ } elsif ($type eq 'vsock') {
+ my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
+ die "Missing cid/port for vsock.\n" unless defined $cid && defined $port;
+
+ @$socket{ 'cid', 'port' } = ($cid, $port);
+ } else {
+ die "Unsupported socket type for TDX Quote Generation Socket.\n";
+ }
+
+ return $socket;
+}
+
sub get_intel_tdx_object {
my ($intel_tdx, $bios) = @_;
my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
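Review bot: `get_quote_generation_socket` dies when `socket-type` is absent (`... or die "A socket type is required ..."`) and when `vsock-cid`/`vsock-port` are absent, although the schema in the previous hunk documents defaults of `vsock`, `2` and `4050` for exactly these keys. Either apply the defaults here (`my $type = $conf->{'socket-type'} // 'vsock';`, `my $cid = $conf->{'vsock-cid'} // 2;`, `my $port = $conf->{'vsock-port'} // 4050;`) or drop the `default` entries from the schema so documentation and behaviour agree. The final `else` is unreachable because the enum restricts `socket-type` to `unix`/`vsock`; keeping it as a defensive `die` is fine, but a comment should say so.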
@@ -971,7 +1045,16 @@ sub get_intel_tdx_object {
if (!$bios || $bios ne 'ovmf') {
die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
}
- return 'tdx-guest,id=tdx0';
+
+ my $tdx_object = {
+ 'qom-type' => 'tdx-guest',
+ id => 'tdx0',
+ };
+
+ $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
+ unless !$intel_tdx_conf->{'attestation'};
+
+ return $tdx_object;
}
__PACKAGE__->register();
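Review bot: `unless !$intel_tdx_conf->{'attestation'}` is a double negation that reads as `if`, and because `attestation` is taken straight from the parsed property string, an `intel-tdx: tdx` config without the key leaves it undefined and silently omits `quote-generation-socket`, contradicting the schema's `default => 1`. Attestation is the security-relevant part of this feature, so write it as `if ($intel_tdx_conf->{attestation} // 1)` so that the documented default is what actually happens.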
--
2.43.0
* Re: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object Anton Iacobaeus
@ 2025-11-13 11:35 ` Fiona Ebner
2025-11-13 11:54 ` Thomas Lamprecht
2025-11-14 6:47 ` Anton Iacobaeus
0 siblings, 2 replies; 21+ messages in thread
From: Fiona Ebner @ 2025-11-13 11:35 UTC (permalink / raw)
To: Proxmox VE development discussion, Anton Iacobaeus
On 28.10.25 at 1:56 PM, Anton Iacobaeus wrote:
> @@ -291,6 +291,50 @@ my $tdx_fmt = {
> format_description => "tdx-type",
> enum => ['tdx'],
> },
> + 'attestation' => {
> + description => "Enable TDX attestation by including quote-generation-socket",
> + type => 'boolean',
> + default => 1,
> + },
> + 'socket-type' => {
> + type => 'string',
> + optional => 1,
> + enum => ['unix', 'vsock'],
> + default => 'vsock',
> + description => "Socket type to communicate with the Quote Generation Service",
> + },
> + 'vsock-cid' => {
> + type => 'integer',
> + minimum => 2,
> + default => 2,
> + optional => 1,
> + description => "CID for vsock of Quote Generation Service",
> + },
> + 'vsock-port' => {
> + type => 'integer',
> + minimum => 0,
> + default => 4050,
> + optional => 1,
> + description => "Port for vsock of Quote Generation Service",
> + },
> + 'unix-path' => {
> + type => 'string',
> + optional => 1,
> + description => "Path to Unix socket",
> + format_description => "unix-path",
> + },
> + 'unix-abstract' => {
> + description => "Use Linux abstract socket address",
> + type => 'boolean',
> + default => 0,
> + optional => 1,
> + },
> + 'unix-tight' => {
> + description => "Pads the abstract socket address.",
> + type => 'boolean',
> + default => 1,
> + optional => 1,
> + },
Do we really want/need to support all these possible configuration
options to start out? In particular, 'unix-tight' and 'unix-abstract'
seem like we could rather just require users to set it up a certain way.
Maybe vsock+cid+port is enough to begin with and we can add more when
users actually request it? Or are there situations where a vsock cannot
easily be set up?
> };
> PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
>
> @@ -960,6 +1004,36 @@ sub get_amd_sev_object {
> return $sev_mem_object;
> }
>
> +sub get_quote_generation_socket {
> + my ($conf) = @_;
> + my $type = $conf->{'socket-type'}
> + or die "A socket type is required for Quote Generation Socket.\n";
> +
> + my $socket = {
> + type => $type,
> + };
> +
> + if ($type eq 'unix') {
> + my $path = $conf->{'unix-path'}
> + or die "Missing path for unix socket.\n";
> +
> + $socket->{'path'} = $path;
> + $socket->{'abstract'} = json_bool($conf->{'unix-abstract'})
> + if defined $conf->{'unix-abstract'};
> + $socket->{'tight'} = json_bool($conf->{'unix-tight'})
> + if defined $conf->{'unix-tight'};
> + } elsif ($type eq 'vsock') {
> + my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
Style nit: our code base uses the following style:
$conf->@{qw(vsock-cid vsock-port)};
> + die "Missing cid/port for vsock.\n" unless defined $cid && defined $port;
Style nit: we don't usually use unless [0] and please use parentheses
with defined()
> +
> + @$socket{ 'cid', 'port' } = ($cid, $port);
Style nit: again, not really a style seen in our code base, I'd prefer
to just have two assignments
> + } else {
> + die "Unsupported socket type for TDX Quote Generation Socket.\n";
> + }
> +
> + return $socket;
> +}
> +
> sub get_intel_tdx_object {
> my ($intel_tdx, $bios) = @_;
> my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
> @@ -971,7 +1045,16 @@ sub get_intel_tdx_object {
> if (!$bios || $bios ne 'ovmf') {
> die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
> }
> - return 'tdx-guest,id=tdx0';
> +
> + my $tdx_object = {
> + 'qom-type' => 'tdx-guest',
> + id => 'tdx0',
> + };
> +
> + $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
> + unless !$intel_tdx_conf->{'attestation'};
Style nit regarding unless
[0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Perl_syntax_choices
* Re: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
2025-11-13 11:35 ` Fiona Ebner
@ 2025-11-13 11:54 ` Thomas Lamprecht
2025-11-13 12:12 ` Fiona Ebner
2025-11-14 6:47 ` Anton Iacobaeus
1 sibling, 1 reply; 21+ messages in thread
From: Thomas Lamprecht @ 2025-11-13 11:54 UTC (permalink / raw)
To: Proxmox VE development discussion, Fiona Ebner
On 13.11.25 at 12:35, Fiona Ebner wrote:
> On 28.10.25 at 1:56 PM, Anton Iacobaeus wrote:
>> + } elsif ($type eq 'vsock') {
>> + my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
>
> Style nit: our code base uses the following style:
> $conf->@{qw(vsock-cid vsock-port)};
The main important thing here, IMO, is using postfix reference notation though.
Personally, I'm not a huge fan of qw if not needed; I'm certainly fine with
others using it, but would not promote it over:
$conf->@{'vsock-cid', 'vsock-port'};
* Re: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
2025-11-13 11:54 ` Thomas Lamprecht
@ 2025-11-13 12:12 ` Fiona Ebner
0 siblings, 0 replies; 21+ messages in thread
From: Fiona Ebner @ 2025-11-13 12:12 UTC (permalink / raw)
To: Thomas Lamprecht, Proxmox VE development discussion
On 13.11.25 at 12:54 PM, Thomas Lamprecht wrote:
> On 13.11.25 at 12:35, Fiona Ebner wrote:
>> On 28.10.25 at 1:56 PM, Anton Iacobaeus wrote:
>>> + } elsif ($type eq 'vsock') {
>>> + my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
>>
>> Style nit: our code base uses the following style:
>> $conf->@{qw(vsock-cid vsock-port)};
>
> The main important thing here is IMO using postfix reference notation though.
> As personally, I'm not a huge fan of qw if not needed, I'm certainly fine with
> others using it, but would not promote it over:
>
> $conf->@{'vsock-cid', 'vsock-port'};
Ack
* Re: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
2025-11-13 11:35 ` Fiona Ebner
2025-11-13 11:54 ` Thomas Lamprecht
@ 2025-11-14 6:47 ` Anton Iacobaeus
2025-11-14 10:08 ` Fiona Ebner
1 sibling, 1 reply; 21+ messages in thread
From: Anton Iacobaeus @ 2025-11-14 6:47 UTC (permalink / raw)
To: Fiona Ebner, Proxmox VE development discussion
On 11/13/25 12:35, Fiona Ebner wrote:
> On 28.10.25 at 1:56 PM, Anton Iacobaeus wrote:
>> @@ -291,6 +291,50 @@ my $tdx_fmt = {
>> format_description => "tdx-type",
>> enum => ['tdx'],
>> },
>> + 'attestation' => {
>> + description => "Enable TDX attestation by including quote-generation-socket",
>> + type => 'boolean',
>> + default => 1,
>> + },
>> + 'socket-type' => {
>> + type => 'string',
>> + optional => 1,
>> + enum => ['unix', 'vsock'],
>> + default => 'vsock',
>> + description => "Socket type to communicate with the Quote Generation Service",
>> + },
>> + 'vsock-cid' => {
>> + type => 'integer',
>> + minimum => 2,
>> + default => 2,
>> + optional => 1,
>> + description => "CID for vsock of Quote Generation Service",
>> + },
>> + 'vsock-port' => {
>> + type => 'integer',
>> + minimum => 0,
>> + default => 4050,
>> + optional => 1,
>> + description => "Port for vsock of Quote Generation Service",
>> + },
>> + 'unix-path' => {
>> + type => 'string',
>> + optional => 1,
>> + description => "Path to Unix socket",
>> + format_description => "unix-path",
>> + },
>> + 'unix-abstract' => {
>> + description => "Use Linux abstract socket address",
>> + type => 'boolean',
>> + default => 0,
>> + optional => 1,
>> + },
>> + 'unix-tight' => {
>> + description => "Pads the abstract socket address.",
>> + type => 'boolean',
>> + default => 1,
>> + optional => 1,
>> + },
>
> Do we really want/need to support all these possible configuration
> options to start out? In particular, 'unix-tight' and 'unix-abstract'
> seem like we could rather just require users to set it up a certain way.
> Maybe vsock+cid+port is enough to begin with and we can add more when
> users actually request it? Or are there situations where a vsock cannot
> easily be set up?
>
Yes I agree, vsock+cid+port will be enough for most users and we can add
more if requested. I added Unix sockets since it is the default in
libvirt, but vsock should always be easy to set up. 'unix-tight' and
'unix-abstract' were added to match the QEMU schema, I doubt that they are
needed in many cases.
Do you want a v4 with only vsock and the below style nits addressed?
>> };
>> PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
>>
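Review bot: 'attestation' in this schema hunk carries `default => 1` but, unlike every other property added here, no `optional => 1`, so a property string that omits it is rejected even though the default suggests it is meant to be optional; add `optional => 1` or drop the default. The 'unix-tight' description "Pads the abstract socket address." also reads inverted relative to the QEMU SocketAddress documentation linked in the cover letter, where tight=true means the abstract name is not padded to the full sun_path length; if the option stays, describe it as "Do not pad the abstract socket address to the full sun_path length".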
>> @@ -960,6 +1004,36 @@ sub get_amd_sev_object {
>> return $sev_mem_object;
>> }
>>
>> +sub get_quote_generation_socket {
>> + my ($conf) = @_;
>> + my $type = $conf->{'socket-type'}
>> + or die "A socket type is required for Quote Generation Socket.\n";
>> +
>> + my $socket = {
>> + type => $type,
>> + };
>> +
>> + if ($type eq 'unix') {
>> + my $path = $conf->{'unix-path'}
>> + or die "Missing path for unix socket.\n";
>> +
>> + $socket->{'path'} = $path;
>> + $socket->{'abstract'} = json_bool($conf->{'unix-abstract'})
>> + if defined $conf->{'unix-abstract'};
>> + $socket->{'tight'} = json_bool($conf->{'unix-tight'})
>> + if defined $conf->{'unix-tight'};
>> + } elsif ($type eq 'vsock') {
>> + my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
>
> Style nit: our code base uses the following style:
> $conf->@{qw(vsock-cid vsock-port)};
>
>> + die "Missing cid/port for vsock.\n" unless defined $cid && defined $port;
>
> Style nit: we don't usually use unless [0] and please use parentheses
> with defined()
>
>> +
>> + @$socket{ 'cid', 'port' } = ($cid, $port);
>
> Style nit: again, not really a style seen in our code base, I'd prefer
> to just have two assignments
>
>> + } else {
>> + die "Unsupported socket type for TDX Quote Generation Socket.\n";
>> + }
>> +
>> + return $socket;
>> +}
>> +
>> sub get_intel_tdx_object {
>> my ($intel_tdx, $bios) = @_;
>> my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
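Review bot: the `or die` on 'socket-type' (and the defined() checks on $cid and $port) assume the schema defaults have already been filled in, but the schema above marks 'socket-type', 'vsock-cid' and 'vsock-port' as optional with defaults and nothing in this hunk applies them, so a config that merely enables attestation would die with "A socket type is required" instead of using vsock/2/4050. Suggest `my $type = $conf->{'socket-type'} // 'vsock';` and likewise `$conf->{'vsock-cid'} // 2` and `$conf->{'vsock-port'} // 4050`, or apply the defaults once before dispatching on the type. Also, 'unix-abstract' and 'unix-tight' are silently ignored for a vsock socket and 'vsock-cid'/'vsock-port' for a unix one; rejecting options that do not belong to the selected type would make such misconfigurations visible.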
>> @@ -971,7 +1045,16 @@ sub get_intel_tdx_object {
>> if (!$bios || $bios ne 'ovmf') {
>> die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
>> }
>> - return 'tdx-guest,id=tdx0';
>> +
>> + my $tdx_object = {
>> + 'qom-type' => 'tdx-guest',
>> + id => 'tdx0',
>> + };
>> +
>> + $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
>> + unless !$intel_tdx_conf->{'attestation'};
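Review bot: `unless !$intel_tdx_conf->{'attestation'}` is a double negation that, beyond the style nit, changes the documented default: when the user omits 'attestation' the value is undef, `!undef` is true and the socket is skipped, so attestation is effectively off by default although the schema says `default => 1`. Write it as `if ($intel_tdx_conf->{'attestation'} // 1)` (or fill the defaults once after parse_property_string) so the behaviour matches the schema, and add a cfg2cmd test for the default and for `attestation=0` so the expected `-object` line is pinned.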
>
> Style nit regarding unless
>
> [0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Perl_syntax_choices
>
* Re: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
From: Fiona Ebner @ 2025-11-14 10:08 UTC (permalink / raw)
To: Anton Iacobaeus, Proxmox VE development discussion
Am 14.11.25 um 7:46 AM schrieb Anton Iacobaeus:
> Yes I agree, vsock+cid+port will be enough for most users and we can add
> more if requested. I added Unix sockets since it is the default in
> libvirt, but vsock should always be easy to set up. 'unix-tight' and
> 'unix-abstract' were added to match the QEMU schema, I doubt that they are
> needed in many cases.
>
> Do you want a v4 with only vsock and the below style nits addressed?
Yes, please! I'm not sure it will make it into the upcoming release of
Proxmox VE 9.1, but can be applied soon after otherwise.
Best Regards,
Fiona
* Re: [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
From: Anton Iacobaeus @ 2025-11-10 15:03 UTC (permalink / raw)
To: pve-devel
Hi,
I understand review time can vary but just wanted to check on the status
of this series. Seems like it got formatted incorrectly in the archives,
but it looks fine in my mail client. If a resend or other clarifications
are needed before review I am happy to do so.
On 10/28/25 13:54, Anton Iacobaeus wrote:
> This patch series adds support for launching Intel TDX confidential
> VMs via QEMU. Basic attestation support is also added.
>
> Intel TDX requires QEMU >= v10.1 and kernel >= 6.16. A TDX compatible
> CPU is also required, with TDX enabled in the BIOS. Attestation also
> requires a running Quote Generation Service (QGS) on the host (or
> dedicated VM) connected to a Provisioning Certificate Caching Service
> (PCCS), more information can be found at:
> https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/
>
> Only a subset of the possible socket types is implemented with this
> patch. Ideally the SocketAddress object as defined in QEMU would be
> fully implemented, but for the sake of TDX this is not necessary. More
> information at:
> https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-sockets.SocketAddress
>
> The TDX object can also be extended with additional configuration
> options, but these are not necessary for regular usage of TDX. More
> information available at:
> https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties
>
> Future work can build upon this patch to improve these shortcomings.
>
> Thanks to Fiona for the review.
>
> Changes since v2: https://lists.proxmox.com/pipermail/pve-devel/2025-October/075766.html
> * Fixed nits and formatting
> * Added reasoning for firmware Config-B
> * Added reasoning for kernel_irqchip=split
> * Added support for configuration of the quote-generation-socket for attestation.
>
> pve-edk2-firmware:
>
> Philipp Giersfeld (3):
> Change name of SEV-related OVMF files
> Add firmware target for TDFV
> Add SCSI in NCCFV for TD guest
>
> .../patches/Enable_SCSI_IntelTdx_DXEFV.patch | 52 ++++++++++++++++
> debian/patches/series | 1 +
> debian/pve-edk2-firmware-ovmf.install | 7 ++-
> debian/pve-edk2-firmware-ovmf.links | 3 +
> debian/rules | 59 +++++++++++++------
> 5 files changed, 100 insertions(+), 22 deletions(-)
> create mode 100644 debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch
> create mode 100644 debian/pve-edk2-firmware-ovmf.links
>
> pve-manager:
>
> Anton Iacobaeus (1):
> Add support for TDX attestation
>
> Philipp Giersfeld (1):
> Add support for Intel TDX
>
> www/manager6/Makefile | 1 +
> www/manager6/qemu/Options.js | 12 +++
> www/manager6/qemu/TdxEdit.js | 194 +++++++++++++++++++++++++++++++++++
> 3 files changed, 207 insertions(+)
> create mode 100644 www/manager6/qemu/TdxEdit.js
>
> qemu-server:
>
> Anton Iacobaeus (1):
> Add support for TDX quote-generation-socket object
>
> Philipp Giersfeld (3):
> Adapt AMD SEV code for compatibility with other platforms
> Add check for TDX support
> Add support for Intel TDX
>
> src/PVE/API2/Qemu.pm | 6 +-
> src/PVE/QemuMigrate/Helpers.pm | 1 +
> src/PVE/QemuServer.pm | 28 +++-
> src/PVE/QemuServer/CPUConfig.pm | 129 ++++++++++++++++--
> src/PVE/QemuServer/OVMF.pm | 53 ++++---
> .../query-machine-capabilities.c | 98 +++++++++++--
> src/test/cfg2cmd/sev-es.conf.cmd | 2 +-
> src/test/cfg2cmd/sev-snp.conf.cmd | 2 +-
> src/test/cfg2cmd/sev-std.conf.cmd | 2 +-
> src/usr/modules-load.conf | 1 +
> 10 files changed, 270 insertions(+), 52 deletions(-)
>
* Re: [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
From: Fiona Ebner @ 2025-11-12 13:48 UTC (permalink / raw)
To: Proxmox VE development discussion, Anton Iacobaeus
Hi Anton,
sorry for the delay!
Am 10.11.25 um 4:03 PM schrieb Anton Iacobaeus:
> Hi,
>
> I understand review time can vary but just wanted to check on the status
> of this series. Seems like it got formatted incorrectly in the archives,
> but it looks fine in my mail client. If a resend or other clarifications
> are needed before review I am happy to do so.
Yes, apparently something in our mail stack (upgrade is planned with the
hope it makes things better) mixes up line-endings somewhere even if
sent with '--transfer-encoding=base64' but that is fine, I can fix it up
when applying. I also needed to rebase the patches on top of the latest
changes [0].
I did not go ahead with applying the edk2 patches yet, because I got a
question: Don't we want to enroll the Microsoft and distro keys for the
image? Debian upstream added TDX support just a few days ago and they
enroll the Microsoft and distro keys and even dropped the variant
without pre-enrolled keys [1] that was part of the initial merge. The
changes [0] include an "enroll_vendor" helper so we could use that and
get an OVMF_TDX_4M.ms.fd image.
What do you think?
Best Regards,
Fiona
[0]:
https://git.proxmox.com/?p=pve-edk2-firmware.git;a=commitdiff;h=c50fc74a992c0913a0fb84dc33c8ce8c36230604;hp=714c8a05662580d4553e045b3c404b614dc1ac27
[1]:
https://salsa.debian.org/qemu-team/edk2/-/commit/4dd2f2c8de1e3c6c3391cd9c25377966f556f2ff
* Re: [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
From: Fiona Ebner @ 2025-11-12 14:48 UTC (permalink / raw)
To: Proxmox VE development discussion, Anton Iacobaeus
Am 12.11.25 um 2:48 PM schrieb Fiona Ebner:
> I did not go ahead with applying the edk2 patches yet, because I got a
> question: Don't we want to enroll the Microsoft and distro keys for the
> image? Debian upstream added TDX support just a few days ago and they
> enroll the Microsoft and distro keys and even dropped the variant
> without pre-enrolled keys [1] that was part of the initial merge. The
> changes [0] include an "enroll_vendor" helper so we could use that and
> get an OVMF_TDX_4M.ms.fd image.
>
> What do you think?
My proposal to add on top:
> diff --git a/debian/pve-edk2-firmware-ovmf.install b/debian/pve-edk2-firmware-ovmf.install
> index 22186563bb..cd5313bb0d 100644
> --- a/debian/pve-edk2-firmware-ovmf.install
> +++ b/debian/pve-edk2-firmware-ovmf.install
> @@ -3,7 +3,7 @@ debian/ovmf-install/OVMF_VARS*.fd /usr/share/pve-edk2-firmware
> debian/ovmf-sev-install/OVMF_SEV_CODE*.fd /usr/share/pve-edk2-firmware
> debian/ovmf-sev-install/OVMF_SEV_VARS*.fd /usr/share/pve-edk2-firmware
> debian/ovmf-sev-install/OVMF_SEV_4M.fd /usr/share/pve-edk2-firmware
> -debian/ovmf-tdx-install/OVMF_TDX_4M.fd /usr/share/pve-edk2-firmware
> +debian/ovmf-tdx-install/OVMF_TDX_4M.ms.fd /usr/share/pve-edk2-firmware
> debian/ovmf32-install/OVMF32_CODE*.fd /usr/share/pve-edk2-firmware
> debian/ovmf32-install/OVMF32_VARS*.fd /usr/share/pve-edk2-firmware
> debian/PkKek-1-snakeoil.* /usr/share/pve-edk2-firmware
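Review bot: replacing OVMF_TDX_4M.fd with OVMF_TDX_4M.ms.fd in the install list means only the pre-enrolled image ships, so qemu-server's OVMF.pm must reference the .ms.fd name or TDX VMs will fail to find their firmware. The non-enrolled image is still built by the rules hunks below, so either ship both for users who need a TD without Secure Boot, or state in the commit message that dropping the unenrolled variant deliberately mirrors the Debian change referenced as [1].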
> diff --git a/debian/rules b/debian/rules
> index 9def34d267..044071cf90 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -95,8 +95,10 @@ OVMF_TDX_INSTALL_DIR = debian/ovmf-tdx-install
> OVMF_TDX_BUILD_ROOT = Build/IntelTdx
> OVMF_TDX_BUILD_DIR = $(OVMF_TDX_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
(Note that I already split the above to follow commit "16bb13da3d
debian/rules: Define *_BUILD_ROOT variables" that was picked up from
Debian).
> OVMF_TDX_SHELL = $(OVMF_TDX_BUILD_DIR)/X64/Shell.efi
> +OVMF_TDX_ENROLL = $(OVMF_TDX_BUILD_DIR)/X64/EnrollDefaultKeys.efi
> OVMF_TDX_BINARIES = $(OVMF_TDX_SHELL)
> OVMF_TDX_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.fd)
> +OVMF_TDX_PREENROLLED_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.ms.fd)
>
> QEMU_EFI_BUILD_ROOT = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)
> QEMU_EFI_BUILD_DIR = $(QEMU_EFI_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
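Review bot: OVMF_TDX_ENROLL is introduced here but OVMF_TDX_BINARIES stays `$(OVMF_TDX_SHELL)`, so the TDX build target never lists EnrollDefaultKeys.efi as one of its outputs; the %/OVMF_TDX_4M.ms.fd rule later depends on $(OVMF_TDX_ENROLL), and if the IntelTdx build does not emit that binary make will fail with "no rule to make target". Add `$(OVMF_TDX_ENROLL)` to OVMF_TDX_BINARIES, mirroring how the OVMF_* rules carry $(OVMF_ENROLL), and verify that the IntelTdx .dsc actually builds EnrollDefaultKeys.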
> @@ -145,7 +147,7 @@ $(OVMF_SEV_BINARIES) $(OVMF_SEV_IMAGES): debian/setup-build-stamp
> cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF.fd \
> $(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_4M.fd
>
> -build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES)
> +build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES) $(OVMF_TDX_PREENROLLED_IMAGES)
> $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES): debian/setup-build-stamp
> rm -rf $(OVMF_TDX_INSTALL_DIR)
> mkdir $(OVMF_TDX_INSTALL_DIR)
> @@ -215,6 +217,9 @@ enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
> %/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
> $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
>
> +%/OVMF_TDX_4M.ms.fd: %/OVMF_TDX_4M.fd debian/PkKek-1-vendor.pem $(OVMF_TDX_ENROLL) $(OVMF_TDX_SHELL)
> + $(call enroll_vendor,$(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd,$@,amd64)
> +
> BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s
> $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
>
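Review bot: the recipe of the %/OVMF_TDX_4M.ms.fd pattern rule hardcodes $(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd as input instead of using the matched prerequisite, so the pattern only works for that one directory; `$(call enroll_vendor,$<,$@,amd64)` keeps the rule self-consistent (the existing snakeoil rule has the same shape, so fixing both is optional). Unlike the snakeoil rule, which enrolls into a separate VARS file, here the keys are written into the single combined TDX image, so OVMF_TDX_4M.ms.fd carries a different firmware measurement than OVMF_TDX_4M.fd; a line in the commit message would tell anyone maintaining TDX attestation reference values to expect that.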
Let me know if this looks good to you or if you prefer something else :)
Best Regards,
Fiona
* [pve-devel] partially-applied: [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
From: Fiona Ebner @ 2025-11-13 11:21 UTC (permalink / raw)
To: Proxmox VE development discussion, Anton Iacobaeus
Many thanks! Since the Proxmox VE 9.1 minor release is not too far off,
I went ahead and partially applied the series, so that the initial
feature is in :) I left out attestation for now, I'll send a response to
that patch afterwards.
Am 28.10.25 um 1:56 PM schrieb Anton Iacobaeus:
> pve-edk2-firmware:
>
> Philipp Giersfeld (3):
> Change name of SEV-related OVMF files
> Add firmware target for TDFV
> Add SCSI in NCCFV for TD guest
Applied these three while adding my suggested follow-up for enrollment:
836ab12370 Change name of SEV-related OVMF files
8bd1c1afa3 Add firmware target for TDFV
9fdf1a8994 Add SCSI in NCCFV for TD guest
3bcde1f645 d/{rules,.install}: tdx: ship image with pre-enrolled keys
> qemu-server:
>
> Philipp Giersfeld (3):
> Adapt AMD SEV code for compatibility with other platforms
> Add check for TDX support
> Add support for Intel TDX
Applied these three and added a follow-up to only query supported
features for the matching CPU vendor:
b518383f Adapt AMD SEV code for compatibility with other platforms
96a23d39 Add check for TDX support
db96e126 Add support for Intel TDX
c1934a5d query machine capabilities: only query features of matching CPU
vendor
Best Regards,
Fiona
* Re: [pve-devel] partially-applied: [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
From: Anton Iacobaeus @ 2025-11-14 6:39 UTC (permalink / raw)
To: Fiona Ebner, Proxmox VE development discussion
On 11/13/25 12:21, Fiona Ebner wrote:
> Many thanks! Since the Proxmox VE 9.1 minor release is not too far off,
> I went ahead and partially applied the series, so that the initial
> feature is in :) I left out attestation for now, I'll send a response to
> that patch afterwards.
>
> Am 28.10.25 um 1:56 PM schrieb Anton Iacobaeus:
>> pve-edk2-firmware:
>>
>> Philipp Giersfeld (3):
>> Change name of SEV-related OVMF files
>> Add firmware target for TDFV
>> Add SCSI in NCCFV for TD guest
>
> Applied these three while adding my suggested follow-up for enrollment:
>
> 836ab12370 Change name of SEV-related OVMF files
> 8bd1c1afa3 Add firmware target for TDFV
> 9fdf1a8994 Add SCSI in NCCFV for TD guest
> 3bcde1f645 d/{rules,.install}: tdx: ship image with pre-enrolled keys
>
Thanks! We tested with secure boot and it seems to work well and your
suggested follow-up looks solid.
>> qemu-server:
>>
>> Philipp Giersfeld (3):
>> Adapt AMD SEV code for compatibility with other platforms
>> Add check for TDX support
>> Add support for Intel TDX
> Applied these three and added a follow-up to only query supported
> features for the matching CPU vendor:
>
> b518383f Adapt AMD SEV code for compatibility with other platforms
> 96a23d39 Add check for TDX support
> db96e126 Add support for Intel TDX
> c1934a5d query machine capabilities: only query features of matching CPU
> vendor
>
> Best Regards,
> Fiona
>