public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
Date: Tue, 28 Oct 2025 13:54:31 +0100	[thread overview]
Message-ID: <20251028125459.287308-10-anton.iacobaeus@canarybit.eu> (raw)
In-Reply-To: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu>

Extend the tdx object with the quote-generation-socket as defined in:
https://www.qemu.org/docs/master/interop/qemu-storage-daemon-qmp-ref.html#object-QSD-qom.TdxGuestProperties

Only vsock and unix sockets are included here since they are the most
commonly used socket types with TDX attestation.

Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
 src/PVE/QemuServer.pm           |  3 +-
 src/PVE/QemuServer/CPUConfig.pm | 87 ++++++++++++++++++++++++++++++++-
 2 files changed, 87 insertions(+), 3 deletions(-)

diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 98180506..77aa612a 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -3770,7 +3770,8 @@ sub config_to_command {
         push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
         push @$machineFlags, 'confidential-guest-support=sev0';
     } elsif ($conf->{'intel-tdx'}) {
-        push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+        my $tdx_object = get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
+        push @$devices, '-object', to_json($tdx_object, { canonical => 1 });
         push @$machineFlags, 'confidential-guest-support=tdx0';
         push @$machineFlags, 'kernel_irqchip=split';
     }
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 415d1a9f..a847085c 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -5,7 +5,7 @@ use warnings;
 
 use JSON;
 
-use PVE::JSONSchema;
+use PVE::JSONSchema qw(json_bool);
 use PVE::Cluster qw(cfs_register_file cfs_read_file);
 use PVE::Tools qw(run_command get_host_arch);
 use PVE::QemuServer::Helpers qw(min_version);
@@ -291,6 +291,50 @@ my $tdx_fmt = {
         format_description => "tdx-type",
         enum => ['tdx'],
     },
+    'attestation' => {
+        description => "Enable TDX attestation by including quote-generation-socket",
+        type => 'boolean',
+        default => 1,
+    },
+    'socket-type' => {
+        type => 'string',
+        optional => 1,
+        enum => ['unix', 'vsock'],
+        default => 'vsock',
+        description => "Socket type to communicate with the Quote Generation Service",
+    },
+    'vsock-cid' => {
+        type => 'integer',
+        minimum => 2,
+        default => 2,
+        optional => 1,
+        description => "CID for vsock of Quote Generation Service",
+    },
+    'vsock-port' => {
+        type => 'integer',
+        minimum => 0,
+        default => 4050,
+        optional => 1,
+        description => "Port for vsock of Quote Generation Service",
+    },
+    'unix-path' => {
+        type => 'string',
+        optional => 1,
+        description => "Path to Unix socket",
+        format_description => "unix-path",
+    },
+    'unix-abstract' => {
+        description => "Use Linux abstract socket address",
+        type => 'boolean',
+        default => 0,
+        optional => 1,
+    },
+    'unix-tight' => {
+        description => "Pads the abstract socket address.",
+        type => 'boolean',
+        default => 1,
+        optional => 1,
+    },
 };
 PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
 
@@ -960,6 +1004,36 @@ sub get_amd_sev_object {
     return $sev_mem_object;
 }
 
+sub get_quote_generation_socket {
+    my ($conf) = @_;
+    my $type = $conf->{'socket-type'}
+        or die "A socket type is required for Quote Generation Socket.\n";
+
+    my $socket = {
+        type => $type,
+    };
+
+    if ($type eq 'unix') {
+        my $path = $conf->{'unix-path'}
+            or die "Missing path for unix socket.\n";
+
+        $socket->{'path'} = $path;
+        $socket->{'abstract'} = json_bool($conf->{'unix-abstract'})
+            if defined $conf->{'unix-abstract'};
+        $socket->{'tight'} = json_bool($conf->{'unix-tight'})
+            if defined $conf->{'unix-tight'};
+    } elsif ($type eq 'vsock') {
+        my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
+        die "Missing cid/port for vsock.\n" unless defined $cid && defined $port;
+
+        @$socket{ 'cid', 'port' } = ($cid, $port);
+    } else {
+        die "Unsupported socket type for TDX Quote Generation Socket.\n";
+    }
+
+    return $socket;
+}
+
 sub get_intel_tdx_object {
     my ($intel_tdx, $bios) = @_;
     my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
@@ -971,7 +1045,16 @@ sub get_intel_tdx_object {
     if (!$bios || $bios ne 'ovmf') {
         die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
     }
-    return 'tdx-guest,id=tdx0';
+
+    my $tdx_object = {
+        'qom-type' => 'tdx-guest',
+        id => 'tdx0',
+    };
+
+    $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
+        unless !$intel_tdx_conf->{'attestation'};
+
+    return $tdx_object;
 }
 
 __PACKAGE__->register();
-- 
2.43.0

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


      parent reply	other threads:[~2025-10-28 12:56 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 1/3] Change name of SEV-related OVMF files Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 2/3] Add firmware target for TDFV Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 3/3] Add SCSI in NCCFV for TD guest Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH manager v3 1/2] Add support for Intel TDX Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH manager v3 2/2] Add support for TDX attestation Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 1/4] Adapt AMD SEV code for compatibility with other platforms Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 2/4] Add check for TDX support Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 3/4] Add support for Intel TDX Anton Iacobaeus
2025-10-28 12:54 ` Anton Iacobaeus [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251028125459.287308-10-anton.iacobaeus@canarybit.eu \
    --to=anton.iacobaeus@canarybit.eu \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal