Message-ID: <7cbf0061-b357-4de4-8191-6a7453e2cae7@canarybit.eu>
Date: Mon, 13 Oct 2025 16:25:50 +0200
From: Anton Iacobaeus
To: Proxmox VE development discussion
References: <20251001151237.50385-1-anton.iacobaeus@canarybit.eu> <20251001151237.50385-8-anton.iacobaeus@canarybit.eu> <9f98346e-9a41-4060-ac06-84cc355cf4ca@proxmox.com>
In-Reply-To: <9f98346e-9a41-4060-ac06-84cc355cf4ca@proxmox.com>
Subject: Re: [pve-devel] [PATCH qemu-server v2 3/3] Add support for Intel TDX

On 10/13/25 11:30, Fiona Ebner wrote:
> On 08.10.25 at 12:21 PM, Fiona Ebner wrote:
>> On 04.10.25 at 3:23 PM, Anton Iacobaeus wrote:
>>> From: Philipp Giersfeld
>>>
>>> This commit adds support for setting up an Intel TDX VM. An Intel TDX VM
>>> can be set up similarly to AMD SEV but uses a different firmware image.
>>>
>>> Signed-off-by: Philipp Giersfeld
>>> Signed-off-by: Anton Iacobaeus
>>
>> Apart from a few nits, see below:
>> Reviewed-by: Fiona Ebner
>>> @@ -3965,6 +3978,10 @@ sub config_to_command {
>>>  if ($conf->{'amd-sev'}) {
>>>  push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
>>>  push @$machineFlags, 'confidential-guest-support=sev0';
>>> + } elsif ($conf->{'intel-tdx'}) {
>>> + push @$devices, '-object', get_intel_tdx_object($conf->{'intel-tdx'}, $conf->{bios});
>>> + push @$machineFlags, 'confidential-guest-support=tdx0';
>>> + push @$machineFlags, 'kernel_irqchip=split';
>
> One more thing I noticed/remembered:
>
> Don't we also need something like
> -device vhost-vsock-pci,guest-cid=3
>
> for communication between QGS and TD VM like described in the docs:
> https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/05/host_os_setup/#setup-communication-path-between-qgs-and-td
>
> ?

Yes, you are correct, but it is only required for attestation support, which was initially out of scope for this series. The changes are however quite small and they could fit in this series.

Note that TDX memory encryption works without any communication between the QGS and TD VM. The QGS is only contacted for quote generation.

In terms of this particular device, it was only used in TDX Early Preview. Today a quote-generation-socket should instead be included directly in the TDX object, like this:

-object '{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type": "vsock", "cid":"2","port":"4050"}}'

I think this change can be included in this series, but it adds some additional scope since the type, cid and port can be configured differently from these defaults.

>
>>
>> Nit: would be nice to have a comment describing the rationale behind the
>> kernel_irqchip option and/or a sentence in the commit message.
>>
>>>  }
>>>
>>>  PVE::QemuServer::Virtiofs::config($conf, $vmid, $devices);
>

Yes indeed, I will add that.

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
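Review bot: the hunk hardcodes 'confidential-guest-support=tdx0' while the object id is produced inside get_intel_tdx_object(), which the hunk does not show, and the -object example given in the reply uses "id":"tdx" rather than "tdx0"; if the two drift apart, QEMU rejects the command line at VM start because the machine flag references a non-existent object. Suggest deriving the id in both places from one constant (the sev0 branch would benefit from the same), and adding the comment on why 'kernel_irqchip=split' is required, as the nit above asks.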
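To make the coupling in the hunk and the quote-generation-socket option from the reply concrete, here is an added Python illustration (not code from this series or from qemu-server, which is Perl): it builds the tdx-guest -object JSON and the matching machine flags from a single object id, and validates a vsock or unix QGS socket before emitting it. The defaults (vsock, cid 2, port 4050) are the ones quoted in the reply; the function and parameter names are my own.

```python
import json

# One constant feeds both the -object "id" and confidential-guest-support=,
# so the two cannot silently disagree (the hunk hardcodes "tdx0" separately).
TDX_OBJECT_ID = "tdx0"

# vsock CIDs 0 (hypervisor) and 1 (local) are reserved; 2 is the host,
# which is where QGS runs. Ports are 32-bit.
VMADDR_CID_HOST = 2
VSOCK_PORT_MAX = 2**32 - 1


def qgs_socket(sock_type="vsock", cid=VMADDR_CID_HOST, port=4050, path=None):
    """Return a QEMU SocketAddress dict for the QGS, or raise ValueError.

    QEMU encodes vsock cid and port as strings, as in the reply's example.
    """
    if sock_type == "vsock":
        cid, port = int(cid), int(port)
        if cid < VMADDR_CID_HOST:
            raise ValueError(f"vsock cid {cid} is reserved; host QGS is cid 2")
        if not 0 <= port <= VSOCK_PORT_MAX:
            raise ValueError(f"vsock port {port} out of range")
        return {"type": "vsock", "cid": str(cid), "port": str(port)}
    if sock_type == "unix":
        if not path or not path.startswith("/"):
            raise ValueError("unix socket needs an absolute path")
        return {"type": "unix", "path": path}
    raise ValueError(f"unsupported quote-generation-socket type {sock_type!r}")


def tdx_guest_args(qgs=None):
    """Build the fragments config_to_command pushes onto @$devices and
    @$machineFlags for a TDX guest. qgs is None when attestation is not
    wanted (memory encryption works without QGS), else a qgs_socket() dict.
    """
    obj = {"qom-type": "tdx-guest", "id": TDX_OBJECT_ID}
    if qgs is not None:
        obj["quote-generation-socket"] = qgs
    devices = ["-object", json.dumps(obj, separators=(",", ":"))]
    machine_flags = [
        f"confidential-guest-support={TDX_OBJECT_ID}",  # same id as obj["id"]
        "kernel_irqchip=split",
    ]
    return devices, machine_flags


if __name__ == "__main__":
    print(*tdx_guest_args(qgs_socket()))
```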