From: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
To: Fiona Ebner <f.ebner@proxmox.com>,
Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object
Date: Fri, 14 Nov 2025 07:47:18 +0100 [thread overview]
Message-ID: <9c701bd2-f62f-47cc-b90a-c9d9be779b96@canarybit.eu> (raw)
In-Reply-To: <9e7f7269-d718-4854-9594-b87f42afb4c6@proxmox.com>
On 11/13/25 12:35, Fiona Ebner wrote:
> Am 28.10.25 um 1:56 PM schrieb Anton Iacobaeus:
>> @@ -291,6 +291,50 @@ my $tdx_fmt = {
>> format_description => "tdx-type",
>> enum => ['tdx'],
>> },
>> + 'attestation' => {
>> + description => "Enable TDX attestation by including quote-generation-socket",
>> + type => 'boolean',
>> + default => 1,
>> + },
>> + 'socket-type' => {
>> + type => 'string',
>> + optional => 1,
>> + enum => ['unix', 'vsock'],
>> + default => 'vsock',
>> + description => "Socket type to communicate with the Quote Generation Service",
>> + },
>> + 'vsock-cid' => {
>> + type => 'integer',
>> + minimum => 2,
>> + default => 2,
>> + optional => 1,
>> + description => "CID for vsock of Quote Generation Service",
>> + },
>> + 'vsock-port' => {
>> + type => 'integer',
>> + minimum => 0,
>> + default => 4050,
>> + optional => 1,
>> + description => "Port for vsock of Quote Generation Service",
>> + },
>> + 'unix-path' => {
>> + type => 'string',
>> + optional => 1,
>> + description => "Path to Unix socket",
>> + format_description => "unix-path",
>> + },
>> + 'unix-abstract' => {
>> + description => "Use Linux abstract socket address",
>> + type => 'boolean',
>> + default => 0,
>> + optional => 1,
>> + },
>> + 'unix-tight' => {
>> + description => "Pads the abstract socket address.",
>> + type => 'boolean',
>> + default => 1,
>> + optional => 1,
>> + },
>
> Do we really want/need to support all these possible configuration
> options to start out? In particular, 'unix-tight' and 'unix-abstract'
> seem like we could rather just require users to set it up a certain way.
> Maybe vsock+cid+port is enough to begin with and we can add more when
> users actually request it? Or are there situations where a vsock cannot
> easily be set up?
>
Yes I agree, vsock+cid+port will be enough for most users and we can add
more if requested. I added Unix sockets since it is the default in
libvirt, but vsock should always be easy to setup. 'unix-tight' and
'unix-abstract' was added to match the QEMU schema, doubt that they are
needed in many cases.
Do you want a v4 with only vsock and the below style nits addressed?
>> };
>> PVE::JSONSchema::register_format('pve-qemu-tdx-fmt', $tdx_fmt);
>>
>> @@ -960,6 +1004,36 @@ sub get_amd_sev_object {
>> return $sev_mem_object;
>> }
>>
>> +sub get_quote_generation_socket {
>> + my ($conf) = @_;
>> + my $type = $conf->{'socket-type'}
>> + or die "A socket type is required for Quote Generation Socket.\n";
>> +
>> + my $socket = {
>> + type => $type,
>> + };
>> +
>> + if ($type eq 'unix') {
>> + my $path = $conf->{'unix-path'}
>> + or die "Missing path for unix socket.\n";
>> +
>> + $socket->{'path'} = $path;
>> + $socket->{'abstract'} = json_bool($conf->{'unix-abstract'})
>> + if defined $conf->{'unix-abstract'};
>> + $socket->{'tight'} = json_bool($conf->{'unix-tight'})
>> + if defined $conf->{'unix-tight'};
>> + } elsif ($type eq 'vsock') {
>> + my ($cid, $port) = @{$conf}{ 'vsock-cid', 'vsock-port' };
>
> Style nit: our code base uses the following style:
> $conf->@{qw(vsock-cid vsock-port)};
>
>> + die "Missing cid/port for vsock.\n" unless defined $cid && defined $port;
>
> Style nit: we don't usually use unless [0] and please use parentheses
> with defined()
>
>> +
>> + @$socket{ 'cid', 'port' } = ($cid, $port);
>
> Style nit: again, not really a style seen in our code base, I'd prefer
> to just have two assignments
>
>> + } else {
>> + die "Unsupported socket type for TDX Quote Generation Socket.\n";
>> + }
>> +
>> + return $socket;
>> +}
>> +
>> sub get_intel_tdx_object {
>> my ($intel_tdx, $bios) = @_;
>> my $intel_tdx_conf = PVE::JSONSchema::parse_property_string($tdx_fmt, $intel_tdx);
>> @@ -971,7 +1045,16 @@ sub get_intel_tdx_object {
>> if (!$bios || $bios ne 'ovmf') {
>> die "To use Intel TDX, you need to change the BIOS to OVMF.\n";
>> }
>> - return 'tdx-guest,id=tdx0';
>> +
>> + my $tdx_object = {
>> + 'qom-type' => 'tdx-guest',
>> + id => 'tdx0',
>> + };
>> +
>> + $tdx_object->{'quote-generation-socket'} = get_quote_generation_socket($intel_tdx_conf)
>> + unless !$intel_tdx_conf->{'attestation'};
>
> Style nit regarding unless
>
> [0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Perl_syntax_choices
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-14 6:46 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-28 12:54 [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 1/3] Change name of SEV-related OVMF files Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 2/3] Add firmware target for TDFV Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH edk2-firmware v3 3/3] Add SCSI in NCCFV for TD guest Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH manager v3 1/2] Add support for Intel TDX Anton Iacobaeus
2025-11-14 10:06 ` [pve-devel] applied: " Fiona Ebner
2025-10-28 12:54 ` [pve-devel] [PATCH manager v3 2/2] Add support for TDX attestation Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 1/4] Adapt AMD SEV code for compatibility with other platforms Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 2/4] Add check for TDX support Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 3/4] Add support for Intel TDX Anton Iacobaeus
2025-10-28 12:54 ` [pve-devel] [PATCH qemu-server v3 4/4] Add support for TDX quote-generation-socket object Anton Iacobaeus
2025-11-13 11:35 ` Fiona Ebner
2025-11-13 11:54 ` Thomas Lamprecht
2025-11-13 12:12 ` Fiona Ebner
2025-11-14 6:47 ` Anton Iacobaeus [this message]
2025-11-14 10:08 ` Fiona Ebner
2025-11-10 15:03 ` [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX Anton Iacobaeus
2025-11-12 13:48 ` Fiona Ebner
2025-11-12 14:48 ` Fiona Ebner
2025-11-13 11:21 ` [pve-devel] partially-applied: " Fiona Ebner
2025-11-14 6:39 ` Anton Iacobaeus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9c701bd2-f62f-47cc-b90a-c9d9be779b96@canarybit.eu \
--to=anton.iacobaeus@canarybit.eu \
--cc=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox