From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id F142D1FF17A for ; Tue, 28 Oct 2025 13:55:51 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 29A701AD6D; Tue, 28 Oct 2025 13:56:08 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1761656128; x=1762260928; d=canarybit.eu; s=rsa1; h=content-transfer-encoding:mime-version:message-id:date:subject:cc:to:from: from; bh=Gfi3+cqLBI7t05qiQVJuGVa3MW+CfWO8JPy4RSV7IfM=; b=S/0XsNUF1NDmpL3V5SGvuhVjsqt8my/rkqJVl/NSu3Sr/O3nQVzOnApgDcATuNp0Te3PS2Pu8bmig G+f1prEnql4CxLRa6YH3tfWB/O/7IHqBWOV8TBEnK020oquAA7UKxKqCECGc5H5hww5acea7oF8geD yy9Egp9ng+weYWJ+wcSXkylpxIlYpVTkciLXHH1MOSywAxqowA+k5WYMCsJYJXEtuG3ALX5u3jEGkS sABmoBoyhjOa9vzS9z36ie3byPtcsEP1RyCeEIS50YpH8FOYzokyT3i2nFGbZlTYNMtTaSd5j1zC9Y PTeHXxt3D3+QnTZ2lLaNXh6U0Bm533w== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; t=1761656128; x=1762260928; d=canarybit.eu; s=ed1; h=content-transfer-encoding:mime-version:message-id:date:subject:cc:to:from: from; bh=Gfi3+cqLBI7t05qiQVJuGVa3MW+CfWO8JPy4RSV7IfM=; b=sywW0qefd6g/RrVbiB5hdjDK3cLJXFUdJlrpXkRXxkxk7Mo3q9ya1445Ui4/hFyB8eBXHYNfuV+LU 12g8sDiAA== X-HalOne-ID: 5a44f40c-b3fd-11f0-ad93-d510462faafc From: Anton Iacobaeus To: pve-devel@lists.proxmox.com Date: Tue, 28 Oct 2025 13:54:22 +0100 Message-ID: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.866 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_MISSING 0.1 Missing DMARC policy MIME_BASE64_TEXT 1.741 Message text disguised using base64 encoding RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust SPF_HELO_PASS -0.001 SPF: HELO matches SPF record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [qemuserver.pm, canarybit.eu, helpers.pm, intel.com, proxmox.com, cpuconfig.pm, qemu.pm, qemu.org, ovmf.pm] Subject: [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" This patches series adds support for launching Intel TDX confidential VMs via QEMU. Basic attestation support is also added. Intel TDX requires QEMU >= v10.1 and kernel >= 6.16. A TDX compatible CPU is also required, with TDX enabled in the BIOS. Attestation also requires a running Quote Generation Service (QGS) on the host (or dedicated VM) connected to a Provisioning Certificate Caching Service (PCCS), more information can be found at: https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/ Only a subset of the possible socket types are implemented with this patch. Ideally the SocketAddress object as defined in QEMU would be fully implemented, but for the sake of TDX this is not neccessary. More information at: https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-sockets.SocketAddress The TDX object can also be extended with additional configuration options, but these are not neccessary for regular usage of TDX. More information available at: https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties Future work can build upon this patch to improve these shortcomings. Thanks to Fiona for the review. Changes since v2: https://lists.proxmox.com/pipermail/pve-devel/2025-October/075766.html * Fixed nits and formatting * Added reasoning for firmware Config-B * Added reasoning for kernel_irqchip=split * Added support for configuration of the quote-generation-socket for attestation. pve-edk2-firmware: Philipp Giersfeld (3): Change name of SEV-related OVMF files Add firmware target for TDFV Add SCSI in NCCFV for TD guest .../patches/Enable_SCSI_IntelTdx_DXEFV.patch | 52 ++++++++++++++++ debian/patches/series | 1 + debian/pve-edk2-firmware-ovmf.install | 7 ++- debian/pve-edk2-firmware-ovmf.links | 3 + debian/rules | 59 +++++++++++++------ 5 files changed, 100 insertions(+), 22 deletions(-) create mode 100644 debian/patches/Enable_SCSI_IntelTdx_DXEFV.patch create mode 100644 debian/pve-edk2-firmware-ovmf.links pve-manager: Anton Iacobaeus (1): Add support for TDX attestation Philipp Giersfeld (1): Add support for Intel TDX www/manager6/Makefile | 1 + www/manager6/qemu/Options.js | 12 +++ www/manager6/qemu/TdxEdit.js | 194 +++++++++++++++++++++++++++++++++++ 3 files changed, 207 insertions(+) create mode 100644 www/manager6/qemu/TdxEdit.js qemu-server: Anton Iacobaeus (1): Add support for TDX quote-generation-socket object Philipp Giersfeld (3): Adapt AMD SEV code for compatibility with other platforms Add check for TDX support Add support for Intel TDX src/PVE/API2/Qemu.pm | 6 +- src/PVE/QemuMigrate/Helpers.pm | 1 + src/PVE/QemuServer.pm | 28 +++- src/PVE/QemuServer/CPUConfig.pm | 129 ++++++++++++++++-- src/PVE/QemuServer/OVMF.pm | 53 ++++--- .../query-machine-capabilities.c | 98 +++++++++++-- src/test/cfg2cmd/sev-es.conf.cmd | 2 +- src/test/cfg2cmd/sev-snp.conf.cmd | 2 +- src/test/cfg2cmd/sev-std.conf.cmd | 2 +- src/usr/modules-load.conf | 1 + 10 files changed, 270 insertions(+), 52 deletions(-) -- 2.43.0 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel